IP Address: 106.54.0.80 (Malicious)


IP Address: 106.54.0.80
Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

SSH

Tags

64 Shell Commands, Read Password Secrets, Log Tampering, SSH, Outgoing Connection, DNS Query, Kill Process, Service Start, SSH Brute Force, Package Manager Configuration, Superuser Operation, System File Modification, Scheduled Task Creation, Service Configuration, Download and Execute, Package Install, Download and Allow Execution, Service Stop, Executable File Modification, Bulk Files Tampering, Successful SSH Login

Associated Attack Servers

Domains: unifiedlayer.com, archive.ubuntu.com, haleyorapower.co.id, opendns.com, colocrossing.com, amazonaws.com, vultr.com, linode.com, canonical.com, 163data.com.cn, akamaitechnologies.com, icanhazip.com, whatismyipaddress.com, hi-tech.com.eg, security.ubuntu.com, hinet.net, ident.me, one.one, comcast.net

IP addresses: 175.24.81.38, 23.55.221.146, 23.35.68.11, 111.229.219.168, 47.95.196.235, 111.231.84.107, 157.250.156.48, 13.71.5.54, 120.220.250.139, 120.92.104.149, 106.55.154.242, 134.175.197.158, 103.106.83.7, 139.155.17.53, 123.178.246.50, 103.140.127.175, 50.19.206.143, 49.234.122.134, 39.108.215.9, 152.136.42.90, 49.235.86.47, 47.111.5.229, 120.77.23.25, 129.226.187.176, 117.73.11.131, 47.89.15.233, 122.51.99.234, 111.229.242.150, 123.57.42.17, 47.100.237.81

Basic Information

IP Address

106.54.0.80

Domain

-

ISP

KNET Technology (BeiJing) Co.,Ltd.

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-10-06

Last seen in Guardicore Centra

2020-08-03

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List (Part of a Brute Force Attempt)

Successful SSH Login, SSH Brute Force

A possibly malicious Package Install was detected 2 times

Superuser Operation, Package Install, Kill Process

A possibly malicious Superuser Operation was detected 2 times

Superuser Operation, Package Install, Kill Process

A possibly malicious Package Install was detected 14 times

Superuser Operation, Package Install, Kill Process

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.security.ubuntu.com and security.ubuntu.com

DNS Query

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com 2 times

DNS Query

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.174:80

Outgoing Connection

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.24:80

Outgoing Connection

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.174:80

Outgoing Connection

Service apt-daily-upgrade.timer was stopped

Service Stop

The file /usr/bin/apt-key was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-cdrom was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-mark was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-config was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-cache was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/dpkg/methods/apt/update was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/dpkg/methods/apt/setup was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/dpkg/methods/apt/install was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/apt.systemd.daily was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/apt-helper was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/rsh was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/ftp was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/file was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/http was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/gpgv was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/rred was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/mirror was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/store was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/cdrom was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/copy was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/bug/apt/script was downloaded and granted execution privileges

Download and Allow Execution

The file /etc/cron.daily/apt-compat.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

The file /etc/kernel/postinst.d/apt-auto-removal.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

The file /etc/apt/auth.conf.d was downloaded and granted execution privileges

Download and Allow Execution

System file /lib/systemd/system/apt-daily.service was modified

System File Modification

System file /lib/systemd/system/apt-daily-upgrade.timer was modified

System File Modification

System file /lib/systemd/system/apt-daily.timer was modified

System File Modification

System file /lib/systemd/system/apt-daily-upgrade.service was modified

System File Modification

Executable file /usr/bin/apt-key was modified

Executable File Modification

Executable file /usr/bin/apt-cdrom was modified

Executable File Modification

Executable file /usr/bin/apt-mark was modified

Executable File Modification

Executable file /usr/bin/apt-get was modified

Executable File Modification

Executable file /usr/bin/apt-config was modified

Executable File Modification

Executable file /usr/bin/apt was modified

Executable File Modification

Executable file /usr/bin/apt-cache was modified

Executable File Modification

The file /usr/bin/apt-get was downloaded and executed 34 times

Download and Execute

/etc/cron.daily/apt-compat.dpkg-new was scheduled to run

Service apt-daily-upgrade.timer was started

Service Start

Service apt-daily.timer was started

Service Start

The file /usr/bin/apt-sortpkgs was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-extracttemplates was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-ftparchive was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/solvers/apt was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/solvers/dump was downloaded and granted execution privileges

Download and Allow Execution

Executable file /usr/bin/apt-sortpkgs was modified

Executable File Modification

Executable file /usr/bin/apt-extracttemplates was modified

Executable File Modification

Executable file /usr/bin/apt-ftparchive was modified

Executable File Modification

A possibly malicious Kill Process was detected 4 times

Superuser Operation, Package Install, Kill Process

A possibly malicious Package Install was detected 6 times

Superuser Operation, Package Install, Kill Process

A possibly malicious Superuser Operation was detected 4 times

Superuser Operation, Package Install, Kill Process

History File Tampering detected from /bin/bash

Log Tampering

Connection was closed due to timeout

Process /usr/lib/apt/methods/store performed bulk changes in {/var/lib/apt} on 49 files

Bulk Files Tampering

Process /usr/bin/dpkg performed bulk changes in {/usr/share/locale} on 86 files

Bulk Files Tampering

Process /usr/bin/dpkg performed bulk changes in {/} on 371 files

Bulk Files Tampering

Process /usr/bin/dpkg performed bulk changes in {/usr/share/man} on 52 files

Bulk Files Tampering
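The first step of the flow above, a successful root password login that Centra marks as part of a brute-force attempt, is also the one step that the target's own sshd log records before any of the package-manager activity. The following Python detector is an added example and not code from the Guardicore page: it replays constructed auth.log lines and flags a source IP whose accepted login follows a run of failed attempts inside a sliding window. Only the address 106.54.0.80 is taken from this page; the hostname, PIDs, ports, timestamps, the second address 203.0.113.9, the log year and the threshold/window defaults are assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd lines in syslog auth.log format. Only the source IP 106.54.0.80
# comes from this page; hostname, PIDs, ports, timestamps and the other addresses are
# made up for illustration.
SAMPLE_AUTH_LOG = """\
Oct  6 03:14:01 web01 sshd[2190]: Failed password for root from 106.54.0.80 port 41022 ssh2
Oct  6 03:14:03 web01 sshd[2192]: Failed password for root from 106.54.0.80 port 41030 ssh2
Oct  6 03:14:05 web01 sshd[2194]: Failed password for invalid user admin from 106.54.0.80 port 41038 ssh2
Oct  6 03:14:07 web01 sshd[2196]: Failed password for root from 106.54.0.80 port 41044 ssh2
Oct  6 03:14:09 web01 sshd[2198]: Failed password for root from 106.54.0.80 port 41050 ssh2
Oct  6 03:14:11 web01 sshd[2200]: Accepted password for root from 106.54.0.80 port 41056 ssh2
Oct  6 03:20:00 web01 sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 50000 ssh2
Oct  6 04:00:00 web01 sshd[2400]: Failed password for root from 203.0.113.9 port 3333 ssh2
Oct  6 09:00:00 web01 sshd[2500]: Accepted password for root from 203.0.113.9 port 3334 ssh2
"""

# Matches the two sshd outcomes that matter here. "invalid user" is swallowed so that
# the user group holds the name the client actually tried.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2019):
    """Return a dict for an sshd auth line, or None for lines we do not care about.

    Syslog timestamps carry no year, so the caller supplies one. The default is an
    assumption for the sample data (the year Centra first saw this IP)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec


def detect_bruteforce_logins(log_text, threshold=3, window_seconds=300, year=2019):
    """Flag every accepted login preceded by at least `threshold` failures from the
    same source IP within a sliding window of `window_seconds`. Both defaults are
    tuning assumptions, not values from the page."""
    recent_failures = defaultdict(deque)  # ip -> failure timestamps still inside the window
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None:
            continue
        window = recent_failures[rec["ip"]]
        # Expire failures that are older than the window relative to this event.
        while window and (rec["ts"] - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if rec["result"] == "Failed":
            window.append(rec["ts"])
        elif len(window) >= threshold:
            alerts.append({
                "ip": rec["ip"],
                "user": rec["user"],
                "method": rec["method"],
                "failed_attempts": len(window),
                "success_at": rec["ts"].isoformat(),
            })
            window.clear()  # one alert per brute-force run, not one per later login
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce_logins(SAMPLE_AUTH_LOG):
        print(f"{a['ip']} logged in as {a['user']} via {a['method']} at "
              f"{a['success_at']} after {a['failed_attempts']} failures")
```

On the sample data only 106.54.0.80 is flagged: its root login lands ten seconds after five failures, while the single failure from 203.0.113.9 has expired from the window by the time that address logs in. Widening the window and lowering the threshold trades that precision for recall, which is the usual tuning knob when the brute force is slow. The regex covers sshd's standard "Accepted"/"Failed" message format as written to a syslog file; hosts that log only to journald or that run a patched sshd need the line pattern adjusted.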

Associated Files

/usr/lib/apt/methods/http.dpkg-new

SHA256: 861cd49bade3a5042ba0e5a9a4b29614a002df3ed7a1ee1cc69603b2a46e181b

84096 bytes

/etc/cron.daily/apt-compat.dpkg-new

SHA256: 8eeae3a9df22621d51062e4dadfc5c63b49732b38a37b5d4e52c99c2237e5767

1474 bytes

/etc/kernel/postinst.d/apt-auto-removal.dpkg-new

SHA256: fd20d97bd700dc193bf6e3189b5a854d80a828a132af3dfcac0468c571e9eaaf

2713 bytes

/usr/lib/apt/solvers/dump.dpkg-new

SHA256: 862eadca3c04a24c777634dc5b10fa977ed1881dde1a71d27c1a843de0c6cbbb

14384 bytes
