IP Address: 185.234.216.142 (Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner

Services Targeted: SSH

Tags: Service Configuration, 7 Shell Commands, Read Password Secrets, DNS Query, Download and Allow Execution, Service Start, Access Suspicious Domain, Outgoing Connection, SSH, Log Tampering, Download and Execute, Package Install, User Created, Service Deletion, Scheduled Task Creation, HTTP, Service Creation, Successful SSH Login, Download Operation, Malicious File, Service Stop, Users and Groups, Download File, Bulk Files Tampering

Associated Attack Servers

Hostnames and domains: hardsofindo.com, EastUS20lin93, canonical.com, archive.ubuntu.com, altervista.org, nessus.at, _http._tcp.archive.ubuntu.com

IP addresses: 180.76.250.36, 91.189.88.152, 103.247.10.141, 217.66.177.110, 88.99.100.12, 212.232.25.155

Basic Information

IP Address: 185.234.216.142

Domain: -

ISP: World Hosting Farm Limited

Country: Ireland

WHOIS

Created Date: -

Updated Date: -

Organization: -

First seen in Guardicore Centra: 2018-02-25

Last seen in Guardicore Centra: 2020-05-24

What is Guardicore Centra

Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Each event is listed as [Centra tag] followed by the recorded event description.

[Successful SSH Login] A user logged in using SSH with the following credentials: root / ******** - Authentication policy: White List

[Log Tampering] History File Tampering detected from /bin/bash 6 times

[Download Operation, Package Install] A possibly malicious Download Operation was detected 2 times

[Outgoing Connection] Process /usr/bin/wget generated outgoing network traffic to: altervista.org:24525 and altervista.org:21

[Outgoing Connection] Process /usr/bin/wget generated outgoing network traffic to: altervista.org:21 and altervista.org:19321

[Download and Allow Execution] The file /root/keybuni was downloaded and granted execution privileges 2 times

[Outgoing Connection] Process /usr/bin/wget generated outgoing network traffic to: altervista.org:22246 and altervista.org:21

[Download File] /usr/cpu/cpu.tgz was downloaded

[Download and Execute] The file /usr/cpu/bin/t was downloaded and executed

[Download and Execute] The file /usr/cpu/bin/sh was downloaded and executed 7 times

[Outgoing Connection] Process /usr/cpu/bin/sh generated outgoing network traffic to: nessus.at:5555

[Outgoing Connection, Access Suspicious Domain] Process /usr/cpu/bin/sh attempted to access suspicious domains: nessus.at

[Outgoing Connection] Process /usr/bin/wget generated outgoing network traffic to: altervista.org:37302 and altervista.org:21

[Download and Execute] The file /bin/mig was downloaded and executed 2 times

[Outgoing Connection] Process /usr/bin/wget generated outgoing network traffic to: altervista.org:49274 and altervista.org:21

[Download Operation, Package Install] A possibly malicious Package Install was detected

[DNS Query] Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com

[Outgoing Connection] Process /usr/lib/apt/methods/http generated outgoing network traffic to: canonical.com:80

[User Created] User smmta was created with the password *********

[User Created] User smmsp was created with the password *********

[Service Stop] Service sendmail was stopped

[Download and Allow Execution] The file /etc/mail/tls/starttls.m4 was downloaded and granted execution privileges

[Download and Allow Execution] The file /etc/mail/Makefile was downloaded and granted execution privileges

[DNS Query] Process /usr/lib/sm.bin/sendmail attempted to access domains: EastUS20lin93 4 times

[Service Creation] Service sendmail.dpkg-new was created

[Service Creation] Service K01sendmail was created

[Service Creation] Service S02sendmail was created

[Service Start] Service sendmail was started

Connection was closed due to timeout

[Malicious File] /usr/cpu/bin/sh was identified as malicious by YARA according to rules: Malw Xmrig Miner, Crypto Signatures and 000 Common Rules

[Malicious File] /usr/cpu/bin/t was identified as malicious by YARA according to rules: 000 Common Rules and Malw Xhide

[Malicious File] /bin/mig was identified as malicious by YARA according to rules: 000 Common Rules

[Bulk Files Tampering] Process /usr/bin/dpkg performed bulk changes in {/} on 1014 files

[Bulk Files Tampering] Process /usr/bin/dpkg performed bulk changes in {/var/lib/dpkg/updates} on 53 files

Associated Files

Each entry lists the file path, its size in bytes, and its SHA256 hash.

