Skip to main content

Bad External Server IP Address Connection

This event occurs when an additional internal host connects to a previously seen IP address that has been flagged as malicious by intelligence sources. If an application cannot be associated with a connection, Lacework generates a machine event.

Why this Event is Important

Connecting to a known, bad IP address may be the result of a compromised application or malware. The malicious IP address is typically a C&C (Command-and-Control) server and a compromised host may be used for anything from crypto-mining to DDOS attacks. Since at least one other host has connected to the IP address, extra attention should be given if the IP address has been determined to be malicious

Investigation

Verify that the IP was added to a denylist or blocklist using other sources. Examine any data transfer and determine if meaningful data has been exchanged - over 10 KB per connection. Look at the direction of transfer, for example, if this application does not typically connect to the Internet, even data transfer less than 10 KB per connection may indicate C&C (Command-and-Control).

Resolution

If the IP address is confirmed to be malicious, block the IP address and scan the local machine. Perform local forensics and then restore the machine to a known good state.