IP Address: 159.203.47.213Previously Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
159.203.47.213​
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

HTTP

Tags

Outgoing Connection HTTP Download File IDS - Web Application Attack Download and Allow Execution Inbound HTTP Request Download and Execute

Connect Back Servers

13.90.251.180 40.117.44.182 52.176.53.237 52.176.57.101 13.92.99.153 52.168.89.181 13.93.93.21 52.173.20.209 104.40.187.35 52.176.107.216 40.76.38.75 52.168.150.12 52.173.137.160 13.90.251.147 52.173.196.87 52.176.42.220 52.168.135.53 134.209.252.188 40.87.71.177 13.81.2.109 40.87.60.178 40.71.229.210 159.89.191.238 52.174.154.38 13.93.116.182 23.101.128.211 52.173.81.46 52.173.191.44 52.168.38.28 52.176.57.55

Basic Information

IP Address

159.203.47.213

Domain

-

ISP

Digital Ocean

Country

Canada

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-08-19

Last seen in Guardicore Centra

2019-05-30

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: 134.209.252.188:80 2 times

Outgoing Connection

The file /tmp/mysql.sock.lock was downloaded and granted execution privileges

The file /tmp/yarn was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/d0p3x.x86 was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/Tadaa was downloaded and executed

Download and Execute

IDS detected Web Application Attack : 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

Connection was closed due to user inactivity

Associated Files

/tmp/yarn

SHA256: d57a69b15738099ff6e7652fcd44fde5b195d42431d161c2062a5125cb2ee157

2933 bytes

/tmp/Tadaa

SHA256: 5853b239eaec7b7e0e4c97b5901e8fea7d6b8d832ea8207dd28543d8787c5ee9

66372 bytes

/tmp/c4tch_m3_if_y0u_c4n.x86

SHA256: 98ae88a433be8fb548d42cc6558fe88ed0135d513d330733826d7f476eb05d38

30100 bytes

/tmp/yarn

SHA256: 70869d03b91d56cf9da531e9a66d2607439d80591189b536ff10602426172e72

2933 bytes

/tmp/Tadaa

SHA256: 372b64998356904c7009957baa644ca09a59c0ade373abf0cb168b64f83243ef

66372 bytes

/tmp/yarn

SHA256: 2f37a724ba2261544bf0c5de96d6a96a82220532f48f79f7446db6f7af0e50d4

2593 bytes

/tmp/d0p3x.x86

SHA256: 2b9b99ab080708609c40667f59e59cd0aaede35f4fb8eb70a45aa7a4cedc639e

30100 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 159.203.47.213​Previously Malicious