IP Address: 104.248.210.168 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner

Services Targeted: HTTP

Tags: IDS - Web Application Attack, Inbound HTTP Request, HTTP, Download and Execute, Download File, Service Stop, Download and Allow Execution, Outgoing Connection

Associated Attack Servers: colocrossing.com; 40.77.29.89, 168.63.111.68, 168.63.109.147, 104.43.209.159, 13.92.155.251, 168.63.110.147, 192.227.176.100

Basic Information

IP Address: 104.248.210.168

Domain: -

ISP: Digital Ocean

Country: United States

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2019-06-16

Last seen in Guardicore Centra: 2019-07-06


Attack Flow

Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to colocrossing.com:80 (7 times)

Download and Allow Execution: The file /tmp/bins.sh was downloaded and granted execution privileges

Download and Allow Execution: The file /tmp/Execution.mips was downloaded and granted execution privileges

Download and Allow Execution: The file /tmp/Execution.mpsl was downloaded and granted execution privileges

Download and Allow Execution: The file /tmp/Execution.sh4 was downloaded and granted execution privileges

Download and Execute: The file /tmp/Execution.x86 was downloaded and executed (15 times)

IDS - Web Application Attack: IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body

Download and Allow Execution: The file /tmp/Execution.arm6 was downloaded and granted execution privileges

Outgoing Connection: Process /tmp/Execution.i686 generated outgoing network traffic to colocrossing.com:282

Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to colocrossing.com:80 (8 times)

Download and Allow Execution: The file /tmp/Execution.ppc was downloaded and granted execution privileges

Download and Allow Execution: The file /tmp/Execution.m68k was downloaded and granted execution privileges

Download and Allow Execution: The file /tmp/Execution.sparc was downloaded and granted execution privileges

Download and Allow Execution: The file /tmp/Execution.arm4 was downloaded and granted execution privileges

Download and Allow Execution: The file /tmp/Execution.arm5 was downloaded and granted execution privileges

Download and Allow Execution: The file /tmp/Execution.arm7 was downloaded and granted execution privileges

Download and Allow Execution: The file /tmp/Execution.ppc was downloaded and granted execution privileges

Download and Execute: The file /tmp/Execution.i586 was downloaded and executed (24 times)

Download and Execute: The file /tmp/Execution.i686 was downloaded and executed (12 times)

Service Stop: Service iptables was stopped (4 times)

Service Stop: Service firewalld was stopped (4 times)

Download and Execute: The file /bin/rm was downloaded and executed

Connection was closed due to timeout

Associated Files
