IP Address: 167.86.74.135 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Superuser Operation, Human, Download Operation, HTTP, Outgoing Connection, Protect File, DNS Query, Bulk Files Tampering, Access Suspicious Domain, Successful SSH Login, 11 Shell Commands, Log Tampering, Networking Operation, SSH, Download File, Download and Allow Execution
Associated Attack Servers: files.pythonhosted.org, pypi.org, pypi.python.org, speedtest.planet.net, speedtest.ventracompanies.com, st1.htva.net, ventracompanies.com, 52.124.34.20, 69.172.142.67, 71.115.150.58, 106.75.133.13, 151.101.1.63, 151.101.2.219, 151.101.64.223, 151.101.192.223, 162.216.234.36, 198.84.60.200, 199.232.96.223, 216.171.180.225
IP Address: 167.86.74.135
Domain: -
ISP: Contabo GmbH
Country: Germany
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-01-21
Last seen in Akamai Guardicore Segmentation: 2022-08-21
A user logged in using SSH with the following credentials: root / ********* - Authentication policy: White List [Successful SSH Login]
A possibly malicious Download Operation was detected [Download Operation, Networking Operation, Protect File, Superuser Operation]
History File Tampering detected from /bin/bash [Log Tampering]
Process /bin/bash attempted to access suspicious domains: dl.packetstormsecurity.net and rokabear.com [DNS Query, Access Suspicious Domain, Outgoing Connection]
Process /bin/bash generated outgoing network traffic to: 198.84.60.200:443 and 198.84.60.200:80 [Outgoing Connection]
/root/mig-logcleaner11.tar.gz was downloaded [Download File]
The file /root/mig-logcleaner/mig-logcleaner was downloaded and granted execution privileges [Download and Allow Execution]
A possibly malicious Networking Operation was detected [Download Operation, Networking Operation, Protect File, Superuser Operation]
A possibly malicious Protect File was detected [Download Operation, Networking Operation, Protect File, Superuser Operation]
A possibly malicious Download Operation was detected [Download Operation, Networking Operation, Protect File, Superuser Operation]
Process /bin/bash generated outgoing network traffic to: 106.75.133.13:80 [Outgoing Connection]
The file /root/.ssh/authorized_keys was downloaded and granted execution privileges
A possibly malicious Superuser Operation was detected 2 times [Download Operation, Networking Operation, Protect File, Superuser Operation]
Process /usr/bin/python2.7 attempted to access domains: files.pythonhosted.org, pypi.org and pypi.python.org [DNS Query]
Process /usr/bin/python2.7 generated outgoing network traffic to: 151.101.1.63:443, 151.101.192.223:443, 151.101.64.223:443 and 199.232.96.223:443 [Outgoing Connection]
The file /usr/local/bin/speedtest was downloaded and granted execution privileges [Download and Allow Execution]
The file /usr/local/bin/speedtest-cli was downloaded and granted execution privileges
Process /usr/bin/python2.7 generated outgoing network traffic to: 151.101.2.219:443, 151.101.2.219:80, 162.216.234.36:8080, 216.171.180.225:8080, 52.124.34.20:8080, 69.172.142.67:8080 and 71.115.150.58:8080 [Outgoing Connection]
Process /usr/bin/python2.7 attempted to access domains: www.speedtest.net [DNS Query]
Process /usr/bin/python2.7 attempted to access suspicious domains: htva.net, northland.net, speedtest-syr1.northland.net, speedtest.nwrk.nj.wtsky.net, speedtest.planet.net, speedtest.ventracompanies.com, st1.htva.net and ventracompanies.com [DNS Query, Access Suspicious Domain, Outgoing Connection]
Connection was closed due to user inactivity
Process /usr/bin/python2.7 performed bulk changes in {/root/.cache/pip} on 19 files [Bulk Files Tampering]