IP Address: 122.115.236.140Previously Malicious
IP Address: 122.115.236.140Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SSH |
Tags |
Successful SSH Login New SSH Key Download and Execute SSH Brute Force Access Suspicious Domain Outgoing Connection SSH |
Associated Attack Servers |
asianet.co.in hybs-pro.net ident.me inet.co.th 23.205.106.185 34.117.59.81 36.33.26.113 42.194.136.16 45.114.141.248 47.105.189.147 49.7.64.61 49.12.234.183 49.234.82.239 54.163.241.223 67.205.166.143 81.68.169.240 81.70.7.25 103.47.242.21 104.18.114.97 106.52.24.237 106.53.229.220 106.53.247.34 106.55.234.96 107.170.192.159 111.231.115.187 118.144.137.141 119.45.164.197 120.77.80.111 122.51.92.67 122.51.124.200 122.114.154.211 123.56.183.170 123.206.42.92 |
IP Address |
122.115.236.140 |
|
Domain |
- |
|
ISP |
CNISP-Union Technology (Beijing) Co. |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-05-09 |
Last seen in Akamai Guardicore Segmentation |
2022-05-09 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ******* - Authentication policy: White List (Part of a Brute Force Attempt) |
SSH Brute Force Successful SSH Login |
The file /usr/bin/cbhvwq was downloaded and executed 42 times |
Download and Execute |
Process /usr/bin/cbhvwq generated outgoing network traffic to: 1.1.1.1:53, 103.47.242.21:41730, 104.18.114.97:80, 106.52.24.237:39965, 106.53.229.220:35983, 106.53.247.34:36666, 106.55.234.96:36115, 107.170.192.159:8000, 111.231.115.187:37211, 118.144.137.141:36099, 118.144.137.141:43096, 119.45.164.197:43273, 120.77.80.111:46476, 122.114.154.211:42122, 122.51.124.200:41124, 122.51.92.67:40960, 123.206.42.92:46110, 123.56.183.170:8628, 129.28.170.215:34850, 140.143.236.44:33405, 157.250.156.35:40567, 202.88.241.181:52440, 203.150.95.65:33297, 208.67.222.222:443, 219.141.184.182:49287, 23.205.106.185:80, 34.117.59.81:80, 36.33.26.113:40799, 42.194.136.16:35756, 45.114.141.248:47451, 47.105.189.147:35676, 49.12.234.183:80, 49.234.82.239:42336, 49.7.64.61:33650, 54.163.241.223:80, 67.205.166.143:33023, 81.68.169.240:35161 and 81.70.7.25:38655 |
Outgoing Connection |
Process /usr/bin/cbhvwq attempted to access suspicious domains: asianet.co.in, bjtelecom.net, cnuninet.net, googleusercontent.com, hybs-pro.net, ident.me and inet.co.th |
Access Suspicious Domain Outgoing Connection |
Connection was closed due to timeout |
|
An attempt to download /root/.ssh/authorized_keys was made 9 times |
New SSH Key |
/usr/bin/cbhvwq |
SHA256: ced904acf53b1ac2700aba5a959ca8de7513bcfbc316fa7084070b9fb9615f69 |
3180988 bytes |