IP Address: 104.248.126.125 (Previously Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: HadoopYARN

Tags: HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Download File, Inbound HTTP Request

Connect Back Servers

13.69.86.134 52.233.186.86 52.174.52.111 52.166.72.240 46.17.45.249 23.101.129.153 40.68.42.232 107.161.31.20 13.73.165.162 13.81.2.109 13.82.180.115 40.68.103.91 52.174.179.113 46.29.165.235 13.94.156.189 52.179.16.86 13.95.8.223 104.40.157.159 52.174.33.6 40.71.192.234 13.82.52.118 13.90.100.161 52.170.222.140

Basic Information

IP Address: 104.248.126.125
Domain: -
ISP: Digital Ocean
Country: United States

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-09-16
Last seen in Guardicore Centra: 2018-09-22


Attack Flow

Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to 107.161.31.20:80 (10 times)

IDS - Web Application Attack: IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body

Download and Allow Execution: The file /tmp/tenshi.sh was downloaded and granted execution privileges

Download File: /tmp/tenshi.sh.1 was downloaded

Download and Allow Execution: The file /tmp/tenshimips was downloaded and granted execution privileges (2 times)

Malicious File: /tmp/tenshimips was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules

Download and Allow Execution: The file /tmp/tenshimipsel was downloaded and granted execution privileges (2 times)

Malicious File: /tmp/tenshimipsel was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules

Download File: /tmp/tenshish4.1 was downloaded

Download and Allow Execution: The file /tmp/tenshish4 was downloaded and granted execution privileges

Malicious File: /tmp/tenshish4 was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules

Download File: /tmp/tenshix86.1 was downloaded

Download and Execute: The file /tmp/tenshix86 was downloaded and executed

Connection was closed due to user inactivity

Malicious File: /tmp/tenshix86 was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules

Malicious File: /tmp/tenshix86.1 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File: /tmp/tenshish4.1 was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules

Associated Files

/tmp/gang (22520 bytes)
SHA256: f18f10e5a7cc328844e46194bd20d9eb0439d569db9b7e64a980aa04c1fc710e

/tmp/tenshi.sh.1 (2458 bytes)
SHA256: 77ee37b72950817174d0dd7ceda613fa17e444c8fe5dad7d09702cd7dac49dab

/tmp/tenshimips (161769 bytes)
SHA256: 6222453c1c8e5c19425a6b75519210eae830e36ebcccc0d5882b9c14944593f3

/tmp/tenshimipsel (161881 bytes)
SHA256: 8f15a0cb6c9f93c6edb94d9d2fad25e868dcb5714a0a13e2fa5b867c73e35349

/tmp/tenshish4.1 (112785 bytes)
SHA256: 5ce3868803c99b3d4e7f7c401fd90a2dd2b6f972bc46e8e3c05e2d56ee0a201d

/tmp/tenshix86 (116928 bytes)
SHA256: 84b18d71ec44fb7aefede8e97934e4e78f781a0f8d25d00ed1ff2a672374cb8f

/tmp/tenshix86.1 (72763 bytes)
SHA256: 6e90eabda7675c6969c0c09c6159099437052575f628f67b808135898bbedfcd
