IP Address: 119.91.63.58 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Port 8080 Scan, 3 Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, Access Suspicious Domain, Listening
Associated Attack Servers: 13.87.67.199, 16.128.6.237, 36.83.122.148, 40.59.174.18, 44.238.52.93, 45.11.19.163, 49.233.159.222, 50.66.15.85, 66.249.71.60, 67.222.250.30, 72.122.205.219, 80.55.174.62, 88.81.100.162, 101.43.160.19, 104.114.227.154, 106.58.89.217, 111.53.11.133, 112.71.44.37, 116.225.43.137, 125.129.226.135, 134.208.37.41, 139.59.135.142, 166.244.185.126, 191.116.113.49, 199.141.60.231, 220.70.42.125, 221.251.99.45, 248.44.123.219, 253.67.76.240
IP Address: 119.91.63.58
Domain: -
ISP: HuaBei Oil Communication CO. Information Center
Country: China
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-17
Last seen in Akamai Guardicore Segmentation: 2022-09-02
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Outgoing Connection: Process /dev/shm/apache2 generated outgoing network traffic to: 1.1.1.1:443, 1.220.98.197:1234, 100.182.199.106:80, 100.182.199.106:8080, 101.43.160.19:1234, 106.58.89.217:22, 111.53.11.133:1234, 112.71.44.37:2222, 115.49.200.193:80, 115.49.200.193:8080, 117.203.52.39:80, 117.203.52.39:8080, 118.109.69.53:80, 118.109.69.53:8080, 119.1.168.221:80, 119.1.168.221:8080, 12.143.3.6:80, 12.143.3.6:8080, 125.93.13.51:80, 125.93.13.51:8080, 126.72.163.165:80, 126.72.163.165:8080, 134.208.37.41:22, 139.59.135.142:1234, 145.149.88.162:80, 145.149.88.162:8080, 155.6.70.52:80, 155.6.70.52:8080, 16.128.6.237:2222, 166.244.185.126:22, 170.77.26.103:80, 170.77.26.103:8080, 189.60.203.151:80, 189.60.203.151:8080, 19.137.119.229:80, 19.137.119.229:8080, 190.23.152.123:80, 190.23.152.123:8080, 191.116.113.49:22, 199.141.60.231:2222, 20.28.115.158:80, 20.28.115.158:8080, 202.110.82.181:80, 202.110.82.181:8080, 204.27.67.95:80, 204.27.67.95:8080, 220.70.42.125:2222, 221.251.99.45:2222, 240.57.47.26:80, 240.57.47.26:8080, 248.12.219.247:80, 248.12.219.247:8080, 248.44.123.219:2222, 253.67.76.240:22, 27.178.151.4:80, 27.178.151.4:8080, 27.90.15.166:80, 27.90.15.166:8080, 29.158.70.215:80, 29.158.70.215:8080, 36.83.122.148:2222, 39.251.207.243:80, 39.251.207.243:8080, 40.59.174.18:22, 42.128.19.211:80, 42.128.19.211:8080, 45.11.19.163:1234, 47.48.245.27:80, 47.48.245.27:8080, 49.233.159.222:1234, 50.66.15.85:2222, 59.25.220.218:80, 59.25.220.218:8080, 63.13.78.29:80, 63.13.78.29:8080, 67.100.208.232:80, 67.100.208.232:8080, 67.222.250.30:22, 72.122.205.219:2222, 73.232.128.184:80, 73.232.128.184:8080, 74.199.97.183:80, 74.199.97.183:8080, 80.55.174.62:22, 88.81.100.162:1234, 9.178.198.173:80, 9.178.198.173:8080, 95.44.51.108:80 and 95.44.51.108:8080
Listening: Process /dev/shm/apache2 started listening on ports: 1234, 8081 and 8189
Port 80 Scan, Port 8080 Scan: Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan: Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan: Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Access Suspicious Domain, Outgoing Connection: Process /dev/shm/apache2 attempted to access suspicious domains: aniar.ie, eonet.ne.jp, myvzw.com, ndhu.edu.tw and tpnet.pl
Port 80 Scan, Port 8080 Scan: Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Connection was closed due to timeout