MALWARE-CNC Torpig bot sinkhole server DNS lookup

antonioa
Level 1

I'm trying to figure out an interesting case I have on hand. Our SF IPSes running on 6.1.0.3 (build 57) are detecting these CNC Torpig bot sinkhole server DNS lookup events coming from our internal Barracuda ESGs. We called Barracuda technical support, but they can't find from their side what is causing the issue. I talked to Cisco TAC and they believe there is a client relaying DNS queries through these Barracuda boxes. Has anyone experienced this same issue I'm having?

6 Replies

jgallegos74
Level 1

Hello antonioa, I am experiencing this issue as well right now. Was this issue ever resolved?

Hello,

We are seeing a similar issue; did either of you manage to find the problem?

Still not resolved on my end.

Elijh80
Level 1

I am also seeing this particular situation.

RingoC
Level 1

Any update on this? I'm also seeing this.

pmello
Level 1

I had the same issue/event.

From previous inquiries to Barracuda support I know that the Barracuda will parse an email and follow the links looking for nefarious content.

Googling the error, I find that what's happening is someone is doing a DNS lookup on a known botnet domain, and that lookup is being redirected to a "sinkhole" server that will blackhole the attempted botnet connection.

Unless your Firepower is in Drop mode, you should see that the Barracuda (hopefully) blocks this email.


Pete
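The explanation above, that the alerts come from the Barracuda following links in scanned mail rather than from an infected endpoint, suggests a simple triage step for anyone seeing the same IPS events: separate sinkhole-lookup events whose source is a known mail gateway from those whose source is an ordinary host on the LAN, since only the latter indicate a machine that actually tried to resolve a botnet domain. The script below is an added example written for this thread, not code from Cisco, Barracuda or any poster. It assumes the Firepower events have already been parsed into records with a source IP, destination IP and rule message, and the gateway subnet and event values are constructed samples.

```python
"""Triage 'MALWARE-CNC ... sinkhole server DNS lookup' IPS events by source.

Added example, not from the thread. Assumptions: events are already parsed
into dicts with 'src', 'dst' and 'msg' keys; MAIL_GATEWAYS is your own
inventory of mail-security appliances (a hypothetical subnet is used here).
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events. The rule message mirrors the one quoted in the
# thread; the IP addresses and the unrelated fourth event are made up.
SAMPLE_EVENTS = [
    {"src": "10.20.0.11", "dst": "8.8.8.8",
     "msg": "MALWARE-CNC Torpig bot sinkhole server DNS lookup"},
    {"src": "10.20.0.12", "dst": "8.8.8.8",
     "msg": "MALWARE-CNC Torpig bot sinkhole server DNS lookup"},
    {"src": "10.50.3.77", "dst": "8.8.8.8",
     "msg": "MALWARE-CNC Torpig bot sinkhole server DNS lookup"},
    {"src": "10.20.0.11", "dst": "10.20.0.2",
     "msg": "SERVER-OTHER unrelated sample rule"},
]

# Hypothetical subnet where the Barracuda ESGs live; replace with your own.
MAIL_GATEWAYS = [ip_network("10.20.0.0/28")]

SINKHOLE_MARKER = "sinkhole server DNS lookup"


def classify(event, gateways=MAIL_GATEWAYS):
    """Label one event.

    'gateway-link-scan'  : sinkhole lookup sourced from a mail gateway, consistent
                           with the appliance following URLs in scanned mail.
    'endpoint-lookup'    : sinkhole lookup from any other host; that host resolved
                           a botnet domain itself and should be investigated.
    'other'              : not a sinkhole-lookup event at all.
    """
    if SINKHOLE_MARKER not in event["msg"]:
        return "other"
    src = ip_address(event["src"])
    if any(src in net for net in gateways):
        return "gateway-link-scan"
    return "endpoint-lookup"


def triage(events, gateways=MAIL_GATEWAYS):
    """Return (count per label, sorted list of hosts needing investigation)."""
    labels = [classify(e, gateways) for e in events]
    summary = Counter(labels)
    suspects = sorted({e["src"] for e, label in zip(events, labels)
                       if label == "endpoint-lookup"})
    return summary, suspects


if __name__ == "__main__":
    counts, hosts = triage(SAMPLE_EVENTS)
    for label, n in sorted(counts.items()):
        print(f"{label:20s} {n}")
    print("investigate:", ", ".join(hosts) or "none")
```

Gateway-sourced events are labelled rather than discarded, because TAC's alternative explanation in the thread (a client relaying DNS through the Barracuda) can only be ruled in or out from the appliance's own DNS or URL-scan logs, not from the IPS event alone.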