IP Address: 142.93.148.17 (Previously Malicious)



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

HadoopYARN

Tags

HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Download File, Inbound HTTP Request

Associated Attack Servers

40.71.96.87 13.82.182.9 52.166.20.128 13.81.14.95 52.232.33.74 104.47.140.62 13.73.160.230 68.183.134.187 13.73.167.164

Basic Information

IP Address

142.93.148.17

Domain

-

ISP

Digital Ocean

Country

Canada

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-11-04

Last seen in Guardicore Centra

2018-11-13


Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: 68.183.134.187:80 14 times

Outgoing Connection

The file /tmp/bins.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/ntpd was downloaded and granted execution privileges

Download and Allow Execution

/tmp/ntpd was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

The file /tmp/sshd was downloaded and granted execution privileges

Download and Allow Execution

/tmp/sshd was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/openssh was downloaded and granted execution privileges

Download and Allow Execution

/tmp/openssh was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/bash was downloaded and executed 3 times

Download and Execute

Process /tmp/bash generated outgoing network traffic to: 68.183.134.187:23

Outgoing Connection

The file /tmp/tftp was downloaded and granted execution privileges

Download and Allow Execution

/tmp/tftp was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/wget was downloaded and executed 2 times

Download and Execute

The file /tmp/cron was downloaded and granted execution privileges

Download and Allow Execution

/tmp/cron was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/ftp was downloaded and executed 2 times

Download and Execute

The file /tmp/pftp was downloaded and granted execution privileges

Download and Allow Execution

/tmp/pftp was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/sh was downloaded and granted execution privileges

Download and Allow Execution

/tmp/sh was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/[cpu] was downloaded and granted execution privileges

Download and Allow Execution

/tmp/[cpu] was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

The file /tmp/apache2 was downloaded and granted execution privileges

Download and Allow Execution

/tmp/apache2 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

Connection was closed due to user inactivity

/tmp/bash was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/tmp/ftp was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules

Malicious File

/tmp/wget was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules

Malicious File

Associated Files

