IP Address: 14.139.161.246 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution
Associated Attack Servers: 1.14.166.163, 18.212.180.57, 35.148.154.122, 36.238.147.226, 47.37.138.79, 48.150.176.199, 52.3.186.224, 54.136.46.145, 62.195.147.111, 80.14.122.122, 81.70.147.119, 82.157.131.41, 82.161.4.197, 83.106.127.38, 88.81.100.162, 101.43.170.250, 103.152.119.126, 120.232.251.85, 122.14.222.124, 124.222.218.129, 136.187.191.34, 142.168.124.240, 152.136.145.180, 170.18.57.192, 181.112.223.89, 186.120.162.55, 190.205.132.53
IP Address: 14.139.161.246
Domain: -
ISP: National Informatics Centre
Country: India
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-20
Last seen in Akamai Guardicore Segmentation: 2022-04-23
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
- Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
- Download File: /dev/shm/ifconfig was downloaded
- Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 5 times
- Superuser Operation: A possibly malicious Superuser Operation was detected 6 times
- Download and Execute: The file /tmp/ifconfig was downloaded and executed 5 times
- Download and Execute: The file /tmp/apache2 was downloaded and executed 142 times
- Outgoing Connection: Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 101.43.170.250:1234, 103.233.162.189:2222, 103.56.113.37:1234, 104.21.25.86:443, 105.184.88.211:22, 109.137.148.223:22, 111.166.186.134:22, 119.13.213.217:80, 119.13.213.217:8080, 121.101.71.98:80, 121.101.71.98:8080, 121.5.55.26:1234, 13.145.131.10:80, 13.145.131.10:8080, 132.17.56.167:80, 132.17.56.167:8080, 133.96.111.32:2222, 141.171.211.163:80, 141.171.211.163:8080, 141.38.196.95:80, 141.38.196.95:8080, 142.250.191.228:443, 156.176.205.227:22, 163.123.181.132:1234, 17.173.186.20:80, 17.173.186.20:8080, 177.198.142.90:80, 177.198.142.90:8080, 178.1.236.135:80, 178.1.236.135:8080, 184.33.89.233:80, 184.33.89.233:8080, 195.165.37.143:80, 195.165.37.143:8080, 201.161.165.23:80, 201.161.165.23:8080, 204.59.195.66:80, 204.59.195.66:8080, 211.72.217.189:80, 211.72.217.189:8080, 214.144.14.177:80, 214.144.14.177:8080, 214.150.105.20:80, 214.150.105.20:8080, 219.240.155.202:80, 219.240.155.202:8080, 22.132.55.240:2222, 240.216.26.108:80, 240.216.26.108:8080, 246.39.59.30:80, 246.39.59.30:8080, 252.159.97.60:2222, 253.181.198.123:80, 253.181.198.123:8080, 32.142.139.98:2222, 33.5.31.234:80, 33.5.31.234:8080, 34.14.184.253:80, 34.14.184.253:8080, 4.107.176.99:80, 4.107.176.99:8080, 47.113.190.219:1234, 50.103.243.155:80, 50.103.243.155:8080, 50.114.56.230:22, 51.75.146.174:443, 57.201.213.62:22, 60.141.139.77:80, 60.141.139.77:8080, 65.5.118.248:80, 65.5.118.248:8080, 68.70.232.68:22, 75.31.170.126:80, 75.31.170.126:8080, 78.189.25.224:1234, 79.38.35.84:80, 79.38.35.84:8080, 8.204.194.152:80, 8.204.194.152:8080, 8.8.4.4:443, 8.8.8.8:443, 81.70.92.205:1234, 85.134.142.67:2222, 90.93.36.111:80, 90.93.36.111:8080, 95.250.154.147:80, 95.250.154.147:8080, 95.41.8.8:80 and 95.41.8.8:8080
- Listening: Process /tmp/ifconfig started listening on ports: 1234, 8082 and 8189
- Port 80 Scan, Port 8080 Scan: Process /tmp/ifconfig scanned port 80 on 32 IP Addresses 2 times
- Port 80 Scan, Port 8080 Scan: Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses 2 times
- Access Suspicious Domain, Outgoing Connection: Process /tmp/ifconfig attempted to access suspicious domains: online.tj.cn and telkomsa.net
- Download File: ./ifconfig was downloaded
- Download and Execute: The file /tmp/php-fpm was downloaded and executed 15 times
- Download and Execute: The file /tmp/php-fpm was downloaded and executed 12 times
- Download and Execute: The file /tmp/php-fpm was downloaded and executed 15 times
- Download and Execute: The file /tmp/php-fpm was downloaded and executed 4 times
- Download and Execute: The file /tmp/php-fpm was downloaded and executed 3 times
- Download and Execute: The file /root/ifconfig was downloaded and executed 5 times
- Download and Execute: The file /root/apache2 was downloaded and executed 26 times
- Listening: Process /root/apache2 started listening on ports: 1234, 8081 and 8181
- System File Modification: System file /etc/ifconfig was modified 9 times
- System File Modification: System file /etc/apache2 was modified 4 times
- Download and Execute: The file /etc/ifconfig was downloaded and executed 5 times
- Download and Execute: The file /etc/apache2 was downloaded and executed 27 times
- Listening: Process /etc/apache2 started listening on ports: 1234, 8085 and 8188
- Connection was closed due to timeout
|
/var/tmp/php-fpm (2875664 bytes), SHA256: 10aaadaf66ae0b4f687aa7239e1b0b6959973c5d0c973a7a34db0ac78f070078
/var/tmp/php-fpm (2875940 bytes), SHA256: d9ee6cbbc40b3b337e3af157b14a1e7ac276c9f27c2efcd8daa21ded4bd810b6