IP Address: 150.230.70.236 | Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP |
Tags |
System File Modification Scheduled Task Creation Listening Executable File Modification Outgoing Connection DNS Query SCP New SSH Key Access Suspicious Domain Service Configuration Download and Execute Port 2222 Scan 8 Shell Commands Successful SSH Login Port 22 Scan SSH Download File |
Associated Attack Servers |
bttracker.debian.org poneytelecom.eu 2.179.61.233 12.125.32.222 70.223.229.20 138.139.36.4 163.172.226.137 185.202.130.8 |
IP Address |
150.230.70.236 |
|
Domain |
- |
|
ISP |
Oracle Corporation |
|
Country |
United States |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2021-12-11 |
Last seen in Akamai Guardicore Segmentation |
2021-12-15 |
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
/usr/.work//.bash_history was downloaded |
Download File |
/usr/.work//.bashrc was downloaded |
Download File |
/usr/.work//work64 was downloaded |
Download File |
The file /usr/.work/work64 was downloaded and executed 43 times |
Download and Execute |
Process /usr/.work/work64 started listening on ports: 14747, 5060 and 8016 |
Listening |
Executable file /usr/bin/wget1 was modified |
Executable File Modification |
The file /tmp/xmr was downloaded and executed 7 times |
Download and Execute |
System file /etc/rc.local was modified |
System File Modification |
System file /etc/crontab was modified |
System File Modification |
Process /tmp/xmr generated outgoing network traffic to: 163.172.226.137:6666 |
Outgoing Connection |
Process /tmp/xmr attempted to access suspicious domains: poneytelecom.eu |
Access Suspicious Domain Outgoing Connection |
Process /usr/.work/work64 generated outgoing network traffic to: 106.205.55.73:22, 106.205.55.73:2222, 114.25.224.14:22, 114.25.224.14:2222, 117.55.172.88:22, 117.55.172.88:2222, 118.45.138.16:2222, 12.125.32.222:2002, 12.125.32.222:2022, 12.125.32.222:22, 12.125.32.222:222, 12.125.32.222:2222, 12.125.32.222:22222, 12.125.32.222:2223, 12.125.32.222:23, 12.125.32.222:2323, 12.125.32.222:2382, 12.125.32.222:26, 12.125.32.222:3389, 12.125.32.222:4118, 12.125.32.222:443, 12.125.32.222:444, 12.125.32.222:50000, 12.125.32.222:5555, 12.125.32.222:55554, 12.125.32.222:6000, 12.125.32.222:666, 12.125.32.222:7777, 12.125.32.222:8022, 12.125.32.222:830, 12.125.32.222:8888, 12.125.32.222:9000, 12.125.32.222:9090, 12.125.32.222:9999, 122.34.131.126:22, 122.34.131.126:2222, 123.20.222.28:22, 126.200.142.187:22, 126.200.142.187:2222, 13.164.218.92:22, 13.164.218.92:2222, 138.139.36.4:222, 138.139.36.4:23, 138.139.36.4:2382, 138.139.36.4:26, 138.139.36.4:4118, 138.139.36.4:444, 138.139.36.4:50000, 138.139.36.4:5555, 138.139.36.4:830, 146.20.132.155:22, 146.20.132.155:2222, 150.254.92.68:22, 150.254.92.68:2222, 152.18.124.221:22, 152.18.124.221:2222, 155.141.73.221:22, 155.141.73.221:2222, 163.173.97.211:22, 163.173.97.211:2222, 167.208.191.20:22, 167.208.191.20:2222, 168.53.203.56:22, 168.53.203.56:2222, 189.41.47.80:22, 189.41.47.80:2222, 198.42.90.49:22, 198.42.90.49:2222, 2.179.61.233:23, 2.179.61.233:2382, 2.179.61.233:26, 2.179.61.233:4118, 2.179.61.233:50000, 2.179.61.233:830, 20.185.14.98:22, 20.185.14.98:2222, 212.26.105.159:22, 212.26.105.159:2222, 221.219.35.101:22, 221.219.35.101:2222, 38.228.72.193:22, 38.228.72.193:2222, 56.113.25.201:22, 56.113.25.201:2222, 69.128.139.43:22, 69.128.139.43:2222, 70.223.229.20:22, 70.223.229.20:2222, 70.223.229.20:22222, 70.223.229.20:3389, 70.223.229.20:443, 70.223.229.20:55554, 70.223.229.20:9000, 75.90.224.182:22, 75.90.224.182:2222, 80.141.158.90:22, 80.141.158.90:2222, 87.21.131.25:22 and 87.21.131.25:2222 |
Outgoing Connection |
Process /usr/.work/work64 scanned port 2222 on 27 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /usr/.work/work64 scanned port 22 on 27 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /usr/.work/work64 scanned port 2222 on 27 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /usr/.work/work64 scanned port 22 on 27 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /usr/.work/work64 attempted to access suspicious domains: myvzw.com |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/.work/work64 attempted to access domains: bttracker.debian.org, dht.transmissionbt.com, router.bittorrent.com and router.utorrent.com |
DNS Query |
Connection was closed due to timeout |
|
An attempt to download /root/.ssh/authorized_keys was made |
New SSH Key |