/usr/cpu/bin/t (14304 bytes) SHA256: c64a24c0373afb7ac72b24bc775e4aa4c738dd6fa5a4e533c39a89fe2cf65190

/root/mig (26944 bytes) SHA256: 0fb867265cfb68026a1fff1a277dfb44de08a66140f674788400bbfe4a9bbf42

/usr/cpu/bin/sh (1672664 bytes) SHA256: d5fb10a90734f11ac11e3c331d4e2da211c854e666e9db536b89290d0ee981dd

/usr/bin/dotlockfile.dpkg-new (14856 bytes) SHA256: 6505aebce990f5c021e5e1a0fe9ee50ce3d4e4416a7f204e7691e680a8796c48

/usr/cpu/cpu.tgz (647597 bytes) SHA256: 29cc6544e7e1a170ac2273f0e32b335321eb6dfaf2325f9e8677aa392b2b250b

/usr/scn.tgz (1460277 bytes) SHA256: 0b13594ddfa42b3af3e331b00bcb29c12aeef4e4192eea254741d7bff0bc29aa

/usr/share/bug/sensible-mda/script.dpkg-new (1166 bytes) SHA256: 43211487a1b47fb6d1d089af877d19557e216c36bdc54cd1460e66a981d9f1c2

/usr/share/sendmail/doublebounce.pl.dpkg-new (6295 bytes) SHA256: 5d389d4384ff6dd4c89daa380de7b1b66f9ff3d12c2c5fde23be06ed3e042aa2

/usr/share/sendmail/update_db.dpkg-new (15603 bytes) SHA256: 6e5060d38400ef45f909e35f56d72f535fdeddfd67b78affe2390b3b529b304a

/usr/share/sendmail/update_mc.dpkg-new (10527 bytes) SHA256: 37e67490443d8d104294bd50bf9e0188b4061240d727edbaaee7abf2b0f91c4c

/usr/share/sendmail/examples/network/if-post-down.d/sendmail.dpkg-new (876 bytes) SHA256: f8af6ff704efa7680ab704a4235780919916852296b4aa55f285c53778440412

/usr/share/sendmail/examples/network/if-up.d/sendmail.dpkg-new (1671 bytes) SHA256: 72339e8e6f17a4ae5ebd71ed944faad3f374c07a37cd1f469e29bdd2b7f1bed8

/usr/share/sendmail/examples/ppp/ip-up.d/sendmail.dpkg-new (1309 bytes) SHA256: 46b2641f4b4f250b5d1a94b71564f3ef706c5a04fd7da4449f132feb42612f88

/usr/share/sendmail/examples/ppp/ip-down.d/sendmail.dpkg-new (1081 bytes) SHA256: eb6b0275f43e74286c6e4c2785f96adbc1048e2a589b486a6a6047e7577ad701

/usr/share/sendmail/examples/dhcp/dhclient-exit-hooks.d/sendmail.dpkg-new (1375 bytes) SHA256: 7ba0ed3e230e32e1bf5e0e35c874d18379a734b86107489ff198f285a59077a0

/usr/share/sendmail/examples/passwd-to-alias.dpkg-new (871 bytes) SHA256: 8a0024e3652d6e949ea474269ec7f7aadca17af7b637d12de463ff0f2b4d0822

/usr/share/sendmail/examples/milter/Makefile.dpkg-new (401 bytes) SHA256: d65726e8d6e8fbb7bbf3c14d6dbb8c7fc80ed54be5d38a1d55ea6e0cf0ed8164

/usr/share/sendmail/examples/resolvconf/update-libc.d/sendmail.dpkg-new (392 bytes) SHA256: 76063a36768c46fc0d4eb3eb91de3da0d129a9f6e7851d3954749ffd79349531

