IP Address: 109.166.131.255 - Previously Malicious


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker
Services Targeted: SSH
Tags: Successful SSH Login, Malicious File, Bulk Files Tampering, Networking Operation, 19 Shell Commands, Download and Allow Execution, Download File, Access Suspicious Domain, DNS Query, Package Install, Download Operation, SSH, HTTP, Outgoing Connection, Human, Superuser Operation

Connect Back Servers

Domains: www.speedtest.net, stosat-rstn-01.sys.comcast.net, shentel.net, sp1.winchesterwireless.net, stosat-malt-01.sys.comcast.net, edinburg.speedtest.shentel.net, bigdaddy.wave2net.com, comcast.net, saminicu.ga

IP addresses: 69.241.0.94, 204.111.5.18, 111.230.0.8, 111.230.0.1, 151.101.2.219, 111.230.0.4, 69.241.87.90, 145.14.144.200, 111.230.0.3, 145.14.144.70, 111.230.0.6, 145.14.145.54, 111.230.0.7, 111.230.0.5, 184.170.114.134, 204.111.21.7, 111.230.0.2

Basic Information

IP Address: 109.166.131.255
Domain: -
ISP: Orange Romania
Country: Romania

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-07-29
Last seen in Guardicore Centra: 2018-07-29

What is Guardicore Centra?
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Each event is followed by the Centra tags assigned to it, in parentheses.

A user logged in using SSH with the following credentials: root / *********** - Authentication policy: White List (Successful SSH Login)

A possibly malicious Superuser Operation was detected (Download Operation, Package Install, Superuser Operation, Networking Operation)

A possibly malicious Package Install was detected 2 times (Download Operation, Package Install, Superuser Operation, Networking Operation)

A possibly malicious Download Operation was detected (Download Operation, Package Install, Superuser Operation, Networking Operation)

Process /usr/bin/wget attempted to access suspicious domains: saminicu.ga (DNS Query, Access Suspicious Domain, Outgoing Connection)

Process /usr/bin/wget generated outgoing network traffic to: 145.14.144.200:80 (Outgoing Connection)

/var/tmp/IRC.zip was downloaded (Download File)

The following files were downloaded and granted execution privileges (Download and Allow Execution):
/var/tmp/IRC/Changes
/var/tmp/IRC/Changes.old
/var/tmp/IRC/Changes.older
/var/tmp/IRC/Config
/var/tmp/IRC/Donation
/var/tmp/IRC/INSTALL.REMOTEINC
/var/tmp/IRC/LICENSE
/var/tmp/IRC/Makefile.in
/var/tmp/IRC/README
/var/tmp/IRC/Unreal.nfo
/var/tmp/IRC/autogen.sh
/var/tmp/IRC/badwords.channel.conf
/var/tmp/IRC/badwords.message.conf
/var/tmp/IRC/badwords.quit.conf
/var/tmp/IRC/config.guess
/var/tmp/IRC/config.sub
/var/tmp/IRC/configure
/var/tmp/IRC/configure.ac
/var/tmp/IRC/createchangelog
/var/tmp/IRC/curl-ca-bundle.crt
/var/tmp/IRC/curlinstall
/var/tmp/IRC/dccallow.conf
/var/tmp/IRC/help.conf
/var/tmp/IRC/m_template.c
/var/tmp/IRC/makefile.win32
/var/tmp/IRC/modulize
/var/tmp/IRC/newnet
/var/tmp/IRC/spamfilter.conf
/var/tmp/IRC/unreal.in
/var/tmp/IRC/unrealircd.conf
/var/tmp/IRC/update

A possibly malicious Networking Operation was detected (Download Operation, Package Install, Superuser Operation, Networking Operation)

