IP Address: 104.248.225.138Previously Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
104.248.225.138​
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

HadoopYARN

Tags

HadoopYARN Malicious File IDS - Web Application Attack Download and Allow Execution Download and Execute Inbound HTTP Request

Associated Attack Servers

senpai

40.87.71.177 142.93.255.208 52.176.53.237 13.93.11.157 104.41.146.79 168.63.96.139 46.17.45.249 168.235.109.90

Basic Information

IP Address

104.248.225.138

Domain

-

ISP

Digital Ocean

Country

United States

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-09-23

Last seen in Guardicore Centra

2018-10-04

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

The file /tmp/update.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/ntpd was downloaded and granted execution privileges

Download and Allow Execution

/tmp/ntpd was identified as malicious by YARA according to rules: Antidebug Antivm, Suspicious Strings and 000 Common Rules

Malicious File

IDS detected Web Application Attack : 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

The file /tmp/sshd was downloaded and granted execution privileges

Download and Allow Execution

/tmp/sshd was identified as malicious by YARA according to rules: Antidebug Antivm, Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/openssh was downloaded and granted execution privileges

Download and Allow Execution

/tmp/openssh was identified as malicious by YARA according to rules: Antidebug Antivm, Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/bash was downloaded and executed 7 times

Download and Execute

The file /tmp/tftp was downloaded and granted execution privileges

Download and Allow Execution

/tmp/tftp was identified as malicious by YARA according to rules: Antidebug Antivm, Suspicious Strings and 000 Common Rules

Malicious File

The file /tmp/wget was downloaded and executed 2 times

Download and Execute

Connection was closed due to user inactivity

Associated Files

/tmp/x86

SHA256: 48d28dbb5c7930fe83e1db5d94467c22e2d09b16853d30eef66070d950ff6054

57848 bytes

/tmp/ntpd

SHA256: 9a18857f5ab6a0a98e2b955dd93e85864f7404b550e715f22002bf839690a86d

188012 bytes

/tmp/openssh

SHA256: a038ef3dbec97a754ba9b7fa065254b619b22e5d319a4fbbf62f67c928fef3b8

133999 bytes

/tmp/tftp

SHA256: 9df38f097e14e0fa707eb65684d2fb351cc5f6d00733c9fcb8bd7349f544fc39

166987 bytes

/tmp/ntpd

SHA256: ec942af6b39b54f140e2c3d0c93a2c3a44aa05c2ea25fcf7d2451bdcaa756c91

188012 bytes

/tmp/sshd

SHA256: cd486905f10a49906edce9f1bc94233734aef9e9a6a587345bb0b455fa01e16c

188012 bytes

/tmp/openssh

SHA256: b8c22a2f0477b17f071d688dace88d50805ae7523d577f1bc4d0a2f9f58d32b3

133987 bytes

/tmp/tftp

SHA256: e56a8b7947d2e552e6aa86659fa89ae48a586a0e35ec7f69f3ec75fdc8bd2224

166979 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 104.248.225.138​Previously Malicious