IP Address: 173.234.168.44 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

Successful SSH Login, Human, Package Install, Download and Execute, Malicious File, Outgoing Connection, Access Suspicious Domain, Bulk Files Tampering, DNS Query 53, Shell Commands, Scheduled Task Creation, SSH, Download Operation, HTTP, SFTP, Download File, Log Tampering

Associated Attack Servers

Domains: ip-37-187-95.eu, dag2018dag.000webhostapp.com

IPs: 145.14.144.140, 145.14.145.72, 145.14.145.88, 37.187.95.110, 145.14.145.68, 145.14.145.62

Basic Information

IP Address: 173.234.168.44

Domain: -

ISP: Nobis Technology Group, LLC

Country: United States

WHOIS

Created Date: -

Updated Date: -

Organization: -

First seen in Guardicore Centra: 2018-04-05

Last seen in Guardicore Centra: 2018-04-26

What is Guardicore Centra

Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / ******** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/wget attempted to access domains: dag2018dag.000webhostapp.com

DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.62:443

Outgoing Connection

/lib/firmware.tgz was downloaded

Download File

A user logged in using SSH with the following credentials: root / ******** - Authentication policy: Correct Password 3 times

Successful SSH Login

/root/.bash_history was downloaded

Download File

History File Tampering detected from /usr/lib/openssh/sftp-server on the following logs: /root/.bash_history

Log Tampering

/lib/.firmware/modules/config.json was downloaded 2 times

Download File

The file /lib/.firmware/h64 was downloaded and executed

Download and Execute

The file /lib/.firmware/modules/ld-linux-x86-64.so.2 was downloaded and executed 6 times

Download and Execute

Process /lib/.firmware/modules/ld-linux-x86-64.so.2 generated outgoing network traffic to: 37.187.95.110:80

Outgoing Connection

Process /lib/.firmware/modules/ld-linux-x86-64.so.2 attempted to access suspicious domains: ip-37-187-95.eu

Outgoing Connection, Access Suspicious Domain

Log File Tampering detected from /bin/bash on the following logs: /var/log/apt/apt.log, /var/log/dmesg, /var/log/faillog, /var/log/samba/log., /var/log/dpkg.log, /var/log/apt/term.log, /var/log/apt/history.log, /var/log/alternatives.log, /var/log/.auth.log, /var/log/btmp, /var/log/fsck/checkroot, /var/log/lastlog, /var/log/wtmp, /var/log/bootstrap.log and /var/log/fsck/checkfs

Log Tampering

History File Tampering detected from /bin/bash on the following logs: /root/.bash_history

Log Tampering

Connection was closed due to timeout

/lib/.firmware/modules/libcrypto.so.1.0.0 was identified as malicious by YARA according to rules: Malw Miscelanea Linux and Crypto Signatures

Malicious File

/lib/.firmware/modules/x was identified as malicious by YARA according to rules: Crypto Signatures

Malicious File

/lib/.firmware/log was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/lib/.firmware/h64 was identified as malicious by YARA according to rules: Malw Miscelanea Linux and Suspicious Strings

Malicious File

/lib/.firmware/modules/libpthread.so.0 was identified as malicious by YARA according to rules: Malw Miscelanea Linux

Malicious File

/lib/.firmware/modules/libhwloc.so.5 was identified as malicious by YARA according to rules: Malw Miscelanea Linux and Crypto Signatures

Malicious File

/lib/.firmware/h32 was identified as malicious by YARA according to rules: Maldoc Somerules

Malicious File

Process /bin/tar performed bulk changes in {/lib} on 40 files

Bulk Files Tampering

Associated Files

/var/tmp/systemd-private-484004451d0046639858c0420ad0891c-systemd-timesyncd.service/security
SHA256: 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf
Size: 838583 bytes

/var/tmp/usb3.0.tgz
SHA256: 7fd75f98062de7ebdbb079427c3e2a5b2aa29b68a4dd079ea482e1801952eb23
Size: 12458261 bytes

/root/firmware.tgz
SHA256: ab5a550d294b2fd5583ff4b9f6bfdc0cf2d74e0ee29332fc725f1ef1d95e98fd
Size: 13238881 bytes
