IP Address: 139.226.207.253 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Port 2222 Scan, Port 22 Scan, Port 1234 Scan, SSH, Listening, 2 Shell Commands, SCP, Outgoing Connection, Port 8080 Scan, Superuser Operation, Download and Allow Execution, Successful SSH Login, Download and Execute, Download File, Access Suspicious Domain
Associated Attack Servers: mycingular.net, timbrasil.com.br, 7.114.123.188, 10.33.0.9, 31.131.72.224, 44.166.188.21, 65.74.81.243, 82.136.28.226, 103.90.177.102, 107.245.37.50, 123.132.238.210, 142.17.92.172, 161.35.79.199, 161.70.98.32, 172.64.200.11, 172.64.201.11, 177.166.118.150, 206.189.25.255, 209.216.177.158, 222.165.136.99
IP Address: 139.226.207.253
Domain: -
ISP: CHINA UNICOM Shanghai city network
Country: China
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-10-07
Last seen in Akamai Guardicore Segmentation: 2022-10-19
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /root/ifconfig was downloaded and executed 6 times | Download and Execute
The file /root/apache2 was downloaded and executed 37 times | Download and Execute
Process /root/ifconfig scanned port 1234 on 12 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 22 on 12 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 8080 on 12 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 2222 on 12 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 1234 on 18 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 1234 on 27 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 1234 on 24 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /usr/sbin/sshd scanned port 1234 on 12 IP Addresses 2 times | Port 1234 Scan
Process /root/ifconfig scanned port 22 on 18 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 8080 on 18 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 2222 on 18 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 22 on 27 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 22 on 24 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig generated outgoing network traffic to: 101.42.90.177:1234, 102.31.9.164:2222, 103.90.177.102:1234, 107.245.37.50:80, 107.245.37.50:8080, 107.47.31.21:22, 113.14.234.97:2222, 114.210.95.192:22, 114.252.50.94:22, 117.80.212.33:1234, 124.115.231.214:1234, 129.212.114.55:8080, 130.45.137.97:22, 130.91.70.53:2222, 138.52.222.34:2222, 139.32.6.189:8080, 140.63.245.66:8080, 142.17.92.172:80, 143.17.169.121:8080, 144.114.150.23:2222, 145.42.127.88:2222, 146.173.153.169:22, 157.28.13.82:8080, 160.39.61.38:2222, 161.107.113.27:1234, 161.89.234.60:2222, 162.42.118.164:2222, 164.138.175.248:22, 165.93.42.148:22, 169.116.194.97:2222, 171.126.138.118:22, 172.64.162.15:443, 172.64.163.15:443, 173.251.245.70:2222, 174.197.172.66:2222, 177.166.118.150:80, 184.103.67.92:2222, 191.97.41.106:8080, 213.160.84.27:8080, 215.60.152.83:8080, 218.6.96.233:8080, 22.32.112.183:22, 220.106.37.156:2222, 220.172.180.52:2222, 222.134.240.92:1234, 222.165.136.99:1234, 222.27.80.155:2222, 23.70.251.50:8080, 240.142.251.1:8080, 243.208.168.193:2222, 249.132.197.29:8080, 249.48.224.182:2222, 25.35.162.87:2222, 27.157.61.190:22, 27.160.179.188:22, 3.6.204.152:8080, 31.131.72.224:80, 31.131.72.224:8080, 31.72.123.208:2222, 35.200.49.2:22, 44.166.188.21:80, 44.166.188.21:8080, 46.216.49.106:2222, 49.233.159.222:1234, 51.178.139.197:22, 51.75.146.174:443, 58.33.124.52:8080, 59.43.111.166:8080, 62.12.106.5:1234, 63.4.46.141:2222, 65.74.81.243:80, 65.74.81.243:8080, 68.45.198.217:22, 69.182.161.118:8080, 7.114.123.188:80, 7.114.123.188:8080, 74.123.201.222:2222, 76.237.163.141:8080, 77.137.159.197:22, 82.1.155.125:8080, 82.136.28.226:80, 82.136.28.226:8080, 82.70.152.12:8080, 85.105.82.39:1234, 86.124.217.167:8080, 9.231.214.122:2222, 96.224.2.104:22, 97.247.81.230:8080 and 98.193.251.3:22 | Outgoing Connection
Process /root/ifconfig started listening on ports: 1234, 8081 and 8187 | Listening
Process /root/ifconfig attempted to access suspicious domains: gci.net, mycingular.net and timbrasil.com.br | Access Suspicious Domain, Outgoing Connection
The file /etc/ifconfig was downloaded and granted execution privileges | Download and Allow Execution
Process /root/ifconfig scanned port 8080 on 27 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 2222 on 27 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 8080 on 24 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Process /root/ifconfig scanned port 2222 on 24 IP Addresses | Port 1234 Scan, Port 22 Scan, Port 8080 Scan, Port 2222 Scan
Connection was closed due to user inactivity |
|
Downloaded file: /var/tmp/ifconfig
SHA256: 366408b99e3165dd170cf29c44e8ae63ec7d8e45052c0ca2f894c20e7243fcf0
Size: 3090368 bytes