IP Address: 149.202.52.44 - Previously Malicious



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner

Services Targeted: SSH

Tags: Successful SSH Login, Download and Allow Execution, Download and Execute, Malicious File, Outgoing Connection, Access Suspicious Domain, 8 Shell Commands, Bulk Files Tampering, DNS Query, SSH, Download Operation, HTTP, Download File

Associated Attack Servers

Domains and hostnames: scaleway.com, r9x7.com, ip-87-98-185.eu, mirc.serveirc.com, deltahost-ptr, noitel.it, actcorp.in, ip-8-43-87-242

IP addresses: 78.4.254.161, 8.43.87.242, 216.178.226.25, 87.98.185.221, 106.51.33.132, 176.107.177.69, 163.172.154.66, 104.28.30.13

Basic Information

IP Address: 149.202.52.44
Domain: -
ISP: OVH SAS
Country: France

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-03-21
Last seen in Guardicore Centra: 2018-05-07


Attack Flow

Each event is listed with the Centra tag(s) assigned to it in brackets.

- A user logged in using SSH with the following credentials: mysql / ******** - Authentication policy: White List [Successful SSH Login]
- Process /usr/bin/wget generated outgoing network traffic to: ip-87-98-185.eu:80 [Outgoing Connection]
- Process /usr/bin/wget attempted to access suspicious domains: ip-87-98-185.eu [Outgoing Connection, Access Suspicious Domain]
- /tmp/.ssh/rs2new.tar.gz was downloaded [Download File]
- The file /home/mysql/.ttp/a/upd was downloaded and granted execution privileges [Download and Allow Execution]
- The file /tmp/.ssh/.rsync/c/dir.dir was downloaded and granted execution privileges [Download and Allow Execution]
- The file /tmp/.ssh/.rsync/c/run was downloaded and granted execution privileges [Download and Allow Execution]
- The file /tmp/.ssh/.rsync/c/watchdog was downloaded and granted execution privileges [Download and Allow Execution]
- The file /home/mysql/.ttp/a/config.txt was downloaded and granted execution privileges [Download and Allow Execution]
- The file /home/mysql/.ttp/a/dir.dir was downloaded and granted execution privileges [Download and Allow Execution]
- The file /home/mysql/.ttp/a/pools.txt was downloaded and granted execution privileges [Download and Allow Execution]
- The file /tmp/.ssh/.rsync/c/aptitude was downloaded and granted execution privileges [Download and Allow Execution]
- The file /tmp/.ssh/.rsync/c/n was downloaded and granted execution privileges [Download and Allow Execution]
- The file /home/mysql/.ttp/b/sync was downloaded and granted execution privileges [Download and Allow Execution]
- Process /usr/bin/perl attempted to access suspicious domains: mirc.serveirc.com [DNS Query, Outgoing Connection, Access Suspicious Domain]
- Process /usr/bin/perl generated outgoing network traffic to: noitel.it:6665 [Outgoing Connection]
- Process /usr/bin/wget generated outgoing network traffic to: 216.178.226.25:80 10 times [Outgoing Connection]
- /tmp/.ssh/.rsync/c/xtr was downloaded 10 times [Download File]
- Process /usr/bin/wget generated outgoing network traffic to: actcorp.in:80 6 times [Outgoing Connection]
- An attempt was made to access suspicious domain r9x7.com 10 times [Access Suspicious Domain]
- The file /tmp/.ssh/.rsync/c/tsm was downloaded and executed 10 times [Download and Execute]
- Process /usr/bin/wget generated outgoing network traffic to: deltahost-ptr:80 12 times [Outgoing Connection]
- Process /usr/bin/wget attempted to access suspicious domains: deltahost-ptr 12 times [Outgoing Connection, Access Suspicious Domain]
- /tmp/.ssh/.rsync/c/p was downloaded 7 times [Download File]
- Process /usr/bin/wget generated outgoing network traffic to: ip-8-43-87-242:80 2 times [Outgoing Connection]
- Process /usr/bin/wget attempted to access suspicious domains: ip-8-43-87-242 2 times [Outgoing Connection, Access Suspicious Domain]
- Connection was closed due to timeout
- /tmp/.ssh/.rsync/a/x86/xmrigMiner was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Maldoc Somerules and Crypto Signatures [Malicious File]
- /home/mysql/.ttp/a/stak/libxmr-stak-backend.a was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Maldoc Somerules, Packer Compiler Signatures and Crypto Signatures [Malicious File]
- /home/mysql/.ttp/a/stak/libOpenCL.so.1 was identified as malicious by YARA according to rules: Malw Miscelanea Linux [Malicious File]
- /home/mysql/.ttp/a/stak/libc.so.6 was identified as malicious by YARA according to rules: Malw Miscelanea Linux [Malicious File]
- /home/mysql/.ttp/a/x86/config.json was identified as malicious by YARA according to rules: Packer Compiler Signatures [Malicious File]
- /home/mysql/.ttp/a/stak/libxmr-stak-c.a was identified as malicious by YARA according to rules: Packer Compiler Signatures [Malicious File]
- /home/mysql/.ttp/a/x86/xmrigMiner was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Maldoc Somerules and Crypto Signatures [Malicious File]
- /tmp/.ssh/.rsync/a/stak/libcrypto.so.1.0.0 was identified as malicious by YARA according to rules: Malw Miscelanea Linux and Crypto Signatures [Malicious File]
- /tmp/.ssh/.rsync/a/x86/config.json was identified as malicious by YARA according to rules: Packer Compiler Signatures [Malicious File]
- /tmp/.ssh/.rsync/a/stak/libOpenCL.so.1 was identified as malicious by YARA according to rules: Malw Miscelanea Linux [Malicious File]
- Process /bin/tar performed bulk changes in {/} on 65 files [Bulk Files Tampering]
- Process /bin/cp performed bulk changes in {/home/mysql/.ttp} on 33 files [Bulk Files Tampering]

