IP Address: 103.91.211.242 - Previously Malicious


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: SSH

Tags: Successful SSH Login, HTTP, Service Creation, Outgoing Connection, Log Tampering, Download Operation, Package Install, Download and Allow Execution, IDS - A Network Trojan was detected, Successful Login, Download and Execute, Service Stop

Connect Back Servers: 106.14.42.35

Basic Information

IP Address: 103.91.211.242

Domain: -

ISP: Shandong eshinton Network Technology Co.

Country: China

WHOIS

Created Date: -

Updated Date: -

Organization: -

First seen in Guardicore Centra: 2019-02-13

Last seen in Guardicore Centra: 2019-03-02

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / ****** (authentication policy: White List) [Successful SSH Login]

Service iptables was stopped 2 times [Service Stop]

A possibly malicious Package Install was detected [Package Install, Download Operation]

A possibly malicious Download Operation was detected 2 times [Package Install, Download Operation]

Process /usr/bin/wget generated outgoing network traffic to 106.14.42.35:9789 2 times [Outgoing Connection]

The file /etc/libstdci was downloaded and executed 181 times [Download and Execute]

The file /etc/ceurnadi was downloaded and granted execution privileges [Download and Allow Execution]

Service K01libstdci was created [Service Creation]

Service S02libstdci was created [Service Creation]

The file /etc/rc.local was downloaded and granted execution privileges 2 times [Download and Allow Execution]

History File Tampering detected from /bin/bash 2 times [Log Tampering]

Log File Tampering detected from /bin/bash on the following logs: /var/log/wtmp [Log Tampering]

IDS alert: A Network Trojan was detected (DNS request for Monero mining pool) [IDS - A Network Trojan was detected]

Connection was closed due to timeout

Associated Files

/etc/libstdci (1,166,228 bytes), SHA256: 6f4d2a05411930fed3f156b133e942c98fca3fb6e39bcd42c8f2ed212037565e

/etc/ceurnadi (2,057 bytes), SHA256: 28df5b54a1618038a29340d88f32c398da4e19c8ea197258cc4a3d210c95159d

/etc/rc.local (253 bytes), SHA256: 2f6c2c68348aa2ebd0b2b7d60c17a222d6f3c2433b45ad4a76f1820fc027c435

/etc/sedr7W0b6 (253 bytes), SHA256: 2f6c2c68348aa2ebd0b2b7d60c17a222d6f3c2433b45ad4a76f1820fc027c435

/etc/sedTU0eo5 (271 bytes), SHA256: 74df9dbb0e2d9d9aa32c29b2c11a22617fccc0084356c9b1cc66ebedcd11ef26

/etc/rc.local (271 bytes), SHA256: 74df9dbb0e2d9d9aa32c29b2c11a22617fccc0084356c9b1cc66ebedcd11ef26
