IP Address: 176.99.12.209 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Connect-Back, Scanner
Services Targeted: SSH
Tags: Port 2222 Scan, 28 Shell Commands, SSH, Listening, Port 22 Scan, Successful SSH Login, Download and Allow Execution, Port 1234 Scan, Download and Execute
Associated Attack Servers: ambit24.net, fronteradigital.net.ar, moldtelecom.md, orange-business.com, regruhosting.ru, 3.122.60.196, 13.59.13.98, 13.59.67.195, 13.251.89.210, 50.118.182.234, 54.93.55.80, 60.172.206.11, 71.62.129.30, 89.105.117.246, 92.115.102.133, 93.40.179.205, 100.0.197.18, 107.187.122.10, 123.124.150.10, 124.156.245.155, 138.219.235.200, 140.127.211.177, 151.93.23.121, 166.168.111.151, 166.255.227.179, 168.196.202.8, 169.54.161.231, 170.210.215.142, 178.212.222.102, 181.48.27.93, 188.38.175.137, 200.4.201.97

IP Address: 176.99.12.209
Domain: -
ISP: Domain names registrar REG.RU, Ltd
Country: Russian Federation

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2020-07-31
Last seen in Akamai Guardicore Segmentation: 2020-08-07
Attack timeline (event tags in brackets):

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List [Successful SSH Login]
Process /usr/sbin/sshd scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
Process /bin/nc.openbsd scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
Process /usr/sbin/sshd scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
Process /bin/bash scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
Process /usr/sbin/sshd scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
Process /bin/bash scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
Process /bin/nc.openbsd scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
Process /root/nginx scanned port 1234 on 16 IP Addresses [Port 1234 Scan, Port 22 Scan, Port 2222 Scan]
Process /root/nginx scanned port 22 on 16 IP Addresses [Port 1234 Scan, Port 22 Scan, Port 2222 Scan]
Process /root/nginx scanned port 2222 on 16 IP Addresses [Port 1234 Scan, Port 22 Scan, Port 2222 Scan]
Process /root/nginx scanned port 1234 on 20 IP Addresses [Port 1234 Scan, Port 22 Scan, Port 2222 Scan]
Process /root/nginx scanned port 1234 on 19 IP Addresses [Port 1234 Scan, Port 22 Scan, Port 2222 Scan]
Process /usr/sbin/sshd scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
Process /bin/bash scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
Process /usr/sbin/sshd scanned port 1234 on 16 IP Addresses, 2 times [Port 1234 Scan]
Process /bin/bash scanned port 1234 on 16 IP Addresses, 2 times [Port 1234 Scan]
Process /bin/nc.openbsd scanned port 1234 on 16 IP Addresses [Port 1234 Scan]
A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password, 8 times [Successful SSH Login]
The file /root/ifconfig was downloaded and executed 6 times [Download and Execute]
The file /root/nginx was downloaded and executed 84 times [Download and Execute]
Process /root/nginx scanned port 22 on 20 IP Addresses [Port 1234 Scan, Port 22 Scan, Port 2222 Scan]
Process /root/nginx scanned port 2222 on 20 IP Addresses [Port 1234 Scan, Port 22 Scan, Port 2222 Scan]
Process /root/nginx scanned port 22 on 19 IP Addresses [Port 1234 Scan, Port 22 Scan, Port 2222 Scan]
Process /root/nginx started listening on ports: 1234 [Listening]
Process /root/nginx generated outgoing network traffic to: 100.0.197.18:1234, 100.61.245.128:2222, 106.115.168.44:22, 109.73.103.162:1234, 111.19.129.48:22, 114.112.120.64:22, 114.112.120.64:2222, 117.238.121.117:22, 117.238.121.117:2222, 119.161.246.27:2222, 120.13.230.193:22, 122.43.162.20:22, 13.92.247.241:1234, 133.73.63.204:22, 134.44.110.132:2222, 135.52.250.107:2222, 139.198.191.245:1234, 139.199.163.77:1234, 145.177.84.61:22, 15.180.191.12:2222, 156.157.99.169:22, 163.91.65.204:22, 166.255.227.179:1234, 170.210.215.142:1234, 171.87.219.34:2222, 176.99.12.209:1234, 181.97.21.217:2222, 199.79.175.166:22, 20.213.83.150:22, 210.3.96.210:2222, 218.93.239.44:1234, 219.139.144.91:2222, 220.107.123.92:22, 220.179.231.188:1234, 249.233.139.76:22, 30.131.183.63:22, 30.131.183.63:2222, 5.34.116.107:2222, 50.118.182.234:1234, 51.75.31.39:1234, 54.118.211.141:22, 54.93.55.80:1234, 56.47.25.89:22, 56.47.25.89:2222, 60.98.84.58:22, 60.98.84.58:2222, 61.72.1.105:2222, 66.48.81.201:2222, 8.148.8.194:22, 89.105.117.246:1234, 94.159.156.53:2222 and 95.233.189.125:2222
Process /root/nginx scanned port 2222 on 19 IP Addresses [Port 1234 Scan, Port 22 Scan, Port 2222 Scan]
The file /root/php-fpm was downloaded and executed [Download and Execute]
Connection was closed due to timeout
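Read as a chain rather than as isolated events, the record shows a worm-style SSH intrusion: a root login, three binaries dropped in /root under daemon-like names (ifconfig, nginx, php-fpm) and executed, the nginx dropper scanning ports 22, 2222 and 1234 on other hosts, opening its own listener on 1234, and sending traffic to 176.99.12.209:1234 (the attacking host itself, i.e. the connect-back) and to several of the listed associated attack servers on the same port. The scans attributed to /usr/sbin/sshd, /bin/bash and /bin/nc.openbsd are consistent with the intruder probing port 1234 by hand inside the SSH session, since the sensor reports the session's parent process; the record does not state that explicitly. Port 1234 is therefore the peer and connect-back port to watch for, and a daemon name executed from /root rather than from /usr/sbin is the host-side indicator. The Python below is an added example, not code from the Akamai Guardicore page: it parses event lines in the same shape as this record (a constructed subset, embedded inline), flags binaries that carry a daemon name but live outside the standard binary directories, and cross-references the dropper's outbound destinations against the associated-server list. The regexes, the lookalike-name list and the is_worm_chain rule are assumptions of this example.

```python
import re
from collections import defaultdict

# Subject of the record and a subset of the "Associated Attack Servers" it lists.
ATTACKER_IP = "176.99.12.209"
ASSOCIATED_SERVERS = {
    "100.0.197.18", "166.255.227.179", "170.210.215.142",
    "50.118.182.234", "54.93.55.80", "89.105.117.246",
}

# Assumptions of this example: where legitimate daemons live, and which names a
# dropper borrows to blend in (the record shows nginx, php-fpm and ifconfig under /root).
STANDARD_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/local/bin/", "/usr/local/sbin/")
DAEMON_LOOKALIKES = {"nginx", "php-fpm", "sshd", "httpd", "ifconfig"}

# Constructed sample in the shape of the sensor timeline (not a verbatim copy of it).
EVENTS = [
    "A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List",
    "Process /usr/sbin/sshd scanned port 1234 on 16 IP Addresses",
    "Process /bin/nc.openbsd scanned port 1234 on 16 IP Addresses",
    "A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password 8 times",
    "The file /root/ifconfig was downloaded and executed 6 times",
    "The file /root/nginx was downloaded and executed 84 times",
    "Process /root/nginx scanned port 22 on 20 IP Addresses",
    "Process /root/nginx scanned port 2222 on 19 IP Addresses",
    "Process /root/nginx scanned port 1234 on 16 IP Addresses",
    "Process /root/nginx started listening on ports: 1234",
    "Process /root/nginx generated outgoing network traffic to: 100.0.197.18:1234, "
    "106.115.168.44:22, 166.255.227.179:1234, 176.99.12.209:1234, 54.93.55.80:1234 and 94.159.156.53:2222",
    "The file /root/php-fpm was downloaded and executed",
    "Connection was closed due to timeout",
]

RE_LOGIN = re.compile(r"logged in using SSH with the following credentials: (\S+) /")
RE_DOWNLOAD = re.compile(r"The file (\S+) was downloaded and executed")
RE_SCAN = re.compile(r"Process (\S+) scanned port (\d+) on (\d+) IP Addresses")
RE_LISTEN = re.compile(r"Process (\S+) started listening on ports: ([\d, ]+)")
RE_OUTBOUND = re.compile(r"Process (\S+) generated outgoing network traffic to: (.*)")
RE_ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def is_masquerading(path):
    """A daemon-like name executed from outside the standard binary directories."""
    name = path.rsplit("/", 1)[-1]
    return name in DAEMON_LOOKALIKES and not path.startswith(STANDARD_BIN_DIRS)


def analyze(lines, attacker_ip=ATTACKER_IP, associated=ASSOCIATED_SERVERS):
    """Reduce sensor event lines to the facts a triage analyst wants."""
    f = {
        "root_logins": 0,
        "masquerading_binaries": [],      # dropped files with borrowed daemon names
        "scans": defaultdict(set),        # process -> ports it probed on other hosts
        "listening": defaultdict(set),    # process -> ports it opened locally
        "outbound_to_associated": set(),  # destinations that are known attack servers
        "connect_back_to_attacker": False,
        "peer_ports": defaultdict(int),   # destination port -> number of destinations
    }
    for line in lines:
        if (m := RE_LOGIN.search(line)) and m.group(1) == "root":
            f["root_logins"] += 1
        elif m := RE_DOWNLOAD.search(line):
            if is_masquerading(m.group(1)):
                f["masquerading_binaries"].append(m.group(1))
        elif m := RE_SCAN.search(line):
            f["scans"][m.group(1)].add(int(m.group(2)))
        elif m := RE_LISTEN.search(line):
            f["listening"][m.group(1)].update(int(p) for p in m.group(2).split(","))
        elif m := RE_OUTBOUND.search(line):
            for ip, port in RE_ENDPOINT.findall(m.group(2)):
                f["peer_ports"][int(port)] += 1
                if ip in associated:
                    f["outbound_to_associated"].add(ip)
                if ip == attacker_ip:
                    f["connect_back_to_attacker"] = True
    return f


def is_worm_chain(f):
    """Full pattern: root login, plus a masquerading dropper that both scans SSH
    ports on other hosts and opens a listener of its own (scanner + connect-back peer)."""
    droppers = f["masquerading_binaries"]
    return (f["root_logins"] > 0
            and any(f["scans"].get(p, set()) & {22, 2222} for p in droppers)
            and any(f["listening"].get(p) for p in droppers))


if __name__ == "__main__":
    findings = analyze(EVENTS)
    for key, value in findings.items():
        print(f"{key}: {dict(value) if isinstance(value, defaultdict) else value}")
    print("worm chain:", is_worm_chain(findings))
```

On the constructed sample the three droppers are flagged, /root/nginx is the only process that both scans 22/2222 and listens, three of the associated servers show up as port-1234 peers, and the connect-back to 176.99.12.209 is caught; the shell probes attributed to sshd, bash and nc.openbsd remain visible in the scans map but do not by themselves trigger the chain rule.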
|