
IP Address: 103.51.109.217 (Previously Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner

Services Targeted: SSH, SCP

Tags: SFTP, Read Password Secrets, SSH, Kill Process, Listening, User Created, 10 Shell Commands, Malicious File, DNS Query, Download File, Superuser Operation, Download and Allow Execution, Download and Execute, Service Creation, Log Tampering, Access Suspicious Domain, Successful SSH Login, Outgoing Connection

Associated Attack Servers

Domains: krypt.com, ip-94-23-206.eu, ip-37-187-154.eu, fr.minexmr.com, ip-46-105-103.eu

IP addresses: 94.23.206.130, 37.187.154.79, 211.155.114.75, 103.233.83.23, 103.233.82.32, 46.105.103.169

Basic Information

IP Address: 103.51.109.217
Domain: -
ISP: Tisp Limited
Country: Bangladesh

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-07-08
Last seen in Guardicore Centra: 2020-03-16


Attack Flow

1. A user logged in using SSH with the following credentials: root / ***** (authentication policy: White List). [Successful SSH Login]

2. User butter was created with the password *********. [User Created]

3. A possibly malicious Superuser Operation was detected 4 times. [Superuser Operation, Kill Process]

4. A possibly malicious Kill Process was detected 2 times. [Superuser Operation, Kill Process]

5. Log File Tampering detected from /tmp/x86_64 on the following logs: /var/log/lastlog and /var/log/wtmp. [Log Tampering]

6. Process /tmp/x86_64 started listening on ports: 47292. [Listening]

7. Process /tmp/x86_64 generated outgoing network traffic to: 103.233.82.32:80 and 103.233.83.23:27. [Outgoing Connection]

8. Service samba was created. [Service Creation]

9. Service S99samba was created. [Service Creation]

10. The file /root/linux-gnu was downloaded and executed 4 times. [Download and Execute]

11. Process /root/linux-gnu started listening on ports: 37373. [Listening]

12. The file /tmp/seconfig/xorgg was downloaded and executed 6 times. [Download and Execute]

13. Process /tmp/seconfig/xorgg attempted to access domains: fr.minexmr.com. [DNS Query]

14. Process /tmp/seconfig/xorgg generated outgoing network traffic to: 94.23.206.130:7777. [Outgoing Connection]

15. Process /tmp/seconfig/xorgg attempted to access suspicious domains: ip-94-23-206.eu. [DNS Query, Outgoing Connection, Access Suspicious Domain]

16. The file /tmp/seconfig/samba was downloaded and executed 4 times. [Download and Execute]

17. Process /tmp/seconfig/samba started listening on ports: 37373. [Listening]

18. /root/linux-gnu was identified as malicious by YARA according to rules: Crypto Signatures and 000 Common Rules. [Malicious File]

19. Connection was closed due to timeout.

20. /tmp/seconfig/xorgg was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Malw Xmrig Miner, Crypto Signatures and 000 Common Rules. [Malicious File]

Associated Files

