IP Address: 106.54.0.80 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SSH
Tags: Access Suspicious Domain, SSH, New SSH Key, SSH Brute Force, Successful SSH Login, Download and Execute, Outgoing Connection
Associated Attack Servers: 13.71.5.54, 14.29.196.126, 18.235.112.207, 23.55.220.56, 23.55.220.59, 23.55.221.146, 34.236.80.17, 39.96.23.91, 39.98.201.31, 39.104.166.233, 39.105.175.226, 39.105.187.175, 39.105.208.94, 39.107.235.247, 39.108.215.9, 47.75.42.164, 47.94.105.126, 47.95.196.235, 47.97.207.84, 47.100.57.138, 47.100.237.81, 47.102.100.34, 47.104.252.215, 47.105.244.235, 47.111.5.229, 49.232.99.199, 49.232.163.176, 49.233.17.49, 49.233.58.232, 49.233.64.4
IP Address: 106.54.0.80
Domain: -
ISP: KNET Technology (BeiJing) Co.,Ltd.
Country: China
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2019-10-06
Last seen in Akamai Guardicore Segmentation: 2020-08-03
Event: A user logged in using SSH with the following credentials: root / *********** - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)
Tags: SSH Brute Force, Successful SSH Login

Event: The file /usr/bin/rlhcfc was downloaded and executed 44 times
Tags: Download and Execute

Event: Process /usr/bin/rlhcfc generated outgoing network traffic to: 1.1.1.1:53, 101.132.226.44:39030, 101.226.197.196:46448, 101.66.251.68:33469, 106.52.129.44:45494, 106.52.133.125:46139, 106.54.0.80:34630, 106.55.43.74:37905, 107.23.193.11:80, 111.229.219.168:36111, 111.229.41.136:38038, 111.229.73.125:33500, 111.230.171.193:39047, 111.231.84.107:36662, 111.39.166.233:42786, 115.159.52.39:37474, 116.202.244.153:80, 118.24.4.240:42677, 120.77.57.50:35523, 121.40.102.119:39430, 122.51.255.138:44441, 122.51.68.129:32973, 122.51.68.129:41515, 123.207.69.188:45044, 123.57.77.237:38356, 125.78.15.36:34801, 129.226.57.194:34763, 176.58.123.25:80, 208.67.222.222:443, 216.239.32.21:80, 216.239.34.21:80, 218.29.54.188:39950, 23.55.220.56:80, 39.107.235.247:37505, 39.108.215.9:41985, 39.96.23.91:38891, 47.100.57.138:37575, 47.102.100.34:45011, 47.75.42.164:34959, 49.233.189.198:32949, 49.233.64.4:46615, 49.234.188.202:46118, 60.205.202.65:44634, 60.248.152.189:60199, 66.171.248.178:80 and 68.183.186.25:8000
Tags: Outgoing Connection

Event: Process /usr/bin/rlhcfc attempted to access suspicious domains: adsl, icanhazip.com, ident.me and one.one
Tags: Access Suspicious Domain, Outgoing Connection

Event: The file /usr/bin/chattr was downloaded and executed
Tags: Download and Execute

Event: Connection was closed due to timeout

Event: An attempt to download /root/.ssh/authorized_keys was made 25 times
Tags: New SSH Key