Why are hosts communicating with blacklisted IPs like match basebanner?
In my SIEM tool, I got multiple alerts for communication with malware sites from a Palo Alto firewall. I have seen many outbound communications from internal IPs toward IP 18.104.22.168 (host name: match.basebanner.com), which has many blacklisted domains to which internal hosts are communicating.
Now I need to find out why these machines are communicating with these IPs. How do I trace them, and what proper remediation should I recommend to my client to handle them?
Regarding the match basebanner, you should tell your client that they need to run virus scans on the source IPs and to inspect the browsers of those machines. They can also run netstat on the Windows machines:

netstat -a -o -p TCP

That will show them the process that initiated each TCP connection. Once they know what is triggering the connections, they can plan how to address the problem.
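As an added example (not part of the answer above), the following Python script shows how the netstat step can be automated for triage: it parses the table that `netstat -a -o -p TCP` prints on a Windows host, keeps only the rows whose remote address is on the firewall's blocklist, and groups them by owning PID so the process can be named. The netstat output, the PID-to-image-name table (the kind of data `tasklist` would give) and the process names are constructed sample data for this example; only the remote IP 18.104.22.168 comes from the question.

```python
import re
from collections import defaultdict

# Constructed sample of what `netstat -a -o -p TCP` prints on a Windows host.
# The remote IP 18.104.22.168 is the one named in the question; local addresses,
# ports, states and PIDs are made up for this example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.20:49711     18.104.22.168:80       ESTABLISHED     4372
  TCP    192.168.1.20:49712     18.104.22.168:443      ESTABLISHED     4372
  TCP    192.168.1.20:49720     93.184.216.34:443      ESTABLISHED     1180
  TCP    192.168.1.20:49731     18.104.22.168:443      TIME_WAIT       0
"""

# Constructed PID -> image name table, as one would collect from `tasklist`.
# The names are hypothetical placeholders, not findings about any real process.
SAMPLE_TASKLIST = {
    912: "svchost.exe",
    4372: "updater_helper.exe",   # hypothetical unknown binary
    1180: "chrome.exe",
}

# Remote addresses the firewall/SIEM flagged; the question names this one.
BLOCKLIST = {"18.104.22.168"}

# One netstat TCP row: proto, local addr:port, remote addr:port, state, PID.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn netstat TCP rows into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        laddr, lport, raddr, rport, state, pid = m.groups()
        rows.append({
            "local": laddr, "lport": int(lport),
            "remote": raddr, "rport": int(rport),
            "state": state, "pid": int(pid),
        })
    return rows


def flag_blocklisted(rows, blocklist):
    """Keep only connections whose remote address is on the blocklist."""
    return [r for r in rows if r["remote"] in blocklist]


def attribute_to_processes(rows, tasklist):
    """Group flagged connections by PID and resolve each PID to an image name.
    PID 0 appears on TIME_WAIT leftovers and has no owning process, so it is
    labelled rather than looked up."""
    by_pid = defaultdict(list)
    for r in rows:
        by_pid[r["pid"]].append((r["remote"], r["rport"], r["state"]))
    report = {}
    for pid, conns in by_pid.items():
        if pid == 0:
            name = "<no owning process>"
        else:
            name = tasklist.get(pid, "<unknown PID>")
        report[pid] = {"process": name, "connections": sorted(conns)}
    return report


def triage(netstat_text=SAMPLE_NETSTAT, tasklist=SAMPLE_TASKLIST,
           blocklist=BLOCKLIST):
    """End-to-end: parse, filter to blocklisted remotes, attribute to PIDs."""
    flagged = flag_blocklisted(parse_netstat(netstat_text), blocklist)
    return attribute_to_processes(flagged, tasklist)


if __name__ == "__main__":
    for pid, info in triage().items():
        print(pid, info["process"], info["connections"])
```

On a real host the two inputs would be captured with `netstat -a -o -p TCP` and `tasklist`, and the PID that keeps reappearing against the blocklisted address is the one to pull for the antivirus scan and browser inspection the answer recommends.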