IP Address: 1.14.47.225 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP, SSH
Tags | Port 1234 Scan, SSH, Listening, 9 Shell Commands, SCP, Port 80 Scan, Port 8080 Scan, Superuser Operation, Download and Allow Execution, Successful SSH Login, Download and Execute, Download File
Associated Attack Servers | 35.156.38.213, 95.154.21.210, 118.218.209.149, 123.132.238.210, 218.146.15.97
IP Address | 1.14.47.225
Domain | -
ISP | Tencent cloud computing
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-08-06
Last seen in Akamai Guardicore Segmentation | 2022-08-17
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
Process /bin/nc.openbsd scanned port 1234 on 27 IP Addresses | Port 1234 Scan
Process /dev/shm/apache2 scanned port 1234 on 27 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 80 on 27 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 27 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 1234 on 32 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 1234 on 29 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /bin/bash scanned port 1234 on 27 IP Addresses | Port 1234 Scan
Process /bin/nc.openbsd scanned port 1234 on 27 IP Addresses | Port 1234 Scan
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times | Successful SSH Login
/dev/shm/ifconfig was downloaded | Download File
A possibly malicious Superuser Operation was detected 4 times | Superuser Operation
Process /dev/shm/apache2 generated outgoing network traffic to: 1.220.98.197:1234, 103.241.158.107:80, 103.241.158.107:8080, 114.50.115.10:80, 114.50.115.10:8080, 119.180.104.252:80, 119.180.104.252:8080, 120.236.79.182:1234, 124.136.121.141:80, 124.136.121.141:8080, 134.193.220.29:80, 134.193.220.29:8080, 136.145.5.140:80, 136.145.5.140:8080, 136.217.69.118:80, 136.217.69.118:8080, 141.42.33.124:80, 141.42.33.124:8080, 142.250.190.36:443, 147.182.233.56:1234, 160.201.116.229:80, 161.107.113.27:1234, 161.107.113.34:1234, 161.35.79.199:1234, 161.70.98.32:1234, 164.142.186.249:80, 17.229.138.81:80, 17.229.138.81:8080, 173.18.35.41:1234, 179.222.224.66:80, 179.222.224.66:8080, 183.213.26.13:1234, 191.242.188.103:1234, 20.125.252.172:80, 20.125.252.172:8080, 203.228.181.244:80, 203.228.181.244:8080, 206.142.176.88:80, 206.142.176.88:8080, 206.189.25.255:1234, 213.22.13.227:80, 213.22.13.227:8080, 214.249.130.3:80, 214.249.130.3:8080, 216.143.248.88:80, 216.143.248.88:8080, 218.146.15.97:1234, 22.52.191.253:80, 22.52.191.253:8080, 220.243.148.80:1234, 222.103.98.58:1234, 222.134.240.91:1234, 222.165.136.99:1234, 223.171.91.191:1234, 251.22.246.124:80, 251.22.246.124:8080, 253.58.31.141:80, 253.58.31.141:8080, 27.161.224.187:80, 27.161.224.187:8080, 31.19.237.170:1234, 39.132.75.187:80, 39.132.75.187:8080, 42.187.64.178:80, 42.187.64.178:8080, 57.181.185.159:80, 57.181.185.159:8080, 59.109.214.178:80, 59.109.214.178:8080, 61.84.162.66:1234, 62.12.106.5:1234, 62.78.71.124:80, 62.78.71.124:8080, 64.227.132.175:1234, 76.204.49.82:80, 76.204.49.82:8080, 80.147.162.151:1234, 82.161.209.154:80, 82.161.209.154:8080, 82.66.5.84:1234, 84.204.148.99:1234, 84.46.134.132:80, 90.79.198.186:80, 90.79.198.186:8080, 93.176.229.145:1234, 95.138.204.183:80 and 95.138.204.183:8080 |
|
Process /dev/shm/apache2 started listening on ports: 1234, 8080 and 8184 | Listening
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 80 on 29 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 29 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
The file /tmp/ifconfig was downloaded and executed 5 times | Download and Execute
The file /tmp/apache2 was downloaded and executed | Download and Execute
Process /usr/local/mysql/bin/mysqld started listening on ports: 3306 2 times | Listening
Connection was closed due to timeout