IP Address: 1.117.70.249Previously Malicious
IP Address: 1.117.70.249Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP SSH |
Tags |
System File Modification Port 1234 Scan SSH Listening SCP Port 80 Scan Port 8080 Scan Superuser Operation Outgoing Connection Successful SSH Login Download and Execute Download File 10 Shell Commands |
Associated Attack Servers |
13.92.34.175 35.205.189.29 59.3.186.45 95.154.21.210 103.90.177.102 118.41.204.72 118.218.209.149 120.224.34.31 123.132.238.210 124.223.14.100 125.160.115.47 147.182.233.56 154.16.35.136 161.35.79.199 161.70.98.32 172.64.110.32 172.64.111.32 172.64.200.11 172.64.201.11 183.213.26.13 191.242.182.210 191.242.188.103 206.189.25.255 209.216.177.158 209.216.177.238 211.162.184.120 218.146.15.97 222.103.98.58 222.165.136.99 |
IP Address |
1.117.70.249 |
|
Domain |
- |
|
ISP |
Tencent cloud computing |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-06-25 |
Last seen in Akamai Guardicore Segmentation |
2022-10-20 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
/tmp/ifconfig was downloaded |
Download File |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 10 times |
Successful SSH Login |
./ifconfig was downloaded |
Download File |
/var/tmp/ifconfig was downloaded |
Download File |
/root/ifconfig was downloaded |
Download File |
System file /etc/apache2 was modified 4 times |
System File Modification |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /etc/ifconfig was downloaded and executed 6 times |
Download and Execute |
Process /bin/bash scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /etc/apache2 scanned port 1234 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 1234 on 27 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 80 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 8080 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
The file /etc/apache2 was downloaded and executed 78 times |
Download and Execute |
Process /etc/apache2 generated outgoing network traffic to: 1.1.1.1:443, 1.28.137.182:80, 1.28.137.182:8080, 101.42.90.177:1234, 103.152.118.20:1234, 109.39.99.4:80, 109.39.99.4:8080, 114.124.83.195:80, 114.124.83.195:8080, 117.16.44.111:1234, 117.54.14.169:1234, 120.31.133.162:1234, 122.78.50.85:80, 122.78.50.85:8080, 123.81.149.136:80, 123.81.149.136:8080, 124.223.14.100:1234, 136.236.249.225:80, 136.236.249.225:8080, 142.250.190.4:443, 145.127.227.171:80, 145.127.227.171:8080, 147.182.233.56:1234, 153.144.27.132:80, 153.144.27.132:8080, 153.191.129.8:80, 153.191.129.8:8080, 155.12.29.18:80, 155.12.29.18:8080, 161.35.79.199:1234, 161.70.98.32:1234, 172.64.200.11:443, 175.113.169.230:80, 175.113.169.230:8080, 187.127.216.33:80, 187.127.216.33:8080, 187.5.237.184:80, 187.5.237.184:8080, 190.12.120.30:1234, 190.138.240.233:1234, 190.52.191.207:80, 190.52.191.207:8080, 20.141.185.205:1234, 200.127.134.147:80, 204.133.245.241:80, 204.133.245.241:8080, 208.111.224.228:80, 21.42.108.17:80, 21.42.108.17:8080, 216.68.143.182:80, 22.233.83.58:80, 22.233.83.58:8080, 222.165.136.99:1234, 223.99.166.104:1234, 23.155.26.153:80, 253.237.178.148:80, 253.237.178.148:8080, 3.2.248.120:80, 3.2.248.120:8080, 34.35.81.253:80, 34.35.81.253:8080, 4.75.38.158:80, 4.75.38.158:8080, 5.76.106.150:80, 5.76.106.150:8080, 51.159.19.47:1234, 51.75.146.174:443, 52.131.32.110:1234, 55.235.138.99:80, 56.55.53.131:80, 56.55.53.131:8080, 58.229.125.66:1234, 59.3.186.45:1234, 6.1.217.20:80, 6.1.217.20:8080, 61.77.105.219:1234, 62.12.106.5:1234, 8.8.4.4:443, 8.8.8.8:443, 82.66.5.84:1234, 83.184.172.159:80, 83.184.172.159:8080, 85.105.82.39:1234, 89.212.123.191:1234, 90.26.250.204:80, 90.26.250.204:8080, 92.54.220.33:80, 92.54.220.33:8080 and 94.153.165.43:1234 |
Outgoing Connection |
Process /etc/apache2 started listening on ports: 1234, 8087 and 8186 |
Listening |
Process /etc/apache2 scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 80 on 27 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 8080 on 27 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Connection was closed due to timeout |
|
/var/tmp/ifconfig |
SHA256: 003fc3b1c6259d744b011cde32a47e8cb0b00708ebec1465839b9c14279bc70b |
262144 bytes |
/var/tmp/ifconfig |
SHA256: 1b40245f21f1cb845b7fdf2428315166a8b1d8d5e1e42cd290cd8e479ed61ad7 |
2129920 bytes |
/var/tmp/ifconfig |
SHA256: 2fd96aa6470f930f543ef665fcc62ffa4dfe6646b8f506c11b452a191800285b |
2392064 bytes |
/var/tmp/ifconfig |
SHA256: 331f1ead3df8fed58ccf68da781f34b2f228a5c37f3bb245b836a4b49b1cf269 |
557056 bytes |
/var/tmp/ifconfig |
SHA256: 3b9707d2b3c510499a866fe655f57f05eba1eb55566b03979602e5b9d6616a05 |
655360 bytes |
/var/tmp/ifconfig |
SHA256: 8a53c1d12942d21d2876a4b8d1eeed8a33a4a9d9f6d1ff3474980278e76a7cc9 |
1310720 bytes |
/var/tmp/ifconfig |
SHA256: 8e7cf70465391f66bc440eba9c30c73995725eaa95fe9f8ba9da6ecbe060c085 |
2424832 bytes |
/root/ifconfig |
SHA256: 93b5387c1ad89b1bba7a1c7ad722d5406dd174e58cd0a1de5a0684e02a83fd33 |
1474560 bytes |