IP Address: 121.201.61.205 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SSH |
Tags |
Port 22 Scan, Access Suspicious Domain, SSH, Download and Allow Execution, 6 Shell Commands, Successful SSH Login, Listening, Port 2222 Scan, Download and Execute, Outgoing Connection |
Associated Attack Servers |
IP Address |
121.201.61.205 |
|
Domain |
- |
|
ISP |
CNISP-Union Technology (Beijing) Co. |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2020-05-09 |
Last seen in Akamai Guardicore Segmentation |
2021-01-28 |
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password |
Successful SSH Login |
The file /root/ifconfig was downloaded and executed 7 times |
Download and Execute |
The file /root/nginx was downloaded and executed 153 times |
Download and Execute |
Process /root/nginx scanned port 22 on 44 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /root/nginx scanned port 2222 on 44 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /root/nginx scanned port 22 on 40 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /root/nginx started listening on ports: 1234 |
Listening |
Process /root/nginx generated outgoing network traffic to: 100.0.197.18:1234, 101.25.53.250:2222, 103.127.80.9:1234, 105.155.38.238:22, 105.155.38.238:2222, 109.20.164.233:2222, 117.163.166.37:22, 117.163.166.37:2222, 119.219.93.196:22, 119.219.93.196:2222, 12.13.68.235:22, 12.13.68.235:2222, 121.156.203.3:1234, 121.201.61.205:1234, 122.123.209.96:2222, 124.232.22.178:2222, 13.131.229.218:22, 13.79.183.251:22, 132.167.28.67:22, 144.12.94.186:22, 144.12.94.186:2222, 15.73.221.102:22, 15.73.221.102:2222, 157.120.148.209:22, 159.7.171.105:22, 159.7.171.105:2222, 161.139.68.245:1234, 180.133.213.232:22, 181.215.155.40:22, 181.215.155.40:2222, 189.136.99.92:2222, 192.192.166.235:22, 194.112.20.225:22, 194.112.20.225:2222, 198.45.158.169:22, 2.19.175.175:22, 2.41.169.168:22, 2.41.169.168:2222, 200.60.107.30:22, 200.79.116.56:22, 200.79.116.56:2222, 200.97.171.57:2222, 208.167.15.122:22, 208.167.15.122:2222, 218.146.128.93:1234, 22.148.195.174:2222, 22.180.71.166:22, 222.126.116.208:22, 222.126.116.208:2222, 23.230.1.118:22, 249.127.14.49:22, 249.127.14.49:2222, 25.134.180.212:22, 25.134.180.212:2222, 29.195.28.168:2222, 29.32.222.94:22, 29.85.35.83:22, 34.203.1.132:22, 34.203.1.132:2222, 43.59.120.38:22, 43.59.120.38:2222, 46.229.38.57:2222, 46.86.94.89:2222, 56.1.173.12:2222, 59.53.34.133:22, 59.53.34.133:2222, 6.87.179.122:22, 6.87.179.122:2222, 60.235.48.162:22, 60.235.48.162:2222, 61.170.136.104:22, 61.170.136.104:2222, 68.251.170.99:22, 68.251.170.99:2222, 7.188.220.185:22, 7.188.220.185:2222, 71.62.129.30:1234, 73.181.220.109:22, 75.225.145.173:22, 75.225.145.173:2222, 79.162.218.140:2222, 81.179.140.241:22, 82.229.247.172:22, 82.229.247.172:2222, 85.82.222.168:22, 85.82.222.168:2222, 87.38.46.51:22, 87.38.46.51:2222, 94.124.50.210:22 and 94.124.50.210:2222 |
Outgoing Connection |
Process /root/nginx attempted to access suspicious domains: 121.201.61.205 |
Access Suspicious Domain, Outgoing Connection |
Process /root/nginx scanned port 2222 on 40 IP Addresses |
Port 22 Scan, Port 2222 Scan |
The file /usr/bin/free was downloaded and executed 2 times |
Download and Execute |
The file /usr/bin/uptime was downloaded and executed |
Download and Execute |
The file /root/php-fpm was downloaded and executed 85 times |
Download and Execute |
The file /root/php-fpm was downloaded and granted execution privileges |
Download and Allow Execution |
The file /root/php-fpm was downloaded and executed 30 times |
Download and Execute |
The file /root/php-fpm was downloaded and executed 32 times |
Download and Execute |
The file /root/php-fpm was downloaded and executed 6 times |
Download and Execute |
The file /root/php-fpm was downloaded and executed 8 times |
Download and Execute |
Connection was closed due to timeout |
|