I saw an Anti-Bot log message:
Destination Port: 53
IP Protocol: 17
Protection Name: Operator.Trojan-banker.Win32.Zeus.w.eb
Malware Family: Zeus
Description: DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information.
Confidence Level: High
Malware Action: DNS query for a C&C site
Protection Type: DNS Reputation
Destination DNS Hostname: morejobs.ch
Vendor List: Check Point ThreatCloud
Product Family: Threat
The source of this DNS request is an internal DNS server. According to sk74060, the default value for the DNS trap IP is 18.104.22.168.
To find the infected host, I have to check the logs for access to 22.214.171.124. Is this correct? I see three access requests to 126.96.36.199, with logs like the one below (I removed the IPs):
Service ID: http
Source Port: 52778
Destination Port: 80
IP Protocol: 6
Product Family: Access
Description: http Traffic Accepted from <removed> to 188.8.131.52
The <removed> IP address is now the infected client? Check Point is not logging this "bogus IP" (184.108.40.206) in any special way?
Is it a good idea to create a special Access Rule to Drop the Access to 220.127.116.11 and Log it with an Alert?
Btw, I am using R80.10.
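The correlation described in the post (take the Anti-Bot DNS-trap event, then search the access logs for clients that actually connected to the trap address) as an added worked example. This is example code written for this thread, not code from the original poster or from Check Point. The log text is constructed to mimic the "Field: value" record format quoted above; the field names Time, Source and Destination, and the trap address 192.0.2.1, are assumptions standing in for whatever the real export and the gateway's configured DNS trap IP look like.

```python
"""Correlate an Anti-Bot DNS-trap log with access logs to find the client
that actually followed the bogus DNS answer.

Example code added to this thread; not from the original post or from
Check Point. SAMPLE_LOGS is constructed to mimic the field/value format
quoted in the post. The trap address 192.0.2.1 and the Time/Source/
Destination field names are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: one Anti-Bot record whose Source is the internal DNS
# server, followed by access records. Records are separated by blank lines.
# The 10.0.7.12 record deliberately lacks a Destination field so the
# fallback that reads the address out of the Description is exercised.
SAMPLE_LOGS = """\
Time: 2019-03-01 10:00:01
Source: 10.0.0.53
Destination: 8.8.8.8
Destination Port: 53
IP Protocol: 17
Protection Type: DNS Reputation
Description: DNS response was replaced with a DNS trap bogus IP. See sk74060 for more information.
Product Family: Threat

Time: 2019-03-01 10:00:02
Service ID: http
Source: 10.0.5.27
Source Port: 52778
Destination: 192.0.2.1
Destination Port: 80
IP Protocol: 6
Product Family: Access
Description: http Traffic Accepted from 10.0.5.27 to 192.0.2.1

Time: 2019-03-01 10:00:09
Service ID: http
Source: 10.0.5.27
Source Port: 52781
Destination: 192.0.2.1
Destination Port: 80
IP Protocol: 6
Product Family: Access
Description: http Traffic Accepted from 10.0.5.27 to 192.0.2.1

Time: 2019-03-01 10:03:40
Service ID: http
Source: 10.0.7.12
Source Port: 40122
Destination Port: 80
IP Protocol: 6
Product Family: Access
Description: http Traffic Accepted from 10.0.7.12 to 192.0.2.1

Time: 2019-03-01 10:04:00
Service ID: http
Source: 10.0.9.3
Source Port: 41000
Destination: 93.184.216.34
Destination Port: 80
IP Protocol: 6
Product Family: Access
Description: http Traffic Accepted from 10.0.9.3 to 93.184.216.34
"""


def parse_records(text):
    """Split 'Field: value' lines into one dict per blank-line-separated record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep:
            current[key.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def dns_trap_events(records):
    """Anti-Bot records where a C&C lookup was answered with the trap IP.
    Their Source is whoever sent the query to the gateway (here the internal
    DNS server), which is why they do not identify the infected client."""
    return [r for r in records
            if r.get("Product Family") == "Threat"
            and r.get("Protection Type") == "DNS Reputation"
            and "DNS trap" in r.get("Description", "")]


def trap_contacts(records, trap_ip):
    """Map source IP -> access records that connected to the trap IP.
    A client that opens a connection to the trap address received the bogus
    answer from the resolver and acted on it: that is the infection candidate."""
    hits = defaultdict(list)
    for r in records:
        if r.get("Product Family") != "Access":
            continue
        dst = r.get("Destination")
        if dst is None:  # fall back to the "... from A to B" text in Description
            m = re.search(r"\bto (\d{1,3}(?:\.\d{1,3}){3})\b", r.get("Description", ""))
            dst = m.group(1) if m else None
        if dst == trap_ip:
            hits[r["Source"]].append(r)
    return dict(hits)


def infected_candidates(text, trap_ip, resolver_ips=()):
    """Sorted client IPs that contacted the trap IP, minus known resolvers."""
    contacts = trap_contacts(parse_records(text), trap_ip)
    return sorted(ip for ip in contacts if ip not in set(resolver_ips))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOGS)
    for ev in dns_trap_events(recs):
        print("DNS trap event; query reached the gateway via", ev["Source"])
    for ip, hits in trap_contacts(recs, "192.0.2.1").items():
        print(f"{ip}: {len(hits)} connection(s) to the trap IP")
```

The resolver_ips parameter exists because, with an internal DNS server in the path, the Anti-Bot record's Source is the resolver and not the host that made the original lookup; the access-log side of the correlation is what names the client. Substitute the DNS trap IP actually configured on the gateway for the placeholder 192.0.2.1.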