IP Address: 103.105.12.48 (Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role | Attacker, Connect-Back, Scanner
Services Targeted | SCP, SSH
Tags | Successful SSH Login, Port 8080 Scan, 5 Shell Commands, Listening, SSH, SCP, Outgoing Connection, Superuser Operation, Port 80 Scan, Download File, Port 1234 Scan
Associated Attack Servers | amazonaws.com, codetel.net.do, ovh.net, veloxzone.com.br, xmrpool.eu, 1.1.1.1, 34.229.7.53, 35.170.191.119, 42.194.138.246, 49.55.58.41, 51.75.146.174, 54.38.188.38, 66.6.216.63, 66.249.65.98, 81.68.166.127, 81.68.238.98, 98.45.49.117, 103.9.134.247, 103.233.123.123, 104.21.25.86, 131.161.227.31, 172.67.133.228, 187.126.146.4, 190.166.46.227, 222.117.95.174
IP Address | 103.105.12.48
Domain | -
ISP | DaLi
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-07-17
Last seen in Akamai Guardicore Segmentation | 2023-04-11
Event | Tags
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
Process /bin/nc.openbsd scanned port 1234 on 26 IP Addresses | Port 1234 Scan
Process /dev/shm/apache2 scanned port 1234 on 26 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 80 on 26 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 26 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 1234 on 32 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 1234 on 28 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /bin/bash scanned port 1234 on 26 IP Addresses | Port 1234 Scan
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses | Port 1234 Scan
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times | Successful SSH Login
/dev/shm/ifconfig was downloaded | Download File
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
Process /dev/shm/apache2 generated outgoing network traffic to: 1.220.98.197:1234, 103.105.12.48:1234, 104.21.25.86:443, 105.161.222.67:80, 105.161.222.67:8080, 111.53.11.130:1234, 117.16.44.111:1234, 118.218.209.149:1234, 119.242.148.131:80, 119.242.148.131:8080, 120.200.103.141:80, 120.200.103.141:8080, 120.224.34.31:1234, 120.236.79.182:1234, 124.223.14.100:1234, 126.230.186.154:80, 126.230.186.154:8080, 136.163.133.33:80, 139.209.222.134:1234, 142.208.195.145:80, 142.208.195.145:8080, 143.98.196.203:80, 154.188.171.94:80, 154.188.171.94:8080, 157.56.89.173:80, 159.235.47.10:80, 159.235.47.10:8080, 161.70.98.32:1234, 167.128.12.31:80, 167.128.12.31:8080, 168.51.33.58:80, 168.51.33.58:8080, 172.67.133.228:443, 182.224.177.56:1234, 183.213.26.13:1234, 190.138.240.233:1234, 191.242.182.210:1234, 192.37.181.38:80, 192.37.181.38:8080, 200.1.189.211:80, 200.1.189.211:8080, 208.156.159.142:80, 209.216.177.238:1234, 210.99.20.194:1234, 211.162.184.120:1234, 214.46.152.116:80, 214.46.152.116:8080, 222.103.98.58:1234, 222.134.240.91:1234, 222.191.147.155:80, 222.191.147.155:8080, 223.171.91.127:1234, 242.251.36.244:80, 242.251.36.244:8080, 249.70.192.81:80, 249.70.192.81:8080, 4.11.147.131:80, 4.11.147.131:8080, 45.75.148.240:80, 45.75.148.240:8080, 46.43.232.95:80, 46.43.232.95:8080, 51.159.19.47:1234, 51.75.146.174:443, 54.239.98.133:80, 54.239.98.133:8080, 55.169.157.39:80, 55.169.157.39:8080, 58.229.125.66:1234, 61.175.244.24:80, 61.175.244.24:8080, 64.108.200.1:80, 64.108.200.1:8080, 64.227.132.175:1234, 67.225.95.138:80, 67.225.95.138:8080, 68.197.245.14:80, 68.197.245.14:8080, 76.236.74.163:80, 76.236.74.163:8080, 85.14.136.242:80, 85.14.136.242:8080, 86.133.233.66:1234, 95.150.164.245:80, 95.150.164.245:8080, 95.214.128.48:80 and 95.214.128.48:8080 | Outgoing Connection
Process /dev/shm/apache2 started listening on ports: 1234, 8085 and 8184 | Listening
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 80 on 28 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 28 IP Addresses | Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /usr/local/mysql/bin/mysqld started listening on port: 3306 | Listening
Connection was closed due to timeout |

File | /var/tmp/ifconfig
SHA256 | 64cdfd97a3e22fde4245d682910b8c7b130ce93adda909f9cdd90f8c68d92fc1
Size | 2862704 bytes