The following files were identified as malicious by YARA (Malicious File); the matching rule set is given after each path:
/var/tmp/IRC/dccallow.conf: Suspicious Strings
/var/tmp/IRC/configure.ac: Suspicious Strings
/var/tmp/IRC/help.conf: Antidebug Antivm and Suspicious Strings
/var/tmp/IRC/Changes.old: Suspicious Strings
/var/tmp/IRC/spamfilter.conf: Suspicious Strings
/var/tmp/IRC/unrealircd.conf: Suspicious Strings
/var/tmp/IRC/include/dynconf.h: Suspicious Strings
/var/tmp/IRC/include/msg.h: Antidebug Antivm
/var/tmp/IRC/include/struct.h: Antidebug Antivm and Suspicious Strings
/var/tmp/IRC/include/ircsprintf.h: Suspicious Strings
/var/tmp/IRC/include/threads.h: Antidebug Antivm
/var/tmp/IRC/configure: Malw Miscelanea Linux and Suspicious Strings
/var/tmp/IRC/src/modules/m_admin.c: Suspicious Strings
/var/tmp/IRC/src/modules/m_stats.c: Suspicious Strings
/var/tmp/IRC/src/modules/m_quit.c: Suspicious Strings
/var/tmp/IRC/src/modules/m_nick.c: Antidebug Antivm and Suspicious Strings
/var/tmp/IRC/src/modules/m_tkl.c: Suspicious Strings
/var/tmp/IRC/src/modules/m_join.c: Suspicious Strings
/var/tmp/IRC/src/modules/m_message.c: Suspicious Strings
/var/tmp/IRC/src/modules/m_mode.c: Suspicious Strings
/var/tmp/IRC/src/modules/m_pingpong.c: Suspicious Strings
/var/tmp/IRC/src/modules/m_cap.c: Suspicious Strings
/var/tmp/IRC/src/support.c: Javascript Exploit And Obfuscation and Crypto Signatures
/var/tmp/IRC/src/s_serv.c: Suspicious Strings
/var/tmp/IRC/src/s_conf.c: Suspicious Strings
/var/tmp/IRC/src/ircd.c: Antidebug Antivm and Suspicious Strings
/var/tmp/IRC/src/modules.c: Malw Miscelanea Linux
/var/tmp/IRC/src/packet.c: Suspicious Strings
/var/tmp/IRC/src/parse.c: Suspicious Strings
/var/tmp/IRC/src/win32/unrealinst.iss: Antidebug Antivm
/var/tmp/IRC/src/win32/debug.c: Antidebug Antivm
/var/tmp/IRC/src/s_misc.c: Suspicious Strings
/var/tmp/IRC/src/socket.c: Suspicious Strings
/var/tmp/IRC/src/s_bsd.c: Suspicious Strings
/var/tmp/IRC/doc/help.de.conf: Antidebug Antivm and Suspicious Strings
/var/tmp/IRC/doc/unreal32docs.html: Suspicious Strings
/var/tmp/IRC/doc/example.hu.conf: Suspicious Strings
/var/tmp/IRC/doc/example.es.conf: Suspicious Strings
/var/tmp/IRC/doc/unreal32docs.tr.html: Suspicious Strings
/var/tmp/IRC/doc/help.fr.conf: Antidebug Antivm and Suspicious Strings
/var/tmp/IRC/doc/unreal32docs.fr.html: Suspicious Strings
/var/tmp/IRC/doc/example.tr.conf: Suspicious Strings
/var/tmp/IRC/doc/example.de.conf: Suspicious Strings
/var/tmp/IRC/doc/unreal32docs.es.html: Suspicious Strings
/var/tmp/IRC/doc/unreal32docs.hu.html: Suspicious Strings
/var/tmp/IRC/doc/unreal32docs.ru.html: Suspicious Strings
/var/tmp/IRC/doc/example.conf: Suspicious Strings
/var/tmp/IRC/doc/example.fr.conf: Suspicious Strings
/var/tmp/IRC/doc/technical/token.txt: Antidebug Antivm
/var/tmp/IRC/doc/technical/serverprotocol.html: Javascript Exploit And Obfuscation and Antidebug Antivm
/var/tmp/IRC/doc/help.tr.conf: Antidebug Antivm and Suspicious Strings
/var/tmp/IRC/doc/help.ru.conf: Antidebug Antivm and Suspicious Strings
/var/tmp/IRC/doc/example.ru.conf: Suspicious Strings
/var/tmp/IRC/doc/example.nl.conf: Suspicious Strings
/var/tmp/IRC/doc/unreal32docs.de.html: Suspicious Strings
/var/tmp/IRC/Changes.older: Antidebug Antivm and Suspicious Strings
/var/tmp/IRC/extras/malloc.c: Suspicious Strings
/var/tmp/IRC/autoconf/m4/unreal.m4: Suspicious Strings