Associated Files

/tmp/.ssh/rs2new.tar.gz

SHA256: 57e6ae08faa6b2aaa197e5b9cbb7085dd4c67df12e5367278437949cb4ad2d9a

45230080 bytes

/home/mysql/.ttp/a/upd

SHA256: b24212ed34e5925d6300599f8c4e8efb50cca6699528b14d16c7f2688eee96c7

190 bytes

/tmp/.ssh/.rsync/c/run

SHA256: 93abca8624cd289481fe5a62b04984b91578b93f6bda61237bb13d5b51c13bac

172 bytes

/tmp/.ssh/.rsync/c/aptitude

SHA256: 43af4e61abbf744e352582ced95176e434b80851bbc581bd58cd6e72cad2ea57

50 bytes

/tmp/.ssh/.rsync/c/ip

SHA256: 1500fb0388f4f7e5555f3bad2f1f8e95ce171a53eecad84f94b548e656ce29b4

263144 bytes

/tmp/.ssh/.rsync/c/p

SHA256: 98a45ff5a032153d1458307763372fff7768863d2478b76b31b7948596bf1e46

143 bytes

/tmp/.ssh/.rsync/c/ip

SHA256: 9478c3671172542927e06aecefe62ae56fe0b0b1d94988d0209317f0532c3352

263093 bytes

/tmp/.ssh/.rsync/c/ip

SHA256: 392d084782a6350f063b3c45c6c791f72e1a7891ae6cc3caf23bc23d5648de5c

261731 bytes

/tmp/.ssh/.rsync/c/ip

SHA256: e25405440e47d928d1c384198ddfeec85af4d33b05dbc40a15c17e223a698557

260652 bytes

/tmp/.ssh/.rsync/c/ip

SHA256: 1424ea067c439fa0f09141f735438518b575d7413d2ea8376d0c3d698250bb87

261873 bytes

/tmp/.ssh/.rsync/c/ip

SHA256: 9f6bd6814aea58b96711caaf9d5289f83445f5344d9e280cff5004672610132f

263287 bytes

/tmp/.ssh/.rsync/c/ip

SHA256: 4591dd8933c8c2ee7e84b06736ded705ee43c539ca7ceeaba96439df1c820489

263200 bytes

/tmp/.ssh/.rsync/c/ip

SHA256: 3401fd0d170e120482b6d5e8cd1a8795529f4b4c33d216f1d6a411d4ed3709c6

262606 bytes
