topic Re: Getting Inbound connections from Malicious Palo Alto IP in General Topics

Getting Inbound connections from Malicious Palo Alto IP

ganapatimajhi — Tue, 10 Dec 2024 11:06:23 GMT

Hello all,

I've recently detected inbound traffic from an IP address 147.185.132.201 where the ISP is showing as Palo Alto Networks, Inc.
The IP has a malicious reputation over VT, AbuseIPDB, and IPVoid.

Can anyone with information about this IP address share their insights? Have you noticed any unusual activity associated with this IP? Are there any known affiliations or activities that could shed light on why it might be flagged?

Re: Getting Inbound connections from Malicious Palo Alto IP

Brandon_Wertz — Tue, 10 Dec 2024 17:20:34 GMT

@ganapatimajhi wrote:

Hello all,

I've recently detected inbound traffic from an IP address 147.185.132.201 where the ISP is showing as Palo Alto Networks, Inc.
The IP has a malicious reputation over VT, AbuseIPDB, and IPVoid.

Can anyone with information about this IP address share their insights? Have you noticed any unusual activity associated with this IP? Are there any known affiliations or activities that could shed light on why it might be flagged?

Kinda odd, who is shows it being actually a part of GPC, but Palo Alto. I know Palo's primary cloud services are hosted in GPC. I'm not sure what component of Palo's cloud service offering this IP would be coming from.

Looks like this is the email to report abuse, or if you're a palo customer I'd say open a ticket:

Re: Getting Inbound connections from Malicious Palo Alto IP

BPry — Wed, 11 Dec 2024 22:30:28 GMT

@ganapatimajhi,

I would actually say this isn't really that abnormal. Due to scanning (to help categorize websites properly) it isn't abnormal for my various networks/clients to identify traffic against PAN maintained addresses and our automation to step in and deny the traffic. It's pretty common when we spin up new services to see an increase in traffic.

Re: Getting Inbound connections from Malicious Palo Alto IP

Adrian_Jensen — Thu, 12 Dec 2024 02:53:40 GMT

As @BPry says, PaloAlto scans seen websites for URL categorization. On my own website, I had never seen this in my logs until I went to it from behind a PA and my site has subsequently been surveyed frequently. This is normally a few pulls of base pages, similar to any other web spider (about 20 per week). I have never seen path traversal attempt, variable injection, or other common signs of malicious activity. A typical scan looks like this:

147.185.132.25 - - [11/Dec/2024:03:29:52 -0700] "GET / HTTP/1.1" 200 42 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"

The scans come from:

35.203.210.0/23 - GoogleCloud

147.185.132.0/23 - PaloAltoNetworks

162.216.149.0/24 - GoogleCloud

162.216.150.0/24 - GoogleCloud

198.235.24.0/24 - PaloAltoNetworks

205.210.31.0/24 - PaloAltoNetworks