Connection was closed due to timeout

Process /usr/bin/unzip performed bulk changes in {/var} on 352 files (Bulk Files Tampering)

Associated Files

/var/tmp/x/x

SHA256: 863fea751e0d533ee1900288b266676e06335995623750ed0e710a8790628420

68 bytes

/var/tmp/f/a

SHA256: e533fddcdfcb02761be082319836c4f24813c6017f3b755d22bbde141deba53e

53 bytes

/var/tmp/. /krt/krt

SHA256: 1225cc15a71886e5b11fca3dc3b4c4bcde39f4c7c9fbce6bad5e4d3ceee21b3a

899800 bytes

/var/tmp/x/vuln

SHA256: 65be48b3773362a2447104a064019f5d71303e26891fdf1950166f6578098769

512 bytes

/tmp/ntest.py

SHA256: a5509010c603914ce066f0faf9947432b723f815ae7f7066b469bdefb8c73327

24827 bytes

/var/tmp/IRC/autogen.sh

SHA256: 351d0e9e6d1bb1857b8ca5558ff19510e356ee6f138f442a4e0955382a97f3d1

123 bytes

/var/tmp/IRC/config.sub

SHA256: 4d3fec6c8e711daa09775fe976512354aef9f0f8ea0deeeaea4d3b1916f705f7

27846 bytes

/var/tmp/IRC/createchangelog

SHA256: 53368243908f04c836b60e3acaf6575d25ddaec4e71c6ac3e963e35b6693b45d

543 bytes

/var/tmp/IRC/curlinstall

SHA256: 7980e81f037a080b8b1f76c20db5cd583a78a41a4b1b6b9709b0025431b7c7a3

1997 bytes

/var/tmp/IRC.zip

SHA256: 6e48bd874010229a23b82c860d670f35c26b114534abd7969ed2c540e145f6f1

3738217 bytes

/var/tmp/IRC/configure

SHA256: 9b3ae309c40d5907604e5eeda956270f58cbd758cbe6e9a339aaae45cbdd93a3

232067 bytes

/var/tmp/IRC/m_template.c

SHA256: 52f775b8f6b8c4d63bc4c1948ba0deb61bd72b6513cc3f2d30b36dfa01b897f9

1906 bytes

/var/tmp/IRC/Config

SHA256: 6517b6e251c1b94e1f34ff2552b004ca61f61ce256acec3b3a7ed834a32b5e42

24830 bytes

/var/tmp/IRC/configure.ac

SHA256: 2eed36f57676a298f261d36335241ab053f50957880ac07c9bfd130ddd38360f

25463 bytes

/var/tmp/IRC/modulize

SHA256: d4dfffc7af677db0e12cc4ea4225f2a045f3ec08918e51763dcfafaf872e5ad6

630 bytes

/root/boty.txt

SHA256: 2cb7452a5d13797a8013092f4910a15d339adbd8d810fdedf6e2b9bbc83cb390

38097 bytes

/tmp/fscand.zip

SHA256: 24cfa677537ef9394027ebc717372000e638097942d9ea830619fabbf94de2f6

914707 bytes

/var/tmp/IRC/config.guess

SHA256: aacf18f8ae8b137adbe9d290910f0bd0a0447204b10d4a6884585ea8ad7e9479

39027 bytes

/var/tmp/IRC/newnet

SHA256: 72ba2fb0b3046d12669e250938b893b3b18e09eb74fac3065e1d1338b2cf7266

547 bytes

/var/tmp/IRC/unreal.in

SHA256: 47ce95dcb8bb36cacadf9195db2babfbdab58da695d6e6bff2a2208d8f5340ac

4549 bytes

/var/tmp/IRC/unrealircd.conf

SHA256: b2657a6303f73285b1624b6c1761a837e68b2f1faa9c2e53a2bfefa7dd5bf47e

8634 bytes

/var/tmp/IRC/update

SHA256: 590d6d47f102982a88d21c39219b05d2875a6cabb1dadcb3fd57be8b5e4ed00f

956 bytes
