Getting Inbound connections from Malicious Palo Alto IP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Getting Inbound connections from Malicious Palo Alto IP

L0 Member

Hello all,

I've recently detected inbound traffic from an IP address 147.185.132.201 where the ISP is showing as Palo Alto Networks, Inc. 
The IP has a malicious reputation over VT, AbuseIPDB, and IPVoid.

Can anyone with information about this IP address share their insights? Have you noticed any unusual activity associated with this IP? Are there any known affiliations or activities that could shed light on why it might be flagged?

3 REPLIES 3

L6 Presenter

@ganapatimajhi wrote:

Hello all,

I've recently detected inbound traffic from an IP address 147.185.132.201 where the ISP is showing as Palo Alto Networks, Inc. 
The IP has a malicious reputation over VT, AbuseIPDB, and IPVoid.

Can anyone with information about this IP address share their insights? Have you noticed any unusual activity associated with this IP? Are there any known affiliations or activities that could shed light on why it might be flagged?


Kinda odd, who is shows it being actually a part of GPC, but Palo Alto.  I know Palo's primary cloud services are hosted in GPC.  I'm not sure what component of Palo's cloud service offering this IP would be coming from.

 

 

Brandon_Wertz_0-1733851171658.png

 

Looks like this is the email to report abuse, or if you're a palo customer I'd say open a ticket:

 

Brandon_Wertz_1-1733851225578.png

 

Cyber Elite
Cyber Elite

@ganapatimajhi,

I would actually say this isn't really that abnormal. Due to scanning (to help categorize websites properly) it isn't abnormal for my various networks/clients to identify traffic against PAN maintained addresses and our automation to step in and deny the traffic. It's pretty common when we spin up new services to see an increase in traffic. 

L6 Presenter

As @BPry says, PaloAlto scans seen websites for URL categorization. On my own website, I had never seen this in my logs until I went to it from behind a PA and my site has subsequently been surveyed frequently. This is normally a few pulls of base pages, similar to any other web spider (about 20 per week). I have never seen path traversal attempt, variable injection, or other common signs of malicious activity. A typical scan looks like this:

 

147.185.132.25 - - [11/Dec/2024:03:29:52 -0700] "GET / HTTP/1.1" 200 42 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"

 

The scans come from:

35.203.210.0/23 - GoogleCloud

147.185.132.0/23 - PaloAltoNetworks

162.216.149.0/24 - GoogleCloud

162.216.150.0/24 - GoogleCloud

198.235.24.0/24 - PaloAltoNetworks

205.210.31.0/24 - PaloAltoNetworks

  • 451 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!