Support intro
First Seen: 29.01.2021
Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can
Nextcloud version (eg, 20.0.5): 20.0.7
Operating system and version (eg, Ubuntu 20.04): Ubuntu 16.04
Apache or nginx version (eg, Apache 2.4.25): Apache 2.4.46
PHP version (eg, 7.4): 7.4.12
The issue you are facing:
The Sophos Firewall sends a Critical Mail with the following message:
Advanced Threat Protection
A threat has been detected in your network The source IP/host listed below was found to communicate with a potentially malicious site outside your company.
Details about the alert:
Threat name: C2/Generic-A
Details: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/C2~Generic-A.aspx
Time: 2021-03-15 20:18:55
Traffic blocked: yes
Source IP address or host: "local IP nextcloud server"
A look into the Sophos logs says:
threatname="C2/Generic-A" dstmac="00:1a:8c:f0:51:60" dstip="61.219.11.153"
Is this the first time you’ve seen this error? No
Steps to replicate it:
- Run a Nextcloud behind a Sophos SG Firewall
- Watch the Log
Just seen on two different Nextcloud instances behind a Sophos SG Firewall, where the traffic to 61.219.11.153 is blocked.
Why are the Nextcloud instances trying to communicate with 61.219.11.153?