IP Address: 120.205.9.22 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers | 1.129.193.42, 2.51.249.73, 12.7.100.248, 23.94.56.185, 26.148.209.136, 28.155.132.20, 31.19.237.170, 45.122.41.129, 49.123.109.140, 50.7.86.202, 61.159.75.42, 66.205.32.200, 68.63.216.96, 74.191.136.60, 82.217.60.245, 92.6.230.71, 101.42.37.11, 105.50.66.229, 107.175.215.247, 111.26.161.204, 115.254.63.51, 124.223.14.100, 128.89.133.47, 129.22.116.245, 134.129.137.76, 136.44.237.68, 137.158.45.16, 140.118.114.127, 146.225.186.108
IP Address | 120.205.9.22
Domain | -
ISP | China Mobile Guangdong
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-05
Last seen in Akamai Guardicore Segmentation | 2022-04-14
Incident timeline (tag | event recorded by the sensor)
Successful SSH Login | A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Download File | /dev/shm/ifconfig was downloaded
Successful SSH Login | A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Superuser Operation | A possibly malicious superuser operation was detected 2 times
Outgoing Connection | Process /dev/shm/apache2 generated outgoing network traffic to: 1.96.181.186:80, 1.96.181.186:8080, 101.42.37.11:22, 104.21.25.86:443, 105.50.66.229:2222, 111.26.161.204:1234, 114.147.32.8:80, 114.147.32.8:8080, 115.130.104.84:80, 115.130.104.84:8080, 115.228.70.19:80, 115.228.70.19:8080, 12.7.100.248:22, 124.223.14.100:1234, 125.3.9.157:80, 125.3.9.157:8080, 128.89.133.47:22, 130.226.35.148:80, 130.226.35.148:8080, 133.105.125.101:80, 133.105.125.101:8080, 133.213.94.214:80, 133.213.94.214:8080, 135.136.99.230:80, 135.136.99.230:8080, 136.44.237.68:22, 137.158.45.16:22, 139.209.222.134:1234, 14.198.1.165:80, 14.198.1.165:8080, 142.173.48.31:80, 142.173.48.31:8080, 147.178.43.84:2222, 151.84.89.90:1234, 152.106.22.81:80, 152.106.22.81:8080, 158.113.11.214:80, 158.113.11.214:8080, 162.241.35.13:2222, 172.67.133.228:443, 174.59.98.38:80, 174.59.98.38:8080, 178.245.198.25:1234, 180.199.226.148:2222, 181.58.92.179:80, 181.58.92.179:8080, 182.101.37.191:80, 182.101.37.191:8080, 183.55.7.240:80, 183.55.7.240:8080, 191.108.48.62:80, 191.108.48.62:8080, 192.18.139.106:1234, 192.47.139.152:80, 192.47.139.152:8080, 206.196.27.206:80, 206.196.27.206:8080, 210.230.178.40:80, 210.230.178.40:8080, 216.69.35.241:80, 216.69.35.241:8080, 22.205.198.159:80, 22.205.198.159:8080, 24.189.72.182:80, 24.189.72.182:8080, 245.204.58.188:80, 245.204.58.188:8080, 250.84.141.64:2222, 26.148.209.136:2222, 31.19.237.170:1234, 49.123.109.140:2222, 51.13.217.10:80, 51.13.217.10:8080, 51.75.146.174:443, 54.131.51.211:80, 54.131.51.211:8080, 61.159.75.42:22, 66.205.32.200:2222, 68.63.216.96:22, 82.217.60.245:22, 86.93.91.151:80, 86.93.91.151:8080, 87.210.237.173:80, 87.210.237.173:8080, 89.185.47.224:80, 89.185.47.224:8080, 89.233.186.166:80, 89.233.186.166:8080, 98.247.35.108:80 and 98.247.35.108:8080
Listening | Process /dev/shm/apache2 started listening on ports: 1234, 8084 and 8185
Access Suspicious Domain, Outgoing Connection | Process /dev/shm/apache2 attempted to access suspicious domains: abstractti.com.br, commufa.jp, jlccptt.net.cn and kabel-deutschland.de
Port 80 Scan | Process /dev/shm/apache2 scanned port 80 on 32 IP addresses
Port 8080 Scan | Process /dev/shm/apache2 scanned port 8080 on 32 IP addresses
Port 80 Scan | Process /dev/shm/apache2 scanned port 80 on 32 IP addresses
Port 8080 Scan | Process /dev/shm/apache2 scanned port 8080 on 32 IP addresses
Session End | Connection was closed due to timeout
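The timeline above is the typical shape of an SSH brute-force-then-drop incident: a root login, a payload written to the world-writable tmpfs at /dev/shm under a system-tool name, a bind on new ports, and outbound scanning of 80/8080. The triage helper below is an added example, not Akamai Guardicore code and not an export format the product documents. It parses event lines written in the style of this page (the sample events are constructed for the example and only echo the timeline, they are not a verbatim sensor dump), and pulls out what a responder would pivot on: binaries executing from scratch paths, names that impersonate common daemons, outbound port distribution, listening ports, resolved domains and SSH login policy. The scratch-directory list and the masquerade name list are assumptions chosen for illustration.

```python
"""Triage of sensor event lines modelled on the incident timeline above.

Added example, not Akamai Guardicore code. The event strings are constructed
to match the page's wording; the path and name heuristics are assumptions.
"""
import re
from collections import Counter

# Constructed sample events (modelled on the timeline above, not a sensor export).
SAMPLE_EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List",
    "/dev/shm/ifconfig was downloaded",
    "A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password",
    "Process /dev/shm/apache2 generated outgoing network traffic to: 1.96.181.186:80, 1.96.181.186:8080, 101.42.37.11:22, 105.50.66.229:2222, 111.26.161.204:1234 and 104.21.25.86:443",
    "Process /dev/shm/apache2 started listening on ports: 1234, 8084 and 8185",
    "Process /dev/shm/apache2 attempted to access suspicious domains: abstractti.com.br, commufa.jp, jlccptt.net.cn and kabel-deutschland.de",
    "Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses",
    # Benign control line: a real daemon path must not be flagged.
    "Process /usr/sbin/sshd generated outgoing network traffic to: 10.0.0.5:22",
]

# Assumption: no legitimate service binary executes from these scratch paths.
SCRATCH_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
# Assumption: names droppers commonly borrow to blend into `ps` output.
MASQUERADE_NAMES = {"apache2", "httpd", "nginx", "sshd", "ifconfig", "cron", "kworker"}

_ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
_PROC = re.compile(r"^Process (\S+) ")
_DOWNLOAD = re.compile(r"^(\S+) was downloaded$")
_LISTEN = re.compile(r"started listening on ports?: (.+)$")
_DOMAINS = re.compile(r"suspicious domains?: (.+)$")
_SCAN = re.compile(r"scanned port (\d+) on (\d+) IP Addresses")
_SSH = re.compile(r"logged in using SSH with the following credentials: (\S+) / \S+ - Authentication policy: (.+)$")


def _split_list(text):
    """Split the page's 'a, b and c' style enumerations into items."""
    return [t.strip() for t in re.split(r",\s*|\s+and\s+", text) if t.strip()]


def triage(events):
    """Extract pivot indicators from event lines; returns a plain dict."""
    paths, peers, listen_ports, domains = set(), set(), set(), set()
    out_ports, scans, ssh_logins = Counter(), {}, []
    for line in events:
        m = _SSH.search(line)
        if m:
            ssh_logins.append((m.group(1), m.group(2)))
            continue
        m = _DOWNLOAD.match(line)
        if m:
            paths.add(m.group(1))  # dropped file, not yet seen executing
            continue
        m = _PROC.match(line)
        if not m:
            continue
        paths.add(m.group(1))
        if "generated outgoing network traffic" in line:
            for ip, port in _ENDPOINT.findall(line):
                out_ports[int(port)] += 1
                peers.add(ip)
        m2 = _LISTEN.search(line)
        if m2:
            listen_ports.update(int(p) for p in _split_list(m2.group(1)))
        m2 = _DOMAINS.search(line)
        if m2:
            domains.update(_split_list(m2.group(1)))
        m2 = _SCAN.search(line)
        if m2:
            port, count = int(m2.group(1)), int(m2.group(2))
            scans[port] = scans.get(port, 0) + count
    # Executables in scratch dirs are suspicious; a borrowed daemon name on top is masquerading.
    suspicious = sorted(p for p in paths if p.startswith(SCRATCH_DIRS))
    masquerading = sorted(p for p in suspicious if p.rsplit("/", 1)[-1] in MASQUERADE_NAMES)
    return {
        "ssh_logins": ssh_logins,
        "suspicious_paths": suspicious,
        "masquerading": masquerading,
        "outbound_ports": dict(out_ports),
        "peers": sorted(peers),
        "listening_ports": sorted(listen_ports),
        "domains": sorted(domains),
        "scans": scans,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The benign `/usr/sbin/sshd` line is deliberately included so the path check, not the name list alone, drives the verdict: `sshd` is in the masquerade list but is only reported when it runs from a scratch directory. On a live host the same logic maps to checking `/proc/<pid>/exe` targets against the scratch paths and comparing listening sockets from `ss -lntp` against the expected service set.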
|