IP Address: 13.71.5.54 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Access Suspicious Domain, SSH, New SSH Key, SSH Brute Force, Successful SSH Login, Download and Execute, Outgoing Connection
Associated Attack Servers: 23.55.220.59, 34.236.80.17, 39.104.166.233, 39.105.208.94, 47.100.57.138, 47.102.100.34, 47.105.244.235, 47.111.5.229, 49.234.197.216, 49.235.86.47, 61.32.6.22, 66.171.248.178, 68.183.186.25, 101.200.50.114, 101.201.208.164, 106.13.94.51, 106.13.189.64, 106.52.129.44, 106.52.254.33, 106.54.0.80, 111.0.97.111, 111.229.129.150, 111.230.251.247, 111.231.197.120, 115.159.220.112, 116.202.244.153, 117.73.13.151, 118.24.4.240, 118.190.164.156
IP Address: 13.71.5.54
Domain: -
ISP: Microsoft Corporation
Country: India
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2020-06-06
Last seen in Akamai Guardicore Segmentation: 2020-07-01
Event: A user logged in using SSH with the following credentials: root / ******** - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)
Tags: SSH Brute Force, Successful SSH Login

Event: The file /usr/bin/zrgkru was downloaded and executed 45 times
Tags: Download and Execute

Event: Process /usr/bin/zrgkru generated outgoing network traffic to: 1.1.1.1:53, 101.200.50.114:29210, 101.201.208.164:46531, 106.13.189.64:34419, 106.13.94.51:38049, 106.52.129.44:45494, 106.52.254.33:36337, 106.54.0.80:34630, 111.0.97.111:36054, 111.229.129.150:39635, 111.230.251.247:34911, 111.231.197.120:43572, 115.159.220.112:47655, 116.202.244.153:80, 117.73.13.151:45223, 118.190.164.156:37953, 118.24.4.240:42677, 120.92.104.149:28127, 122.51.255.138:44441, 122.51.68.129:42647, 122.51.80.13:42906, 123.178.246.50:10896, 123.56.140.42:46271, 123.57.42.17:43448, 125.78.15.36:34801, 129.204.182.138:39274, 129.226.187.176:38300, 175.24.81.38:34048, 176.58.123.25:80, 180.108.64.5:44619, 182.208.254.179:43536, 208.67.222.222:443, 216.239.32.21:80, 216.239.34.21:80, 218.29.54.177:34759, 23.55.220.59:80, 34.236.80.17:80, 39.104.166.233:45729, 39.105.208.94:37139, 47.100.57.138:42415, 47.102.100.34:45011, 47.105.244.235:39724, 47.111.5.229:39850, 49.234.197.216:40909, 49.235.86.47:45011, 61.32.6.22:39471, 66.171.248.178:80 and 68.183.186.25:8000
Tags: Outgoing Connection

Event: Process /usr/bin/zrgkru attempted to access suspicious domains: adsl, icanhazip.com, ident.me and one.one
Tags: Access Suspicious Domain, Outgoing Connection

Connection was closed due to timeout

Event: An attempt to download /root/.ssh/authorized_keys was made 16 times
Tags: New SSH Key