
IP Address:
188.25.149.250
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

Download and Allow Execution, Log Tampering, Download Operation Successful, SSH Login, DNS Query, Download File, SSH Access, Suspicious Domain, Malicious File, HTTP, 8 Shell Commands, Download and Execute, Outgoing Connection

Connect Back Servers

adminer.net, poneytelecom.eu, ipscat.hi2.ro

212.129.53.225, 89.42.39.67

Basic Information

IP Address

188.25.149.250

Domain

-

ISP

RCS & RDS

Country

Romania

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-07-12

Last seen in Guardicore Centra

2017-07-12

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List

Successful SSH Login

Log File Tampering detected from /bin/bash on the following logs: /var/log/lastlog and /var/log/wtmp

Log Tampering

/var/tmp/papuc.tar was downloaded

Download File

Process /usr/bin/wget attempted to access suspicious domains: adminer.net and poneytelecom.eu

Access Suspicious Domain Outgoing Connection DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 212.129.53.225:80

Outgoing Connection

The file /var/tmp/.x was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/autorun was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/run was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/update was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/m.lev was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/inst was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/r was downloaded and granted execution privileges

Download and Allow Execution

/var/tmp/papuc.tar was identified as malicious by YARA according to rules: Maldoc Somerules, Malw Warp, Antidebug Antivm and Rat Bolonyokte

Malicious File

The file /var/tmp/.x/cron.d was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/vhosts was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/start was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/m.help was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/mech.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/bash was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.x/LinkEvents was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/bin/wget attempted to access domains: ipscat.hi2.ro

DNS Query

/var/tmp/game2.jpg was downloaded

Download File

Process /usr/bin/wget generated outgoing network traffic to: 89.42.39.67:80

Outgoing Connection

The file /var/tmp/.zlib was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/hide was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/do was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/start2 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/top was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/start was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/screen was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/s was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/end was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/pico was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/kill was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/send was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/pscan2 was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/b was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/in was downloaded and granted execution privileges

Download and Allow Execution

The file /var/tmp/.zlib/fever was downloaded and executed

Download and Execute

The file /var/tmp/.zlib/b2 was downloaded and granted execution privileges

Download and Allow Execution

Associated Files

/var/tmp/papuc.tar

SHA256: 0905b3a5257550d87323fa5b9ef5e81e1de94a0982bd0b894187472f68e1ac70

1013760 bytes

/var/tmp/game2.jpg

SHA256: ac241b8fa4592f6695b272066d9d88cbf08411b8ebc1f688c69ef82eb40e9a0d

1040100 bytes
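The Attack Flow, Connect Back Servers and Associated Files sections above give enough indicators to sweep other hosts for the same intrusion: the two archive hashes, the hidden /var/tmp/.x and /var/tmp/.zlib drop directories full of executables, the truncated wtmp/lastlog, and the attacker / download-server addresses. The script below is an added example, not Guardicore's code or anything recovered from the attacker; the indicator values are copied from this page, while the fake file tree, the log lines and the zero-length heuristic for log tampering are constructed here for demonstration.

```python
"""IOC sweep for the SSH intrusion described on this page (added example, not Guardicore code)."""
import hashlib
import re
import stat
import tempfile
from pathlib import Path

# Indicators copied from the page
ATTACKER_IP = "188.25.149.250"
C2_IPS = {"212.129.53.225", "89.42.39.67"}
C2_DOMAINS = {"adminer.net", "poneytelecom.eu", "ipscat.hi2.ro"}
FILE_HASHES = {  # "Associated Files"
    "var/tmp/papuc.tar": "0905b3a5257550d87323fa5b9ef5e81e1de94a0982bd0b894187472f68e1ac70",
    "var/tmp/game2.jpg": "ac241b8fa4592f6695b272066d9d88cbf08411b8ebc1f688c69ef82eb40e9a0d",
}
DROP_DIRS = ["var/tmp/.x", "var/tmp/.zlib"]        # where the two archives were unpacked
TAMPERED_LOGS = ["var/log/lastlog", "var/log/wtmp"]  # logs the cleaner touched

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep_host(root="/"):
    """Check the page's file indicators under `root` (live system, mounted image or test tree).

    Returns (kind, path, detail) tuples. The zero-length check is an assumption of this
    example: truncating wtmp/lastlog is the usual behaviour of simple shell log cleaners.
    """
    root = Path(root)
    findings = []
    for rel, known in FILE_HASHES.items():
        p = root / rel
        if p.is_file():
            digest = sha256_of(p)
            detail = "hash matches page" if digest == known else f"present, hash differs ({digest[:12]}...)"
            findings.append(("known_file", str(p), detail))
    for rel in DROP_DIRS:
        p = root / rel
        if p.is_dir():
            execs = sorted(c.name for c in p.iterdir() if c.is_file() and c.stat().st_mode & stat.S_IXUSR)
            findings.append(("drop_dir", str(p), f"{len(execs)} executable files: {', '.join(execs)}"))
    for rel in TAMPERED_LOGS:
        p = root / rel
        if p.is_file() and p.stat().st_size == 0:
            findings.append(("log_truncated", str(p), "zero-length; consistent with a log cleaner"))
    return findings


def scan_log_lines(lines):
    """Return (line_no, indicator, line) for lines naming the attacker IP, a C2 IP or a C2 domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        ips = set(IPV4.findall(line)) & (C2_IPS | {ATTACKER_IP})
        hosts = {h.lower() for h in HOST.findall(line)} & C2_DOMAINS
        for ioc in sorted(ips | hosts):
            hits.append((n, ioc, line.strip()))
    return hits


# Constructed log lines in dnsmasq / netfilter / sshd style; not from the incident.
SAMPLE_LOG = [
    "Jul 12 03:14:02 host dnsmasq[811]: query[A] adminer.net from 10.0.0.5",
    "Jul 12 03:14:03 host kernel: OUT=eth0 DST=212.129.53.225 DPT=80 PROTO=TCP",
    "Jul 12 03:15:40 host dnsmasq[811]: query[A] ipscat.hi2.ro from 10.0.0.5",
    "Jul 12 03:15:41 host kernel: OUT=eth0 DST=89.42.39.67 DPT=80 PROTO=TCP",
    "Jul 12 03:16:00 host sshd[900]: Accepted password for root from 188.25.149.250 port 51022 ssh2",
    "Jul 12 03:16:05 host dnsmasq[811]: query[A] mirror.example.org from 10.0.0.5",
]


def build_demo_tree(base):
    """Create a fake tree mirroring the page's drop paths (harmless stand-ins, not the real files)."""
    base = Path(base)
    tar = base / "var/tmp/papuc.tar"
    tar.parent.mkdir(parents=True)
    tar.write_bytes(b"stand-in, not the real archive")
    for d, names in {".x": ["autorun", "run", "update", "inst"], ".zlib": ["pscan2", "fever", "hide"]}.items():
        dd = base / "var/tmp" / d
        dd.mkdir()
        for name in names:
            f = dd / name
            f.write_text("#!/bin/sh\n")
            f.chmod(0o755)
    (base / "var/log").mkdir(parents=True)
    (base / "var/log/wtmp").write_bytes(b"")  # truncated, as a cleaner would leave it
    return base


def run_demo():
    """Run both sweeps against the constructed fixtures; returns (findings, hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = sweep_host(build_demo_tree(tmp))
    return findings, scan_log_lines(SAMPLE_LOG)


if __name__ == "__main__":
    for record in run_demo()[0]:
        print("HOST", *record)
    for record in run_demo()[1]:
        print("LOG ", *record)
```

On a real host run `sweep_host("/")` (or point it at a mounted image) and feed `scan_log_lines` the dnsmasq, netfilter and auth logs; a "present, hash differs" result on papuc.tar or game2.jpg still deserves attention, since the operator can re-pack the archives at any time while the paths and the hidden directories tend to stay the same.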
