Why are hosts communicating with blacklisted IPs like match basebanner?

361    Asked by ankurDwivedi in Cyber Security , Asked on Apr 8, 2022

 In my SIEM tool, I got multiple alerts for communication with malware sites from Palo Alto firewall. I have seen many outbound communications from internal IPs toward IP: 74.217.31.51 having host name: match.basebanner.com which has many blacklisted domains to which internal hosts are communicating.

Reference:

https://www.virustotal.com/en/domain/match.basebanner.com/information/https://www.virustotal.com/en/ip-address/74.217.31.51/information/

Now I need to find out why these machines are communicating to these IPs. How to trace them and what proper remediation should I recommend to my client to handle them?

Answered by Amit Sinha

Regarding the match basebanner, you should tell your client that they need to run virus scans on the source IPs and to inspect the browsers of those machines. They can also run netstat on the Windows machines: netstat -a -o -p TCP That will show them the process that initiated each TCP connection. Once they know what is triggering the connections, they can plan how to address the problem.



Your Answer

Interviews

Parent Categories