IP Address: 123.13.152.56Previously Malicious
IP Address: 123.13.152.56Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
|
Role |
Attacker, Scanner |
|
Services Targeted |
SCP SSH |
|
Tags |
SSH Superuser Operation Successful SSH Login Download and Execute Download and Allow Execution |
|
Associated Attack Servers |
6.12.95.186 13.23.207.165 13.117.217.221 32.84.97.249 42.194.138.246 45.142.122.215 55.229.102.168 77.239.3.1 89.58.19.34 101.42.108.123 123.13.157.67 150.158.55.250 155.192.211.66 156.23.111.71 204.196.189.95 211.248.13.251 221.191.150.148 223.171.79.70 |
|
IP Address |
123.13.152.56 |
|
|
Domain |
- |
|
|
ISP |
China Unicom Liaoning |
|
|
Country |
China |
|
|
WHOIS |
Created Date |
- |
|
Updated Date |
- |
|
|
Organization |
- |
|
|
First seen in Akamai Guardicore Segmentation |
2022-03-26 |
|
Last seen in Akamai Guardicore Segmentation |
2022-03-29 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
|
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
|
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
|
The file /tmp/apache2 was downloaded and executed 200 times |
Download and Execute |
|
Process /tmp/ifconfig generated outgoing network traffic to: 101.227.60.29:22, 104.21.25.86:443, 104.248.36.230:1234, 106.130.146.16:80, 106.130.146.16:8080, 107.175.215.247:1234, 109.29.9.235:80, 109.29.9.235:8080, 11.49.182.212:80, 11.49.182.212:8080, 119.154.200.200:80, 119.154.200.200:8080, 120.136.134.153:1234, 123.13.155.101:1234, 123.229.144.248:2222, 136.20.92.172:80, 136.20.92.172:8080, 137.62.118.39:2222, 140.98.25.144:2222, 143.58.79.36:22, 145.80.154.42:2222, 152.135.3.1:80, 152.135.3.1:8080, 152.206.107.173:80, 152.206.107.173:8080, 159.106.166.107:22, 161.155.16.102:80, 161.155.16.102:8080, 166.174.132.127:80, 166.174.132.127:8080, 170.217.59.118:80, 170.217.59.118:8080, 172.67.133.228:443, 175.211.178.116:80, 175.211.178.116:8080, 183.1.53.4:80, 183.1.53.4:8080, 19.128.68.248:22, 190.60.239.44:1234, 194.14.49.108:80, 194.14.49.108:8080, 206.189.25.255:1234, 218.61.173.147:2222, 220.252.83.30:22, 221.217.55.27:80, 221.217.55.27:8080, 223.160.231.210:80, 223.160.231.210:8080, 242.242.229.162:80, 242.242.229.162:8080, 243.1.78.212:80, 243.1.78.212:8080, 245.115.249.249:80, 245.115.249.249:8080, 250.224.128.245:22, 250.36.89.225:22, 29.16.79.56:80, 29.16.79.56:8080, 36.177.43.92:80, 36.177.43.92:8080, 42.193.137.44:1234, 42.7.132.63:22, 44.236.203.85:80, 44.236.203.85:8080, 51.225.34.206:80, 51.225.34.206:8080, 51.75.146.174:443, 6.136.145.58:80, 6.136.145.58:8080, 6.241.93.142:80, 6.241.93.142:8080, 6.52.121.199:80, 6.52.121.199:8080, 7.114.123.136:80, 7.114.123.136:8080, 75.88.183.150:80, 75.88.183.150:8080, 83.64.183.97:80, 83.64.183.97:8080, 84.210.121.221:80, 84.210.121.221:8080, 87.245.237.41:80, 87.245.237.41:8080, 9.71.182.208:2222, 91.197.70.206:2222, 95.209.202.117:80, 95.209.202.117:8080, 97.190.51.236:80 and 97.190.51.236:8080 |
Outgoing Connection |
|
Process /tmp/ifconfig started listening on ports: 1234, 8087 and 8189 |
Listening |
|
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses 2 times |
Port 80 Scan Port 8080 Scan |
|
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses 2 times |
Port 80 Scan Port 8080 Scan |
|
Process /tmp/ifconfig attempted to access suspicious domains: adsl, dsnet and melexa.com |
Access Suspicious Domain Outgoing Connection |
|
The file /usr/bin/uptime was downloaded and executed |
Download and Execute |
|
The file /tmp/php-fpm was downloaded and executed 48 times |
Download and Execute |
|
The file /tmp/php-fpm was downloaded and executed |
Download and Execute |
|
Connection was closed due to timeout |
|
© 2023 Akamai Technologies