IP Address: 144.91.98.84 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SCP, SSH
Tags: Superuser Operation, Listening, Outgoing Connection, SCP, 2 Shell Commands, Port 8080 Scan, Port 80 Scan, Access Suspicious Domain, Port 2222 Scan, Successful SSH Login, SSH, Download File
Associated Attack Servers: 1.208.187.18, 6.176.19.48, 14.86.167.115, 15.228.9.24, 19.195.173.110, 20.141.185.205, 22.196.187.197, 23.94.56.185, 23.238.226.87, 35.85.93.236, 42.194.138.246, 44.29.112.81, 47.112.205.162, 50.18.112.214, 52.57.86.165, 52.236.133.183, 53.202.15.221, 59.108.161.109, 60.151.163.113, 61.2.141.136, 72.231.123.64, 73.245.236.71, 81.70.93.65, 82.157.50.152, 83.143.151.183, 84.1.28.117, 88.187.240.247, 92.28.201.23, 94.23.211.110, 103.90.177.102
IP Address: 144.91.98.84
Domain: -
ISP: Mills College
Country: Germany
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-02-20
Last seen in Akamai Guardicore Segmentation: 2022-03-20
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
Process /dev/shm/apache2 generated outgoing network traffic to: 104.170.34.243:80, 104.170.34.243:8080, 104.21.25.86:443, 104.69.161.203:80, 104.69.161.203:8080, 111.53.234.32:2222, 114.50.225.116:80, 114.50.225.116:8080, 12.139.158.6:80, 12.139.158.6:8080, 124.94.164.106:80, 124.94.164.106:8080, 128.68.193.8:2222, 138.2.83.98:1234, 139.236.175.148:80, 139.236.175.148:8080, 141.166.81.24:2222, 144.91.98.84:1234, 150.107.95.20:1234, 152.197.96.235:80, 152.197.96.235:8080, 156.110.44.77:80, 156.110.44.77:8080, 161.243.238.127:80, 161.243.238.127:8080, 164.126.31.89:80, 164.126.31.89:8080, 164.226.78.150:2222, 166.138.114.80:80, 166.138.114.80:8080, 172.67.133.228:443, 180.128.159.96:80, 180.128.159.96:8080, 183.213.26.13:1234, 184.46.101.90:80, 184.46.101.90:8080, 186.234.70.236:80, 186.234.70.236:8080, 187.194.236.224:80, 187.194.236.224:8080, 19.195.173.110:22, 190.60.239.44:1234, 193.63.2.78:80, 193.63.2.78:8080, 194.137.159.150:80, 194.137.159.150:8080, 196.103.155.194:80, 196.103.155.194:8080, 203.187.184.135:80, 203.187.184.135:8080, 21.151.54.231:2222, 21.250.184.63:2222, 23.94.56.185:1234, 243.128.223.73:2222, 248.207.70.7:22, 249.156.5.21:80, 249.156.5.21:8080, 250.17.242.68:2222, 250.231.232.99:80, 250.231.232.99:8080, 28.41.8.58:2222, 35.85.93.236:22, 4.29.213.252:80, 4.29.213.252:8080, 51.169.140.112:80, 51.169.140.112:8080, 51.75.146.174:443, 53.14.100.46:80, 53.14.100.46:8080, 53.169.251.44:80, 53.169.251.44:8080, 54.191.94.128:80, 54.191.94.128:8080, 55.144.28.22:80, 55.144.28.22:8080, 63.176.168.27:80, 63.176.168.27:8080, 69.187.139.214:80, 69.187.139.214:8080, 7.205.230.169:2222, 71.69.2.100:80, 71.69.2.100:8080, 72.153.190.146:2222, 81.188.221.217:80, 81.188.221.217:8080, 81.25.20.57:80, 81.25.20.57:8080, 82.157.50.152:1234 and 90.216.3.15:2222 |
Outgoing Connection |
Process /dev/shm/apache2 started listening on ports: 1234, 8083 and 8181 |
Listening |
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses 2 times
Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 80 on 12 IP Addresses
Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses 2 times
Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 2222 on 32 IP Addresses 2 times
Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 12 IP Addresses
Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 2222 on 12 IP Addresses
Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 attempted to access suspicious domains: melexa.com
Access Suspicious Domain, Outgoing Connection
Connection was closed due to timeout |