Why are hosts communicating with blacklisted IPs like match basebanner?

372    Asked by ankurDwivedi in Cyber Security , Asked on Apr 8, 2022

 In my SIEM tool, I got multiple alerts for communication with malware sites from Palo Alto firewall. I have seen many outbound communications from internal IPs toward IP: 74.217.31.51 having host name: match.basebanner.com which has many blacklisted domains to which internal hosts are communicating.

Reference:

https://www.virustotal.com/en/domain/match.basebanner.com/information/https://www.virustotal.com/en/ip-address/74.217.31.51/information/

Now I need to find out why these machines are communicating to these IPs. How to trace them and what proper remediation should I recommend to my client to handle them?

Answered by Amit Sinha

Regarding the match basebanner, you should tell your client that they need to run virus scans on the source IPs and to inspect the browsers of those machines. They can also run netstat on the Windows machines: netstat -a -o -p TCP That will show them the process that initiated each TCP connection. Once they know what is triggering the connections, they can plan how to address the problem.



Your Answer

Online Course

Tutorials

Salesforce Tutorial

Software Testing Tutorial

SQL Tutorial

Business Analyst Tutorial

Devops Tutorial

Data Science Tutorial

AWS Tutorial

Hadoop Tutorial

SSRS Tutorial

AWS S3 Tutorial

Functional Testing Tutorial

SSAS Tutorial

Automation Testing Tutorial

Manual Testing Tutorial

Selenium Tutorial

Kubernetes Tutorial

Scala Tutorial

ETL Testing Tutorial

Python Tutorial

Pyspark Tutorial

R Tutorial

Unit Testing Tutorial

API Testing Tutorial

Puppet Tutorial

Integration Testing Tutorial

Chef Tutorial

Jenkins Tutorial

Ansible Tutorial

Vagrant Tutorial

Docker Tutorial

Interviews

Parent Categories

Copyright | JanBaskTraining.com