I was advised today of our on prem spiceworks instance reaching out to public IP 199.59.242.150 on port 80. Our instance is set up to scan our network every 3 hours for changes. Can anyone shed any light on why the spiceworks-finder process would be reaching out to an address that belongs to an advertising company?
there is more information on the IP address listed on the forum page
Came in today and checked the Indications of Compromise on our FirePower system. We normally get ~10 IoCs a week. Today, we’ve gotten over 50 (although I failed to check the system for a few days). All of them to the same IP:
199.59.242.150
All to port 443, so I can’t do much with the packets. AlienVault shows it as a spammer, as does Talos, but Ransomware Tracker is showing active ransomware on that IP. Can’t figure out what’s going on with this. None of the workstations I’ve scanned have com…
4 Spice ups
dbeato
(dbeato)
May 1, 2018, 10:39pm
2
WattsDP:
I was advised today of our on prem spiceworks instance reaching out to public IP 199.59.242.150 on port 80. Our instance is set up to scan our network every 3 hours for changes. Can anyone shed any light on why the spiceworks-finder process would be reaching out to an address that belongs to an advertising company?
there is more information on the IP address listed on the forum page
FirePower Screaming?
Welcome to the community! I've seen more reporting of this here:
https://community.ubnt.com/t5/UniFi-Routing-Switching/IPS-Alert-Network-Trojan/td-p/2278732
According to those it seems that it may be just web browsing and advertisements on sites; however, the PC in question here is our Spiceworks server and no one logs in and does any web browsing on it. The process that is reaching out to the site is a Spiceworks process. Just trying to understand why Spiceworks itself would be "browsing".
dbeato
(dbeato)
May 2, 2018, 4:31pm
4
Spiceworks uses ads so that might be the reason why.
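One way to check that explanation rather than take it on faith, as an added example that is not from this thread or from Spiceworks: on the on-prem Spiceworks server, map every live connection to the reported address back to its owning process and command line, look up the PTR record for the address, and read the TLS certificate presented on port 443 (the part the IDS cannot see). It assumes Windows 8/Server 2012 or newer with the NetTCPIP and DnsClient modules and an elevated PowerShell session.

```powershell
# Added example, not the thread's own or Spiceworks' code. Run elevated on the
# Spiceworks server. The address is the one reported in the thread.
$RemoteIp = '199.59.242.150'

# 1. Live TCP connections to that address, joined to the owning process.
#    The finder scan runs every 3 hours, so this may be empty between scans.
$conns = Get-NetTCPConnection -RemoteAddress $RemoteIp -ErrorAction SilentlyContinue
if (-not $conns) {
    Write-Host "No live TCP connections to $RemoteIp right now; retry during a scan window."
}
foreach ($c in $conns) {
    # Win32_Process exposes the full command line, which Get-Process does not.
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)"
    [pscustomobject]@{
        RemotePort  = $c.RemotePort        # 80 = plain HTTP, 443 = TLS
        State       = $c.State
        Pid         = $c.OwningProcess
        Process     = $proc.Name
        CommandLine = $proc.CommandLine
        ParentPid   = $proc.ParentProcessId
    }
}

# 2. Reverse DNS. A PTR naming an ad network supports the "just ads" reading;
#    a generic hosting PTR, or none, means the HTTP traffic on port 80 is
#    worth capturing and reading.
Resolve-DnsName -Name $RemoteIp -Type PTR -ErrorAction SilentlyContinue |
    Select-Object Name, NameHost

# 3. Port 443 is opaque on the wire, but the server certificate is not:
#    its Subject/Issuer show which service is actually being contacted.
#    The validation callback returns $true only so the certificate can be
#    read; nothing is sent over the session.
try {
    $tcp  = New-Object System.Net.Sockets.TcpClient($RemoteIp, 443)
    $ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($RemoteIp)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{ Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter }
    $ssl.Dispose(); $tcp.Close()
} catch {
    Write-Warning "TLS handshake to ${RemoteIp}:443 failed: $($_.Exception.Message)"
}
```

If the owning process is the Spiceworks finder and the PTR and certificate both point at an ad network, the FirePower alerts can be tuned for that host; if the process or the certificate is unexpected, treat it as a real IoC and capture the port 80 traffic.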