12-10-2024 03:06 AM
Hello all,
I've recently detected inbound traffic from an IP address 147.185.132.201 where the ISP is showing as Palo Alto Networks, Inc.
The IP has a malicious reputation over VT, AbuseIPDB, and IPVoid.
Can anyone with information about this IP address share their insights? Have you noticed any unusual activity associated with this IP? Are there any known affiliations or activities that could shed light on why it might be flagged?
12-10-2024 09:20 AM
@ganapatimajhi wrote:
Hello all,
I've recently detected inbound traffic from an IP address 147.185.132.201 where the ISP is showing as Palo Alto Networks, Inc.
The IP has a malicious reputation over VT, AbuseIPDB, and IPVoid.Can anyone with information about this IP address share their insights? Have you noticed any unusual activity associated with this IP? Are there any known affiliations or activities that could shed light on why it might be flagged?
Kinda odd, who is shows it being actually a part of GPC, but Palo Alto. I know Palo's primary cloud services are hosted in GPC. I'm not sure what component of Palo's cloud service offering this IP would be coming from.
Looks like this is the email to report abuse, or if you're a palo customer I'd say open a ticket:
12-11-2024 02:30 PM
I would actually say this isn't really that abnormal. Due to scanning (to help categorize websites properly) it isn't abnormal for my various networks/clients to identify traffic against PAN maintained addresses and our automation to step in and deny the traffic. It's pretty common when we spin up new services to see an increase in traffic.
12-11-2024 06:53 PM
As @BPry says, PaloAlto scans seen websites for URL categorization. On my own website, I had never seen this in my logs until I went to it from behind a PA and my site has subsequently been surveyed frequently. This is normally a few pulls of base pages, similar to any other web spider (about 20 per week). I have never seen path traversal attempt, variable injection, or other common signs of malicious activity. A typical scan looks like this:
147.185.132.25 - - [11/Dec/2024:03:29:52 -0700] "GET / HTTP/1.1" 200 42 "-" "Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com"
The scans come from:
35.203.210.0/23 - GoogleCloud
147.185.132.0/23 - PaloAltoNetworks
162.216.149.0/24 - GoogleCloud
162.216.150.0/24 - GoogleCloud
198.235.24.0/24 - PaloAltoNetworks
205.210.31.0/24 - PaloAltoNetworks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
