IP Address: 106.12.109.81 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

DNS Query, Bulk Files Tampering, Successful SSH Login, Service Start, SSH Brute Force, Outgoing Connection, Brute Force, Superuser Operation, Malicious File, Download and Execute, Download and Allow Execution, Successful Login, Package Install, Service Stop

Connect Back Servers

Domains: _http._tcp.archive.ubuntu.com, _http._tcp.security.ubuntu.com, archive.ubuntu.com, security.ubuntu.com

IP addresses: 91.189.88.152, 91.189.88.162, 91.189.88.149, 91.189.91.23

Basic Information

IP Address

106.12.109.81

Domain

-

ISP

CNISP-Union Technology (Beijing) Co.

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-11-04

Last seen in Guardicore Centra

2018-11-04


Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List (Part of a Brute Force Attempt)

Successful SSH Login SSH Brute Force

A possibly malicious Package Install was detected 7 times

Package Install Superuser Operation

A possibly malicious Superuser Operation was detected 2 times

Package Install Superuser Operation

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com 2 times

DNS Query

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.security.ubuntu.com and security.ubuntu.com

DNS Query

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.162:80

Outgoing Connection

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.149:80 and 91.189.91.23:80

Outgoing Connection

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.152:80

Outgoing Connection

Service apt-daily-upgrade.timer was stopped

Service Stop

The file /usr/share/bug/apt/script was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/dpkg/methods/apt/install was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/dpkg/methods/apt/update was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/dpkg/methods/apt/setup was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/apt.systemd.daily was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/rsh was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/copy was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/file was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/gpgv was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/mirror was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/ftp was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/http was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/store was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/rred was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/cdrom was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/apt-helper was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-cache was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-mark was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-key was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-cdrom was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-config was downloaded and granted execution privileges

Download and Allow Execution

The file /etc/cron.daily/apt-compat.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

The file /etc/kernel/postinst.d/apt-auto-removal.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-get was downloaded and executed

Download and Execute

/etc/cron.daily/apt-compat.dpkg-new was scheduled to run

Service apt-daily-upgrade.timer was started

Service Start

Service apt-daily.timer was started

Service Start

Connection was closed due to timeout

/usr/lib/apt/solvers/dump was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_xenial-security_multiverse_i18n_Translation-en was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/usr/lib/apt/methods/http was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-mark was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/gpgv was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-ftparchive was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/x86_64-linux-gnu/libapt-pkg.so.5.0.0 was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Crypto Signatures and 000 Common Rules

Malicious File

/usr/bin/apt-sortpkgs was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/store was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/rsh was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/apt-helper was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-cache was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_xenial-security_multiverse_binary-amd64_Packages was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/usr/lib/apt/methods/cdrom was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/ftp was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-cdrom was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/solvers/apt was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-config was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-get was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/mirror was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/rred was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/copy was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/file was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/x86_64-linux-gnu/libapt-private.so.0.0.0 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-extracttemplates was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

Process /usr/bin/dpkg performed bulk changes in {/usr/share/locale} on 86 files

Bulk Files Tampering

Process /usr/bin/dpkg performed bulk changes in {/} on 352 files

Bulk Files Tampering

Process /usr/lib/apt/methods/store performed bulk changes in {/var/lib/apt} on 33 files

Bulk Files Tampering

Associated Files

