Support is overwhelmed so I decided to come to Thwack. So just like many others we have rebuilt our SolarWinds server to 2020.2.1 HF2. The database was maintained (external SQL). The server was built new as Windows 2019 with latest patches, then we installed SolarWinds Orion and updated to 2020.2.1 HF2, completed by 4:00PM. Then ~10 hours later we see DNS SOA and AXFR (zone transfer) requests for avsvmcloud.com (Sunburst C2 lookup?) come out from our SolarWinds server.
DNS Log:
12/17/2020 12:14:11 AM 0424 PACKET 0000009BAD2A8040 TCP Rcv <SW_Server_IP> 67c9 Q [0001 D NOERROR] SOA (10)avsvmcloud(3)com(0)
12/17/2020 12:14:18 AM 0424 PACKET 0000009BAD2A8040 TCP Rcv <SW_Server_IP> ccea Q [0001 D NOERROR] AXFR (10)avsvmcloud(3)com(0)
What app would do this, and why??? Are we still compromised?
Additional notes:
1. We set up a forward lookup zone on our DNS servers to black hole the traffic to the C2 server
2. Our SolarWinds.Core.BusinessLayer.dll file hash doesn't match the known good nor the known bad hashes: CC870C07EEB672AB33136C2BE518173AD5564AF5D98BF032DA02367A9E349A76F
3. We have NPM, UDT, NCM, SAM, and IPAM modules deployed.
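For anyone hunting through a Windows DNS Server debug log for the same thing, here is an added example (not from the post or from SolarWinds) that parses PACKET lines in the format quoted above, decodes the `(10)avsvmcloud(3)com(0)` label encoding, and flags queries for a watch-listed domain, calling out AXFR attempts separately. The `<SW_Server_IP>` placeholder and the third, benign line are constructed sample input; the watchlist contents are an assumption.

```python
import re
from dataclasses import dataclass

# Windows DNS Server debug-log "PACKET" line layout (as in the lines quoted in the post):
# date time tid PACKET ptr proto Snd|Rcv remote xid Q|R [flags] QTYPE name
PACKET_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+\s+[AP]M)\s+(?P<tid>\S+)\s+PACKET\s+(?P<ptr>\S+)\s+"
    r"(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<remote>\S+)\s+(?P<xid>[0-9a-fA-F]{4})\s+"
    r"(?P<qr>[QR])\s+\[(?P<flags>[^\]]*)\]\s+(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)

def decode_name(wire: str) -> str:
    """Turn '(10)avsvmcloud(3)com(0)' into 'avsvmcloud.com', checking each label length."""
    labels = []
    for length, label in re.findall(r"\((\d+)\)([^(]*)", wire):
        if int(length) != len(label):
            raise ValueError(f"label length mismatch in {wire!r}")
        if label:
            labels.append(label.lower())
    return ".".join(labels)

@dataclass
class Finding:
    time: str
    remote: str
    qtype: str
    name: str
    reason: str

def scan(lines, watchlist):
    """Flag queries for a watch-listed domain (or a subdomain of one); note zone-transfer attempts."""
    findings = []
    for line in lines:
        m = PACKET_RE.match(line.strip())
        if not m or m["qr"] != "Q":          # only client queries, not responses
            continue
        name = decode_name(m["name"])
        if not any(name == d or name.endswith("." + d) for d in watchlist):
            continue
        reason = "watchlist domain"
        if m["qtype"] == "AXFR":
            reason += "; zone transfer (AXFR) attempt"
        findings.append(Finding(f'{m["date"]} {m["time"]}', m["remote"], m["qtype"], name, reason))
    return findings

# Constructed sample: the two lines from the post (IP left as its placeholder) plus one benign query.
SAMPLE = [
    "12/17/2020 12:14:11 AM 0424 PACKET 0000009BAD2A8040 TCP Rcv <SW_Server_IP> 67c9 Q [0001 D NOERROR] SOA (10)avsvmcloud(3)com(0)",
    "12/17/2020 12:14:18 AM 0424 PACKET 0000009BAD2A8040 TCP Rcv <SW_Server_IP> ccea Q [0001 D NOERROR] AXFR (10)avsvmcloud(3)com(0)",
    "12/17/2020 12:15:02 AM 0424 PACKET 0000009BAD2A8040 UDP Rcv 10.0.0.25 1a2b Q [0001 D NOERROR] A (7)example(3)com(0)",
]

if __name__ == "__main__":
    for f in scan(SAMPLE, {"avsvmcloud.com"}):
        print(f)
```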