Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 129.204.137.82Previously Malicious

IP Address: 129.204.137.82Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

Download and Execute SSH Successful SSH Login Access Suspicious Domain Outgoing Connection New SSH Key

Associated Attack Servers

btcentralplus.com

3.209.205.43 23.223.159.192 36.224.81.148 37.44.244.229 45.9.188.72 47.96.234.84 47.100.35.108 47.103.214.241 49.235.129.112 49.235.130.36 49.235.231.166 50.116.37.115 58.218.204.13 66.171.248.178 71.57.39.2 103.77.166.38 103.145.191.161 106.12.29.87 106.54.218.3 106.125.161.186 107.170.192.159 107.182.190.58 111.229.66.87 116.62.63.6 116.202.55.106 119.27.170.197 120.24.246.118 121.40.174.89 122.51.138.77 123.194.80.147

Basic Information

IP Address

129.204.137.82

Domain

-

ISP

Tencent cloud computing

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2020-04-12

Last seen in Akamai Guardicore Segmentation

2020-05-09

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Reached Max Attempts

Successful SSH Login

The file /usr/bin/rqhdeb was downloaded and executed 46 times

Download and Execute

Process /usr/bin/rqhdeb generated outgoing network traffic to: 1.1.1.1:53, 103.145.191.161:58182, 103.77.166.38:44503, 106.12.29.87:39672, 106.125.161.186:28299, 106.54.218.3:44787, 107.170.192.159:37859, 107.182.190.58:41307, 111.229.66.87:33372, 116.202.55.106:80, 116.62.63.6:34978, 119.27.170.197:36614, 120.24.246.118:51887, 121.40.174.89:35691, 122.51.138.77:35400, 123.194.80.147:43020, 123.207.3.213:35391, 132.232.104.56:41091, 134.209.96.222:43083, 154.204.30.239:45055, 160.124.15.121:40750, 176.58.123.25:80, 178.128.108.158:43917, 181.48.129.148:44687, 182.208.254.179:33577, 185.193.38.221:34983, 202.72.202.104:37372, 206.81.5.154:8000, 208.67.222.222:443, 211.23.131.134:38080, 212.129.154.177:43973, 216.239.32.21:80, 216.239.34.21:80, 23.223.159.192:80, 3.209.205.43:80, 36.224.81.148:36429, 37.44.244.229:42589, 45.9.188.72:36895, 47.100.35.108:38193, 47.103.214.241:40370, 47.96.234.84:33131, 49.235.129.112:39358, 49.235.130.36:39977, 49.235.231.166:33311, 50.116.37.115:33773, 58.218.204.13:60396, 66.171.248.178:80 and 71.57.39.2:44315

Outgoing Connection

Process /usr/bin/rqhdeb attempted to access suspicious domains: icanhazip.com, kbronet.com.tw and one.one

Access Suspicious Domain Outgoing Connection

Connection was closed due to timeout

An attempt to download /root/.ssh/authorized_keys was made 25 times

New SSH Key