/usr/share/sendmail/update_sendmail.dpkg-new (3526 bytes) SHA256: e08f067eab51cf06b737f31f11cb7487f566128a2e6ba7cf1131620f93eb5564

/usr/share/sendmail/update_tls.dpkg-new (9575 bytes) SHA256: 3daa091d91f0e7679de00e4f1774487da2658591bf1f590c2c34131c20708c0c

/usr/share/sendmail/buildvirtuser.dpkg-new (6426 bytes) SHA256: aaeda3fe5b366a1cc21cfc13343c5c847423090afc0eea8a0195144889842950

/usr/share/sendmail/Parse_conf.pm.dpkg-new (30085 bytes) SHA256: 23eedf58551789ac234ad032c38e18ad0b3696b244038c5a9886b698cf34f55a

/usr/share/sendmail/update_ldap.dpkg-new (3565 bytes) SHA256: 92f3f8a4142d9a7af45c25f5db86704b4aed1d9b8fc30923dc522346158e4406

/usr/share/sendmail/smcontrol.pl.dpkg-new (7579 bytes) SHA256: 74d861a9cd1e0d1638d5af8dccccb2827b249c06f59e6fe8dce98a8b90845e3c

/usr/share/sendmail/update_authm4.dpkg-new (8030 bytes) SHA256: f397d679c222c3fcb94f6a613753c3a26c01cefffb37d2db58ee6b90de47f257

/usr/share/sendmail/qtool.pl.dpkg-new (24659 bytes) SHA256: 72d9261b4e408703fbbae7152dd8532a8beeee2505b0f124f3a9a7be85251536

/usr/share/sendmail/update_mk.dpkg-new (21237 bytes) SHA256: 42e53842ed063c2af15f40f2f7952d0296acfdfc41efb21896fd9fbc2388149c

/usr/share/sendmail/update_tcpd.dpkg-new (1977 bytes) SHA256: df1dcb91c799220c0199437bb04c7179f1b582e810ac2687622ace53b19d2d36

/usr/share/sendmail/sendmail.dpkg-new (32342 bytes) SHA256: 2e23edd1ad87fd46c28956c5d3a0337e298624eccc786c3d48b363ced98ed325

/usr/share/sendmail/update_auth.dpkg-new (10166 bytes) SHA256: ba573cb016b4a8851df44f2f04d59843a48059cdaa14bb63d13d47eb60dbd2a0

/usr/share/sendmail/Parse_mc.pm.dpkg-new (32352 bytes) SHA256: f49c7032ac6636fd06f4308ff02810cc9f5600ec2ef95bce80742a71fdbd7e77

/usr/share/sendmail/parse_mc.dpkg-new (2839 bytes) SHA256: 3f8067677a0a2b51d5bd5c24b3b3e5a4d4fec655416884bbcc8ea965383ea6d3

/usr/share/sendmail/update_notices.dpkg-new (7366 bytes) SHA256: 6966c65efb374b44a958284561972b2e27e86e2a27c780c10d0b20e30c1d65e0

/usr/share/sendmail/dynamic.dpkg-new (12571 bytes) SHA256: 23569508df5a4b9a851b1409c6046341b9371d31baa8fe111b9e6d570ed72f57

/usr/share/sendmail/update_tlsm4.dpkg-new (7898 bytes) SHA256: 801dea52faf225dca48f1f70b3ea0602264626fdcdedc46313c3bd40b520d80d

/usr/share/sendmail/update_conf.dpkg-new (15539 bytes) SHA256: 2052ad505d498a7dc2e7870dfc230913cfe9cc30d08b05b94cfe867f7cfb8605

/usr/share/sendmail/update_sys.dpkg-new (8060 bytes) SHA256: afa1a31790f55d858de345a0a045e32bc0f179ee17f4da528c120e4e7e380b51

/usr/share/sendmail/update_smrsh.dpkg-new (2479 bytes) SHA256: 99f6b2fabdb2dcdf574ca5777614f88ad2051633e0df168c184d75529b8c063c

