IP Address: 138.197.103.195 - Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner
Services Targeted: HadoopYARN
Tags: HTTP, Log Tampering, HadoopYARN, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Access Suspicious Domain, Download File, Inbound HTTP Request, Service Stop

Associated Attack Servers

steck.cc


Basic Information

IP Address: 138.197.103.195
Domain: -
ISP: Digital Ocean
Country: United States

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-10-07
Last seen in Guardicore Centra: 2018-10-27


Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: steck.cc:80 [Outgoing Connection]
Process /usr/bin/wget attempted to access suspicious domains: steck.cc [Outgoing Connection, Access Suspicious Domain]
The file /tmp/mysql.sock.lock was downloaded and granted execution privileges
The file /tmp/Trio.x86 was downloaded and executed 515 times [Download and Execute]
Process /tmp/Trio.x86 generated outgoing network traffic to: steck.cc:23 and 81.4.101.221:23 [Outgoing Connection]
Process /tmp/Trio.x86 attempted to access suspicious domains: steck.cc [Outgoing Connection, Access Suspicious Domain]
IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body [IDS - Web Application Attack]
Service iptables was stopped 41 times [Service Stop]
Service firewalld was stopped 41 times [Service Stop]
Log File Tampering detected from /bin/rm on the following logs: /var/log/apt/apt.log, /var/log/dmesg, /var/log/faillog, /var/log/dpkg.log, /var/log/apt/term.log, /var/log/apt/history.log, /var/log/alternatives.log, /var/log/btmp, /var/log/fsck/checkroot, /var/log/lastlog, /var/log/wtmp, /var/log/bootstrap.log and /var/log/fsck/checkfs [Log Tampering]
The file /bin/rm was downloaded and executed 3 times [Download and Execute]
The file /sbin/xtables-multi was downloaded and executed [Download and Execute]
The file /usr/bin/pgrep was downloaded and executed 3 times [Download and Execute]
The file /usr/local/bin/dash was downloaded and executed [Download and Execute]
Connection was closed due to timeout

Associated Files

File             | SHA256                                                           | Size (bytes)
/tmp/TrioSec.x86 | 4afbb25a82cf8909f7d8b24484aaa272c442077b3dc73664a47b6a2c87e501ed | 99157
/tmp/TrioSec.x86 | b8eca9942a81158fef96f0a81789957586ab249c2e1c8f408f20ad8f7f9eb3f3 | 11680
/tmp/Trio.x86    | 01ad20e86e33007f8c35918448408c77b182492686e40c6b27823e55d45aa728 | 108742
/tmp/Trio.x86    | 4e3fffe6d79623b03eee5457095683937965cee8400c427c669bec985d89ad68 | 99125
/tmp/Trio.x86    | 015c112129249943c350daf046e8f47179af1af92b7f1e4e094ef8892f6ab0b2 | 11678
/tmp/Trio.x86    | 9aa86f35c6437818c01d845feb1e5985f4f060a598ab33b84c561f848c334c1c | 26286
/tmp/Trio.x86    | 24ff2572cd101f9d081f9ef819c031187297f32d82ce81c9e46c045d83df385b | 54173
/tmp/Trio.x86    | c8506a98c2ddec51e07ad20124471fe2aaf5d0d2da69f2fbd38854ce023b39c3 | 36909
/tmp/Trio.x86    | 83a2c9894d26e17b9116c3091c68e3008470ab9a5f8b04b42bd4ccf13578606a | 82062
/tmp/TrioSec.x86 | ce71a21a1c246280ab3a29f2dc44f94dd99a79f6bb26896811629b4ea5a4b797 | 108742
/tmp/TrioSec.x86 | 064c530bb0cfb2899dcf0757bdad33f80fab08fa0502d690fc84bbe70daf2d41 | 11679
