IP Address: 123.130.112.42 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP, SSH |
Tags |
Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution |
Associated Attack Servers |
Majordomo.ru, ntust.edu.tw, pikara.ne.jp, upc.nl, 12.23.46.220, 15.174.110.12, 21.252.172.221, 24.7.156.241, 25.193.125.103, 30.18.230.12, 31.206.231.234, 44.19.18.166, 45.230.66.96, 48.170.71.209, 49.92.95.169, 61.228.199.93, 82.156.30.27, 87.101.69.211, 89.114.23.79, 94.153.165.43, 99.103.62.134, 101.35.138.55, 110.42.198.77, 115.30.157.176, 119.62.29.168, 121.111.170.128, 122.14.222.124, 124.221.119.17, 125.44.36.222, 140.118.114.127, 143.92.90.174, 152.98.190.250, 153.112.127.159 |
IP Address |
123.130.112.42 |
Domain |
- |
ISP |
China Unicom Shandong |
Country |
China |
WHOIS |
Created Date |
- |
Updated Date |
- |
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-03-24 |
Last seen in Akamai Guardicore Segmentation |
2022-05-20 |
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. It generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password (seen 2 times) |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /tmp/ifconfig was downloaded and executed 3 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 200 times |
Download and Execute |
Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 101.33.228.162:1234, 101.42.238.68:1234, 101.42.238.68:22, 104.21.25.86:443, 113.176.83.159:1234, 113.176.83.159:22, 116.192.134.77:80, 116.192.134.77:8080, 124.11.165.253:443, 124.11.165.253:80, 124.11.165.253:8080, 125.77.90.28:1234, 137.137.243.158:80, 137.50.234.156:80, 142.250.191.228:443, 149.176.3.203:80, 165.160.127.228:80, 167.128.86.62:80, 175.82.218.197:80, 177.238.75.10:80, 180.242.205.161:80, 180.242.205.161:8080, 181.128.208.51:80, 19.213.187.112:80, 19.213.187.112:8080, 192.146.208.227:80, 199.100.55.203:80, 199.214.139.191:80, 200.191.33.10:80, 200.191.33.10:8080, 207.114.244.125:80, 207.114.244.125:8080, 212.107.83.33:80, 215.161.161.168:80, 215.161.161.168:8080, 241.47.136.113:80, 253.32.59.53:80, 26.137.134.116:80, 29.118.83.91:80, 39.42.147.230:80, 39.44.13.38:80, 39.44.13.38:8080, 40.55.182.121:80, 41.231.127.5:1234, 51.75.146.174:443, 53.218.204.93:80, 53.218.204.93:8080, 58.144.161.18:80, 58.144.161.18:8080, 64.245.44.115:80, 64.245.44.115:8080, 69.228.149.202:80, 79.250.103.100:80, 8.8.4.4:443, 8.8.8.8:443 and 82.44.182.169:80 |
Outgoing Connection |
Process /tmp/ifconfig started listening on ports: 1234, 8088 and 8186 |
Listening |
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses |
Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses |
Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig scanned port 80 on 11 IP Addresses |
Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig attempted to access suspicious domains: tfn.net.tw |
Access Suspicious Domain, Outgoing Connection |
Process /tmp/ifconfig scanned port 8080 on 11 IP Addresses |
Port 80 Scan, Port 8080 Scan |
The file /tmp/php-fpm was downloaded and executed 20 times |
Download and Execute |
Process /tmp/php-fpm generated outgoing network traffic to: 101.42.238.68:22 |
Outgoing Connection |
The file /tmp/php-fpm was downloaded and executed 23 times |
Download and Execute |
The file /tmp/php-fpm was downloaded and granted execution privileges |
Download and Allow Execution |
The file /tmp/php-fpm was downloaded and executed 12 times |
Download and Execute |
Connection was closed due to timeout |
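The timeline above shows one pattern repeated: a root SSH login, payloads dropped into /tmp under names that mimic system binaries (ifconfig, apache2, php-fpm), granted execute permission and run, after which the process opens listeners, calls out on ports 1234 and 22, and sweeps ports 80 and 8080 across many hosts. The script below is an added example, not Guardicore's code or anything this page ships: it parses a handful of event lines copied from this timeline into IOCs and triages them so the sweep noise and public-resolver lookups are separated from the few endpoints worth chasing. The resolver list, the web-sweep port set, the temp-directory list and the system-binary name list are this example's own assumptions.

```python
"""Parse sensor event lines like the ones on this page into IOCs and triage them.

Added example, not Guardicore's code. The SAMPLE_EVENTS strings are copied
from the page's timeline (abbreviated); the triage constants are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample input: event lines taken from the timeline above, shortened.
SAMPLE_EVENTS = [
    "The file /tmp/ifconfig was downloaded and executed 3 times",
    "The file /tmp/apache2 was downloaded and executed 200 times",
    "Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, "
    "101.42.238.68:1234, 101.42.238.68:22, 113.176.83.159:1234, 113.176.83.159:22, "
    "116.192.134.77:80, 116.192.134.77:8080, 241.47.136.113:80, 8.8.8.8:443 and 82.44.182.169:80",
    "Process /tmp/ifconfig started listening on ports: 1234, 8088 and 8186",
    "The file /tmp/php-fpm was downloaded and granted execution privileges",
    "Process /tmp/php-fpm generated outgoing network traffic to: 101.42.238.68:22",
]

# Triage assumptions (this example's own, not from the page).
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8", "8.8.4.4"}       # well-known public DNS, usually noise
WEB_SCAN_PORTS = {80, 8080}                                # the ports the timeline shows being swept
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")            # world-writable staging directories
SYSTEM_NAMES = {"ifconfig", "apache2", "php-fpm", "sshd", "cron", "kworker"}  # names worth masquerading as

_ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
_DOWNLOAD = re.compile(r"The file (\S+) was downloaded and (executed|granted execution privileges)")
_LISTEN = re.compile(r"Process (\S+) started listening on ports: (.+)")


def parse_endpoints(line):
    """Return [(ip, port), ...] from an 'outgoing network traffic to:' line."""
    if "outgoing network traffic to:" not in line:
        return []
    return [(ip, int(port)) for ip, port in _ENDPOINT.findall(line.split("to:", 1)[1])]


def parse_listeners(line):
    """Return (process, [ports]) from a 'started listening on ports' line, else None."""
    m = _LISTEN.match(line)
    if not m:
        return None
    return m.group(1), [int(p) for p in re.findall(r"\d+", m.group(2))]


def flag_staged_binary(line):
    """Flag a download-and-execute event whose path is a temp dir and whose
    basename mimics a system binary (the masquerading seen in this timeline)."""
    m = _DOWNLOAD.match(line)
    if not m:
        return None
    path = m.group(1)
    in_tmp = path.startswith(TEMP_DIRS)
    name = path.rsplit("/", 1)[-1]
    return {"path": path, "in_temp_dir": in_tmp, "masquerade": in_tmp and name in SYSTEM_NAMES}


def triage(endpoints):
    """Bucket endpoints: resolver noise, non-routable addresses (bogus sweep
    targets), the web sweep itself, and everything else, which is what an
    analyst reviews first (the 1234/22 connections here)."""
    buckets = defaultdict(set)
    ports_by_ip = defaultdict(set)
    for ip, port in endpoints:
        ports_by_ip[ip].add(port)
        if ip in PUBLIC_RESOLVERS:
            buckets["resolver"].add(ip)
        elif not ipaddress.ip_address(ip).is_global:
            buckets["non_global"].add(ip)
        elif port in WEB_SCAN_PORTS:
            buckets["web_sweep"].add(ip)
        else:
            buckets["review"].add(f"{ip}:{port}")
    # Hosts contacted on more than one non-web port are the strongest C2/staging candidates.
    buckets["multi_port"] = {ip for ip, ps in ports_by_ip.items() if len(ps - WEB_SCAN_PORTS) > 1}
    return {k: sorted(v) for k, v in buckets.items()}


def run(events=SAMPLE_EVENTS):
    """Parse every event line and return the triaged IOC summary."""
    endpoints = [ep for line in events for ep in parse_endpoints(line)]
    staged = [f for f in map(flag_staged_binary, events) if f]
    listeners = [l for l in map(parse_listeners, events) if l]
    return {"triage": triage(endpoints), "staged": staged, "listeners": listeners}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

Run against the full outgoing-connection line from the timeline, the "review" bucket shrinks to the handful of 1234/22/443 endpoints, and "multi_port" surfaces the hosts contacted on both 1234 and 22, one of which the /tmp/php-fpm stage also reached on port 22; the 240.0.0.0/4 addresses in the sweep fall into "non_global", a reminder that the scanner targets are random and not all of them are even routable.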