IP Address: 159.65.44.157Previously Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
159.65.44.157​
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

HadoopYARN

Tags

HTTP Log Tampering HadoopYARN Malicious File IDS - Web Application Attack Outgoing Connection Download and Allow Execution Download and Execute Download File Inbound HTTP Request Service Stop

Connect Back Servers

dhcp

144.217.149.61 40.117.44.182 52.166.70.254 52.186.127.89 13.90.98.228 137.116.195.72 13.69.86.134 40.68.244.223 52.174.52.111 52.232.126.80 13.90.100.161 149.61.33.0 52.168.169.156 40.121.222.121 52.170.101.192 13.73.167.164 13.68.208.174 52.233.143.163 13.81.220.89 40.71.214.242 52.174.17.41 40.114.243.66 52.166.59.19 13.92.179.136 13.94.152.174 61.53.0.0 13.73.165.162 13.73.166.169 137.135.80.180 13.82.50.132

Basic Information

IP Address

159.65.44.157

Domain

-

ISP

Digital Ocean

Country

United States

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-10-07

Last seen in Guardicore Centra

2018-10-27

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: 159.65.44.157:80

Outgoing Connection

The file /tmp/Execution.x86 was downloaded and executed 16 times

Download and Execute

Process /tmp/Execution.x86 generated outgoing network traffic to: 159.65.44.157:23

Outgoing Connection

IDS detected Web Application Attack : 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

Service iptables was stopped

Service Stop

Service firewalld was stopped

Service Stop

Log File Tampering detected from /bin/rm on the following logs: /var/log/apt/apt.log, /var/log/dmesg, /var/log/faillog, /var/log/dpkg.log, /var/log/apt/term.log, /var/log/apt/history.log, /var/log/alternatives.log, /var/log/btmp, /var/log/fsck/checkroot, /var/log/lastlog, /var/log/wtmp, /var/log/bootstrap.log and /var/log/fsck/checkfs

Log Tampering

Connection was closed due to user inactivity

/tmp/Execution.x86 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

Associated Files

/tmp/Execution.x86

SHA256: 20b4e9940b7414b57f4cab056a330746a0e611aa396c863ccfea6e55f520be7b

108742 bytes

/tmp/x86

SHA256: 0e8edef1570f6580923358f110b48049402035b32e20b59895766d2727bbc961

153877 bytes

/tmp/x86

SHA256: f9fd50c34fb5a95cb6ed85a60a2935e2f6b18cdb6872da91f73c810abdf48cae

153877 bytes

/tmp/x86

SHA256: 1d94171c22f37ff580c8d2d516ff772e313a3f53d418cb0bd80b1437f98d5dcb

113933 bytes

/tmp/x86

SHA256: abd864950030475d6a0f41d3546cb766f384f2acae496c26bd1de9204cfba78d

11677 bytes

/tmp/x86

SHA256: 46f0f9de0c796c8ba1acd6c23393f638a2788c8751f9987100cc2b1893e3cfbb

120573 bytes

/tmp/x86

SHA256: efe74602f5d8b4c3ef4738c4ee59c63e6ca00fb3817d78fd1063d0a6c21ee77d

32925 bytes

/tmp/x86

SHA256: ff592b19d61aa72d6da26e15bb797f10c597ea7f48f68a63e2c141f3cb7219a3

59485 bytes

/tmp/x86

SHA256: d0cff21f4e0c3d91d3009997d21b4b4c924c98efe1b18080c8f41556be86a02d

142585 bytes

/tmp/x86

SHA256: 6cc1711206679b39ba6e4189ce1d697d2918a246b5fe0de54f84ee825c538993

32925 bytes

/tmp/x86

SHA256: 1b737b95f894b676712ef24b13803cd3b923a76510f7816bfe16e15a13cd6a1b

11677 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 159.65.44.157​Previously Malicious