IP Address: 18.212.180.57 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SCP, SSH
Tags: Port 8080 Scan, Download File, 7 Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Download and Execute, SCP, Outgoing Connection, Listening, Download and Allow Execution
Associated Attack Servers: 3s.pl, amazonaws.com, attdns.com, centertel.pl, cloudhost.asia, dns.google, emtagas.com.bo, herza.id, ip-54-38-175.eu, jio.com, mobtelecom.com.br, ocn.ne.jp, online.tj.cn, ovo.sc, packetexchange.net, qwest.net, seatelecom.com.br, telenet.be, telenormobil.no, tie.cl, tokai.or.jp, virginm.net, watchfront.net.uk, xmrpool.eu, your-server.de, 1.1.1.1, 1.14.166.163, 1.15.13.216, 1.15.102.11, 1.133.174.231, 2.149.75.247, 3.91.21.110, 3.110.236.209, 3.129.104.32, 3.201.125.165, 5.83.119.36, 6.247.73.6, 8.8.8.8, 12.23.46.220, 12.153.209.78, 13.83.38.193, 14.139.161.246, 14.176.13.127, 15.116.78.151, 15.230.196.152, 16.39.107.119, 18.234.239.64, 20.58.184.140, 20.64.226.15, 21.132.39.172, 24.83.199.240, 25.71.18.198, 25.117.74.23, 26.168.38.152
IP Address: 18.212.180.57
Domain: -
ISP: Amazon.com
Country: United States

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2022-04-02
Last seen in Akamai Guardicore Segmentation: 2023-05-24
Attack flow

Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 5 times
Superuser Operation: A possibly malicious Superuser Operation was detected 6 times
Download File: /tmp/ifconfig was downloaded
Download and Execute: The file /root/ifconfig was downloaded and executed 5 times
Download and Execute: The file /root/apache2 was downloaded and executed 50 times
Outgoing Connection: Process /root/apache2 generated outgoing network traffic to: 1.1.1.1:443, 1.14.166.163:1234, 103.152.119.126:1234, 104.21.25.86:443, 104.98.64.39:80, 104.98.64.39:8080, 115.100.249.249:80, 120.232.251.85:1234, 120.232.251.85:22, 130.232.61.197:80, 135.104.155.79:80, 142.250.191.228:443, 149.157.2.236:80, 149.157.2.236:8080, 158.250.174.120:80, 158.250.174.120:8080, 165.109.173.51:80, 177.187.236.55:80, 177.187.236.55:8080, 18.212.180.57:1234, 182.83.119.208:80, 186.70.202.46:80, 187.229.63.109:80, 187.229.63.109:8080, 196.111.185.80:80, 196.111.185.80:8080, 21.27.87.214:80, 210.14.80.133:80, 210.148.111.7:80, 210.148.111.7:8080, 214.63.105.95:80, 214.63.105.95:8080, 215.151.230.194:80, 216.2.199.93:80, 216.2.199.93:8080, 219.114.35.201:80, 219.114.35.201:8080, 219.175.185.146:80, 221.56.155.135:80, 223.162.216.94:80, 223.162.216.94:8080, 243.219.178.19:80, 29.124.117.194:80, 51.75.146.174:443, 52.193.145.47:80, 58.126.222.65:80, 58.126.222.65:8080, 62.68.104.136:80, 64.61.253.5:80, 64.61.253.5:8080, 68.100.34.221:80, 69.109.150.145:80, 69.109.150.145:8080, 79.205.199.37:80, 8.8.8.8:443, 82.157.131.41:1234, 85.202.113.143:80 and 85.202.113.143:8080
Listening: Process /root/apache2 started listening on ports: 1234, 8088 and 8184
Port 8080 Scan, Port 80 Scan: Process /root/apache2 scanned port 80 on 32 IP Addresses
Port 8080 Scan, Port 80 Scan: Process /root/apache2 scanned port 8080 on 32 IP Addresses
Port 8080 Scan, Port 80 Scan: Process /root/apache2 scanned port 80 on 15 IP Addresses
Download and Execute: The file /root/php-fpm was downloaded and executed 4 times
Port 8080 Scan, Port 80 Scan: Process /root/apache2 scanned port 8080 on 15 IP Addresses
Outgoing Connection: Process /root/php-fpm generated outgoing network traffic to: 120.232.251.85:22
Download and Execute: The file /var/tmp/ifconfig was downloaded and executed 5 times
Download and Execute: The file /var/tmp/apache2 was downloaded and executed 58 times
Listening: Process /var/tmp/ifconfig started listening on ports: 1234, 8086, 8088 and 8185
Connection was closed due to timeout
File: /var/tmp/php-fpm
SHA256: 10aaadaf66ae0b4f687aa7239e1b0b6959973c5d0c973a7a34db0ac78f070078
Size: 2875664 bytes