IP Address: 1.14.97.205 (Previously Malicious)
This IP address attempted an attack on a machine in our threat-sensor network.
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers: 22.108.193.170, 24.32.65.138, 25.224.195.70, 37.139.19.182, 51.159.19.47, 72.234.46.152, 74.76.251.50, 83.135.103.145, 101.43.184.100, 112.193.177.90, 115.209.220.154, 122.159.227.77, 124.222.191.233, 134.206.135.250, 139.148.26.70, 141.172.192.187, 173.111.9.240, 173.249.168.222, 178.147.146.105, 185.202.130.8, 204.190.47.192, 206.43.55.240, 222.165.136.99
IP Address: 1.14.97.205
Domain: -
ISP: Tencent cloud computing
Country: China
WHOIS:
  Created Date: -
  Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-05
Last seen in Akamai Guardicore Segmentation: 2022-04-05
What is Akamai Guardicore Segmentation?
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy-to-understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: White List)
Download File: /dev/shm/ifconfig was downloaded
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: Correct Password)
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Outgoing Connection: Process /dev/shm/ifconfig generated outgoing network traffic to: 101.43.184.100:1234, 104.21.25.86:443, 11.153.68.229:80, 11.153.68.229:8080, 112.193.177.90:2222, 115.209.220.154:22, 122.159.227.77:2222, 124.182.189.37:80, 124.182.189.37:8080, 124.222.191.233:1234, 134.206.135.250:2222, 139.148.26.70:1234, 141.172.192.187:22, 150.123.84.139:80, 150.123.84.139:8080, 154.204.34.226:80, 154.204.34.226:8080, 158.215.29.13:80, 158.215.29.13:8080, 164.106.232.21:80, 164.106.232.21:8080, 172.67.133.228:443, 173.111.9.240:2222, 173.249.168.222:2222, 174.20.42.147:80, 174.20.42.147:8080, 176.160.114.102:80, 176.160.114.102:8080, 178.147.146.105:22, 180.87.141.81:80, 180.87.141.81:8080, 183.225.1.15:80, 183.225.1.15:8080, 183.230.141.152:80, 183.230.141.152:8080, 188.183.141.177:80, 188.183.141.177:8080, 189.23.75.243:80, 189.23.75.243:8080, 19.68.48.56:80, 19.68.48.56:8080, 196.232.250.104:80, 196.232.250.104:8080, 201.51.204.151:80, 201.51.204.151:8080, 201.72.93.203:80, 201.72.93.203:8080, 204.190.47.192:22, 205.49.62.199:80, 205.49.62.199:8080, 206.43.55.240:2222, 207.86.84.38:80, 207.86.84.38:8080, 22.108.193.170:22, 222.165.136.99:1234, 24.32.65.138:1234, 25.224.195.70:22, 35.3.62.130:80, 35.3.62.130:8080, 37.139.19.182:22, 41.89.100.9:80, 41.89.100.9:8080, 51.159.19.47:1234, 51.75.146.174:443, 61.25.156.211:80, 61.25.156.211:8080, 62.71.8.40:80, 62.71.8.40:8080, 63.165.23.201:80, 63.165.23.201:8080, 65.131.14.180:80, 65.131.14.180:8080, 67.20.145.173:80, 67.20.145.173:8080, 72.234.46.152:2222, 73.164.127.63:80, 73.164.127.63:8080, 74.76.251.50:22, 79.79.141.54:80, 79.79.141.54:8080, 80.38.152.178:80, 80.38.152.178:8080, 83.135.103.145:1234, 89.64.28.23:80, 89.64.28.23:8080, 97.226.116.106:80, 97.226.116.106:8080, 98.239.195.2:80 and 98.239.195.2:8080
Listening: Process /dev/shm/ifconfig started listening on ports 1234, 8081 and 8183
Port 80 Scan, Port 8080 Scan: Process /dev/shm/ifconfig scanned port 80 on 32 IP addresses 2 times
Port 80 Scan, Port 8080 Scan: Process /dev/shm/ifconfig scanned port 8080 on 32 IP addresses 2 times
Access Suspicious Domain, Outgoing Connection: Process /dev/shm/ifconfig attempted to access suspicious domains: clickspeed.net.br, cosmote.net, hawaiiantel.net and poneytelecom.eu
Connection was closed due to timeout
|