A lot of traffic on port 443 (https) to ip 65.52.98.231

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

A lot of traffic on port 443 (https) to ip 65.52.98.231

L4 Transporter

Hello,

I have a lot connections from my firewall to public IP addresses 65.52.98.231 port 443.

Our SIEM correlated events and generating the following offense:

    Event Name:    Excessive Firewall Accepts From Multiple Sources to a Single Destination

    Low Level Category:    Firewall Permit

    Event Description:    Excessive Firewall Accepts were detected from multiple hosts to a single destination.  More than 100 events were detected from at least 100 unique source IP addresses in 5 minutes. This is common in large organization where the destination is a common web server like Google or a software update site, however connections to unknown hosts should be investigated.

    Paloalto event:

<14>Jul  1 06:14:52 1,2014/07/01 06:14:52,0003C102046,TRAFFIC,end,0,2014/07/01 06:14:51,XX.XX.XX.XX,65.52.98.231,XXX.X.XX.XX,65.52.98.231,usuarisInet,oa\segXX,,ms-product-activation,vsys1,Trust,Untrust,ethernet1/2,ethernet1/3,ACUNTIA,2014/07/01 06:14:51,238570,1,49266,443,19777,443,0x400000,tcp,allow,59379,38092,21287,69,2014/07/01 06:14:13,9,computer-and-internet-info,0,328805147,0x0,10.0.0.0-10.255.255.255,United States,0,39,30�

*Event     3772 events

http://forums.mydigitallife.info/threads/41010-KMSEmulator-KMS-Client-and-Server-Emulation-Source/pa...

Legal/illegal KMS activation. Any idea?

Could someone confirm these are bad and OK, to block?

...and another more:

IP addresses 134.170.184.137 port 80.

https://www.virustotal.com/es/ip-address/134.170.184.137/information/

https://malwr.com/analysis/NTk4N2E3N2Q2NjUzNGI1OGIzYzE1Mzc0OWI1MWQ2ODc/

IP addresses 134.170.189.4 port 80.

https://www.virustotal.com/es/ip-address/134.170.189.4/information/

https://malwr.com/analysis/ZTUxZmZlYzg3MmZkNDdmMDkyNWI2YmRlMzdmZjg0YmU/

IP addresses 64.4.11.25 port 80.

https://www.virustotal.com/es/ip-address/64.4.11.25/information/

Malwr - Malware Analysis by Cuckoo Sandbox

Regards and thanks,

Diego C:smileyconfused:

3 REPLIES 3

L6 Presenter

Hi COS,

65.52.98.231 is IP address of co2.sls.microsoft.com, hence it has to be genuine, give me some more time for further research.


Regards,

Hardik Shah

L6 Presenter

Hello COS,

5 Microsoft services are hosted on IP address in question. These services are used for activation and update stuff. Refer Bellow mentioned link.

https://www.robtex.com/dns/co2.sls.microsoft.com.html

Traffic log says application is "ms-product-activation". Hence I believe some of the applications are trying to activate itself.

Collect source IP addresses and provide it to system team to find out root cause of simultaneous activation logs.

Bottom line is its not a threat, its genuine traffic.

Even SIEM says Excessive session, not malicious session. Its just an alert to administrator, so he can varify if destination is malicious[torrent/bot/etc].

Regards,

Hardik Shah

L6 Presenter

Hello COS,

Please find WHOIS for new 3 IP addresses, they all belongs to Microsoft.

http://www.whois.com/whois/64.4.11.25

http://www.whois.com/whois/134.170.189.4

http://www.whois.com/whois/64.4.11.25

Moreover, virustotal result based on IP address doesnt prove any thing. Nobody can confirm if connections were malicious. In virus total results also most of the anti-virus are not detecting it as a virus.

Regards,

Hardik Shah

  • 4487 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!