/usr/bin/expn.dpkg-new (36889 bytes) SHA256: 02cba17417be135bc402ccdd2bbf96f4030d4d623c749333bd0ecbd8cad46206

/usr/sbin/etrn.dpkg-new (6098 bytes) SHA256: d2a659377e832569dece2f62b8f00c7ba14c7e72ee91451a47d4c271dd9ae330

/usr/sbin/checksendmail.dpkg-new (23572 bytes) SHA256: 75a15f6adcc39a6d7f108b7fc2ae2dd913481736d43fc3e17aec4c668bb34e18

/usr/sbin/sendmailconfig.dpkg-new (21677 bytes) SHA256: 938f6457fea726cf83084f9e0bd14dcfd1dd351317725c58dd64df78e12a46c8

/usr/share/sendmail/cf/sh/makeinfo.sh.dpkg-new (1124 bytes) SHA256: c08adeacb8601319fe8112b52eaa4dd0bbd3d3da607c874151a617f79b19cf7e

/usr/lib/sm.bin/praliases.dpkg-new (91104 bytes) SHA256: 8b5a55bba88f8e42cf9a4d5b0637b496c709dc83a514293962b6a3456ff413de

/usr/lib/sm.bin/editmap.dpkg-new (87008 bytes) SHA256: cc1368d87c5c5548fae3a7f5c934a7d5a450e8ba27bb3d7a9f1666d4edff715a

/usr/lib/sm.bin/mailstats.dpkg-new (74656 bytes) SHA256: 7e9cebd2b7a0b47e3c12cf505e26f16c9776388063c8b2d705a559fa9c880a01

/usr/lib/sm.bin/smrsh.dpkg-new (70560 bytes) SHA256: 57cf7f217483e2d0d103feae11416baa98f2ac3a65e4db65ca26cc16dbe00a05

/usr/lib/sm.bin/makemap.dpkg-new (91104 bytes) SHA256: 0dbbf54a8e905a2bdf04cbad60d8f7a44d89bca9f10de706aa9bbfdd153af3f0

/usr/lib/sm.bin/mail.local.dpkg-new (99488 bytes) SHA256: 464afdf25ecc47bb39aba38d9f85f17267a4538c2b75eea6332ef17ad1076362

/usr/lib/sm.bin/sendmail.dpkg-new (823744 bytes) SHA256: c2ceb6414dc68d895ec217a089280fc112642570cb513544836b48383cde5f4b

/usr/lib/sm.bin/vacation.sendmail.dpkg-new (116096 bytes) SHA256: 3fd7a5f300809bb1cb7d43c83350ee1e874eab8104bfdedac2b5ba577a54edf8

/etc/init.d/sendmail.dpkg-new (33801 bytes) SHA256: 686f5c901c59797f2d063a99255739a66b8cb99a6f1d77e75aa77f963d291fdc

/etc/cron.daily/sendmail.dpkg-new (3302 bytes) SHA256: e6f7f07463fcabc7ced8894aeca2abafd94018d283f3b704fc304951489e7075

/usr/bin/mailstat.dpkg-new (5859 bytes) SHA256: a895fa48862c1c218fb61ad725213724e885c6e30a182f0bcbc03865d206e9ab

/usr/bin/lockfile.dpkg-new (18760 bytes) SHA256: 93ca36b4aedc8b2c2e09d067e08c9b0e6264024f5b2359117286bddd74f890af

/usr/bin/formail.dpkg-new (39512 bytes) SHA256: 802245c3bd8e5059fddf3fd2d472bcb26f98274e14530ddcd873be0db72c366a

/usr/bin/procmail.dpkg-new (89288 bytes) SHA256: bbb74733c88e0ae5b9b834e0501d485ff2e8606365cf816f82cdd868fc11adf2

/usr/sbin/sensible-mda.dpkg-new (10232 bytes) SHA256: f7bff636f62335525913d542ed7e2e508c37931a4bfa2e62ed4c5a58f7fbfbb4
