IP Address: 138.197.103.195 (Previously Malicious)
This IP address attempted an attack on a machine protected by Guardicore Centra
Role | Attacker, Scanner
Services Targeted | HadoopYARN
Tags | HTTP, Log Tampering, HadoopYARN, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Access Suspicious Domain, Download File, Inbound HTTP Request, Service Stop
Associated Attack Servers | 52.174.52.111, 13.81.11.198, 13.94.211.122, 52.176.49.220, 104.40.157.159, 52.165.39.199, 52.178.117.234, 52.173.79.152, 52.173.80.33, 13.93.88.147, 13.92.238.45, 13.90.100.161, 40.68.86.94, 13.82.52.9, 52.173.243.215, 52.170.98.243, 52.173.192.89, 52.173.132.185, 52.186.120.217, 52.176.57.55, 40.71.227.128, 40.69.187.243, 104.41.149.18, 52.173.20.209, 81.4.101.221, 104.248.35.116, 40.68.123.235, 52.173.197.115, 52.174.53.10, 52.173.83.168
IP Address | 138.197.103.195
Domain | -
ISP | Digital Ocean
Country | United States
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Guardicore Centra | 2018-10-07
Last seen in Guardicore Centra | 2018-10-27
Event | Tags
Process /usr/bin/wget generated outgoing network traffic to: steck.cc:80 | Outgoing Connection
Process /usr/bin/wget attempted to access suspicious domains: steck.cc | Access Suspicious Domain, Outgoing Connection
The file /tmp/mysql.sock.lock was downloaded and granted execution privileges | -
The file /tmp/Trio.x86 was downloaded and executed 515 times | Download and Execute
Process /tmp/Trio.x86 generated outgoing network traffic to: steck.cc:23 and 81.4.101.221:23 | Outgoing Connection
Process /tmp/Trio.x86 attempted to access suspicious domains: steck.cc | Access Suspicious Domain, Outgoing Connection
IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body | IDS - Web Application Attack
Service iptables was stopped 41 times | Service Stop
Service firewalld was stopped 41 times | Service Stop
Log File Tampering detected from /bin/rm on the following logs: /var/log/apt/apt.log, /var/log/dmesg, /var/log/faillog, /var/log/dpkg.log, /var/log/apt/term.log, /var/log/apt/history.log, /var/log/alternatives.log, /var/log/btmp, /var/log/fsck/checkroot, /var/log/lastlog, /var/log/wtmp, /var/log/bootstrap.log and /var/log/fsck/checkfs | Log Tampering
The file /bin/rm was downloaded and executed 3 times | Download and Execute
The file /sbin/xtables-multi was downloaded and executed | Download and Execute
The file /usr/bin/pgrep was downloaded and executed 3 times | Download and Execute
The file /usr/local/bin/dash was downloaded and executed | Download and Execute
Connection was closed due to timeout | -