IP Address: 162.222.61.218 (Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Successful SSH Login, Download and Execute, Download and Allow Execution, SSH, Superuser Operation
Associated Attack Servers: amazonaws.com, dns.google, ocn.ne.jp, seatelecom.com.br, telenet.be, virginm.net, xmrpool.eu, your-server.de, 1.1.1.1, 8.8.8.8, 13.83.38.193, 18.212.180.57, 21.132.39.172, 31.148.131.39, 36.77.94.79, 43.242.247.139, 45.235.222.242, 49.232.205.83, 51.75.146.174, 81.68.238.98, 82.156.179.219, 82.157.166.102, 84.196.223.6, 86.23.6.213, 103.9.134.247, 111.124.73.202, 120.185.43.142, 144.106.250.216, 153.235.118.20, 167.235.229.201, 172.64.163.15, 208.8.56.234, 241.191.141.159
Note on the server list: 1.1.1.1, 8.8.8.8 and dns.google are public DNS resolvers, and the outgoing-connection event below shows the payload reaching 1.1.1.1 and 8.8.8.8 on port 443; treat them as resolver noise, not attacker infrastructure, and do not block them on the strength of this record. 241.191.141.159 lies in the reserved 240.0.0.0/4 block, as do several of the scan targets in the outgoing-connection event (240.137.236.183, 242.236.225.108, 250.183.239.33, 252.177.118.88), which is consistent with a scanner that generates random IPv4 targets rather than working from a curated list; those targets are not indicators. xmrpool.eu is a public Monero mining pool and is the only entry on this page that hints at what the dropped binaries do.
IP Address: 162.222.61.218
Domain: -
ISP: -
Country: Canada
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2023-03-11
Last seen in Akamai Guardicore Segmentation: 2023-06-11
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Sensor events, in order, as tag: description
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Download and Execute: The file /tmp/ifconfig was downloaded and executed 6 times
Download and Execute: The file /tmp/apache2 was downloaded and executed 185 times
Port 22 Scan: Process /tmp/ifconfig scanned port 22 on 10 IP Addresses
Port 80 Scan: Process /tmp/ifconfig scanned port 80 on 10 IP Addresses
Port 8080 Scan: Process /tmp/ifconfig scanned port 8080 on 10 IP Addresses
Port 22 Scan: Process /tmp/ifconfig scanned port 22 on 32 IP Addresses
Port 22 Scan: Process /tmp/ifconfig scanned port 22 on 32 IP Addresses
Outgoing Connection: Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 101.42.225.97:1234, 108.174.133.39:80, 108.174.133.39:8080, 109.178.8.70:2222, 110.206.168.114:80, 110.206.168.114:8080, 12.70.106.174:80, 12.70.106.174:8080, 128.202.132.230:80, 128.202.132.230:8080, 132.251.174.46:80, 132.251.174.46:8080, 137.238.105.164:80, 137.238.105.164:8080, 138.122.231.123:22, 142.152.16.251:80, 142.152.16.251:8080, 147.66.10.138:2222, 148.75.231.11:22, 149.105.112.151:80, 149.105.112.151:8080, 15.238.35.148:2222, 150.121.8.71:22, 151.245.27.4:22, 158.221.57.189:80, 158.221.57.189:8080, 166.26.51.161:80, 166.26.51.161:8080, 168.104.196.82:80, 168.104.196.82:8080, 173.219.48.194:80, 173.219.48.194:8080, 174.27.85.201:1234, 18.160.119.170:80, 18.160.119.170:8080, 181.98.159.91:80, 181.98.159.91:8080, 186.234.11.246:80, 186.234.11.246:8080, 19.159.25.40:80, 19.159.25.40:8080, 2.68.4.39:2222, 201.19.34.97:22, 204.105.143.244:80, 204.105.143.244:8080, 211.89.213.160:80, 211.89.213.160:8080, 212.57.36.20:1234, 216.94.200.124:2222, 217.26.38.100:22, 220.171.188.193:80, 220.171.188.193:8080, 240.137.236.183:80, 240.137.236.183:8080, 242.236.225.108:22, 250.183.239.33:80, 250.183.239.33:8080, 252.177.118.88:22, 26.58.120.247:2222, 32.35.244.98:80, 32.35.244.98:8080, 37.77.145.197:80, 37.77.145.197:8080, 47.37.138.79:1234, 49.233.159.222:1234, 55.196.49.239:80, 55.196.49.239:8080, 62.12.106.5:1234, 72.8.61.75:80, 72.8.61.75:8080, 73.92.5.247:2222, 76.24.32.250:80, 76.24.32.250:8080, 77.96.160.199:80, 77.96.160.199:8080, 8.8.8.8:443, 81.68.238.98:1234, 82.209.112.178:80, 82.209.112.178:8080, 87.140.180.154:80, 87.140.180.154:8080, 9.143.6.95:22, 91.152.7.69:80, 91.152.7.69:8080, 93.71.3.155:80, 93.71.3.155:8080, 97.189.51.9:80 and 97.189.51.9:8080
Listening: Process /tmp/ifconfig started listening on ports: 1234, 8083 and 8186
Port 80 Scan: Process /tmp/ifconfig scanned port 80 on 32 IP Addresses
Port 8080 Scan: Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses
Port 80 Scan: Process /tmp/ifconfig scanned port 80 on 32 IP Addresses
Outgoing Connection, Access Suspicious Domain: Process /tmp/ifconfig attempted to access suspicious domains: cosmote.net, qwest.net and tre.se
Port 8080 Scan: Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses
Download and Execute: The file /tmp/php-fpm was downloaded and executed 48 times
Download and Execute: The file /tmp/php-fpm was downloaded and executed 26 times
Download and Execute: The file /tmp/php-fpm was downloaded and executed 3 times
Connection was closed due to timeout
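The event record above is dense and mixes real indicators with noise (public resolvers, randomly chosen scan targets in reserved space). The following script is an added example, not code from this page or from Akamai/Guardicore: it parses event lines phrased exactly like the ones above into a structured report, buckets the outbound targets into resolver noise, bogon space and genuine candidates, and picks out the targets contacted on a port the payload itself listens on (1234 here), which are the best leads for infected peers or a controller. SAMPLE_EVENTS is a constructed, abridged copy of the page's own event lines; the regexes are an assumption tied to that phrasing.

```python
"""Triage of a Guardicore-style sensor event record.

Added example for this page; not code from the page or from Akamai/Guardicore.
The regexes are written against the phrasing of the event lines shown on the
page, and SAMPLE_EVENTS is a constructed, abridged copy of those lines.
"""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: abridged from the event lines on this page.
SAMPLE_EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** "
    "- Authentication policy: Correct Password",
    "The file /tmp/ifconfig was downloaded and executed 6 times",
    "The file /tmp/apache2 was downloaded and executed 185 times",
    "Process /tmp/ifconfig scanned port 22 on 10 IP Addresses",
    "Process /tmp/ifconfig scanned port 80 on 10 IP Addresses",
    "Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses",
    "Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, "
    "101.42.225.97:1234, 108.174.133.39:80, 108.174.133.39:8080, 109.178.8.70:2222, "
    "138.122.231.123:22, 240.137.236.183:80, 8.8.8.8:443, 81.68.238.98:1234 "
    "and 97.189.51.9:8080",
    "Process /tmp/ifconfig started listening on ports: 1234, 8083 and 8186",
    "Process /tmp/ifconfig attempted to access suspicious domains: cosmote.net, qwest.net and tre.se",
    "The file /tmp/php-fpm was downloaded and executed 48 times",
]

# Public resolvers; the payload hitting these is DNS noise, not attacker infrastructure.
PUBLIC_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4"}

LOGIN_RE = re.compile(r"credentials: (\S+) / \S+ - Authentication policy: (.+)$")
DROPPED_RE = re.compile(r"The file (\S+) was downloaded and executed (\d+) times")
SCAN_RE = re.compile(r"Process (\S+) scanned port (\d+) on (\d+) IP Addresses")
OUT_RE = re.compile(r"generated outgoing network traffic to: (.*)$")
LISTEN_RE = re.compile(r"started listening on ports: (.*)$")
DOMAINS_RE = re.compile(r"suspicious domains: (.*)$")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def classify_target(ip):
    """Bucket an outbound target: 'resolver' (noise), 'bogon' (reserved, private
    or otherwise unroutable space, i.e. a randomly generated scan target) or
    'candidate' (worth a closer look)."""
    if ip in PUBLIC_RESOLVERS:
        return "resolver"
    addr = ipaddress.ip_address(ip)
    if (addr.is_reserved or addr.is_private or addr.is_loopback
            or addr.is_link_local or addr.is_multicast or addr.is_unspecified):
        return "bogon"
    return "candidate"


def triage(events):
    """Reduce the free-text event lines to a structured report."""
    report = {
        "logins": [],                  # (user, authentication policy)
        "dropped": Counter(),          # path -> total download-and-execute count
        "scans": Counter(),            # port -> number of targets scanned
        "listening": [],               # ports opened by the payload
        "targets": defaultdict(list),  # classification -> [(ip, port)]
        "domains": [],
    }
    for line in events:
        if m := LOGIN_RE.search(line):
            report["logins"].append((m.group(1), m.group(2)))
        elif m := DROPPED_RE.search(line):
            report["dropped"][m.group(1)] += int(m.group(2))
        elif m := SCAN_RE.search(line):
            report["scans"][int(m.group(2))] += int(m.group(3))
        elif m := OUT_RE.search(line):
            for ip, port in ENDPOINT_RE.findall(m.group(1)):
                report["targets"][classify_target(ip)].append((ip, int(port)))
        elif m := LISTEN_RE.search(line):
            report["listening"].extend(int(p) for p in re.findall(r"\d+", m.group(1)))
        elif m := DOMAINS_RE.search(line):
            report["domains"] = re.findall(r"[\w-]+(?:\.[\w-]+)+", m.group(1))
    return report


def peer_candidates(report):
    """Non-noise targets contacted on a port the payload itself listens on
    (1234 on this page): the best leads for infected peers or a controller."""
    listen = set(report["listening"])
    return sorted(t for t in report["targets"]["candidate"] if t[1] in listen)


if __name__ == "__main__":
    r = triage(SAMPLE_EVENTS)
    print("logins:", r["logins"])
    print("dropped:", dict(r["dropped"]))
    print("scan targets per port:", dict(r["scans"]))
    print("resolver noise:", r["targets"]["resolver"])
    print("bogon targets:", r["targets"]["bogon"])
    print("peer candidates:", peer_candidates(r))
```

On the full outgoing-connection list from the page the same classification separates the two resolver hits and the four 240.0.0.0/4 targets from the rest, and leaves the :1234 and :2222 targets as the ones to pivot on; the :80/:8080 pairs are the scanner sweeping, not the payload talking to anyone in particular.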
Sample
Path: /var/tmp/apache2
SHA256: 10aaadaf66ae0b4f687aa7239e1b0b6959973c5d0c973a7a34db0ac78f070078
Size: 2875664 bytes
The event log records the execution path as /tmp/apache2 while the collected sample is listed under /var/tmp/apache2; hunt for both paths.
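For a responder checking a Linux host against this record, the useful questions are whether sshd still permits the root password login the sensor accepted, whether any of the dropped paths exist and match the published SHA256, and whether anything is listening on the ports /tmp/ifconfig opened. The script below is an added example, not Akamai/Guardicore code; the sshd_config and /proc/net/tcp texts in it are constructed samples so the parsers can be exercised offline, and on a real host you would feed them /etc/ssh/sshd_config and /proc/net/tcp (and /proc/net/tcp6) instead.

```python
"""Host-side hunt for the indicators in this record.

Added example for this page; not code from Akamai/Guardicore. The sshd_config
and /proc/net/tcp texts are constructed samples; read the real files on a host.
"""
import hashlib
import os

# From this page: the collected sample's hash, the dropped paths, the listener ports.
KNOWN_SAMPLES = {
    "10aaadaf66ae0b4f687aa7239e1b0b6959973c5d0c973a7a34db0ac78f070078": "/var/tmp/apache2",
}
DROP_PATHS = ["/tmp/ifconfig", "/tmp/apache2", "/var/tmp/apache2", "/tmp/php-fpm"]
PAYLOAD_PORTS = {1234, 8083, 8186}


def sshd_allows_root_password(config_text):
    """True if the global sshd settings let root log in with a password.
    sshd uses the first value it sees for a keyword; the defaults are
    PermitRootLogin prohibit-password and PasswordAuthentication yes.
    Keywords after a Match block are conditional and are not evaluated here."""
    settings = {"permitrootlogin": "prohibit-password", "passwordauthentication": "yes"}
    seen = set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    return settings["permitrootlogin"] == "yes" and settings["passwordauthentication"] == "yes"


def sha256_file(path, chunk_size=1 << 20):
    """Streaming SHA256 so a dropper the size of this sample (2.9 MB) is not slurped whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def match_known_sample(digest):
    """Map a SHA256 hex digest to the published sample path, or None."""
    return KNOWN_SAMPLES.get(digest.lower())


def check_dropped_files(paths=DROP_PATHS):
    """(path, sha256, known_sample_or_None) for each path present on disk. A present
    path with an unknown hash is still worth pulling: the page shows /tmp/php-fpm
    re-dropped in three batches, so variants are expected."""
    found = []
    for p in paths:
        if os.path.isfile(p):
            digest = sha256_file(p)
            found.append((p, digest, match_known_sample(digest)))
    return found


def listening_ports(proc_net_tcp_text):
    """Parse /proc/net/tcp or tcp6: column 2 is local_address as hexIP:hexPORT,
    column 4 is the socket state; 0A is TCP_LISTEN."""
    ports = set()
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) >= 4 and cols[3] == "0A":
            ports.add(int(cols[1].rsplit(":", 1)[1], 16))
    return ports


def suspicious_listeners(proc_net_tcp_text, watch=PAYLOAD_PORTS):
    """Listening ports that coincide with the ones /tmp/ifconfig opened on the sensor."""
    return listening_ports(proc_net_tcp_text) & set(watch)


# Constructed sample: the settings the sensor's accepted root/password login implies.
WEAK_SSHD_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""
# Constructed sample: the hardened counterpart.
HARDENED_SSHD_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""
# Constructed /proc/net/tcp excerpt: sshd on 0x0016 (22), listeners on 0x04D2 (1234)
# and 0x1F93 (8083), plus one established SSH session (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 00000000:1F93 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0200A8C0:0016 0100A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    print("weak config allows root password login:", sshd_allows_root_password(WEAK_SSHD_CONFIG))
    print("payload ports listening (sample):", sorted(suspicious_listeners(SAMPLE_PROC_NET_TCP)))
    print("dropped files on this host:", check_dropped_files())
```

A hit on the listener check without a hit on the file check is still meaningful: the page shows the binaries being re-dropped repeatedly, so the file on disk at the time you look may not be the one whose hash is published, while the port choice is part of the payload's behaviour.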