IP Address: 192.144.239.96 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role | Attacker, Connect-Back, Scanner
Services Targeted | SSH
Tags | Port 22 Scan, Access Suspicious Domain, SSH, Download and Allow Execution, Successful SSH Login, Listening, Port 2222 Scan, 27 Shell Commands, Download and Execute, Outgoing Connection
Associated Attack Servers | ccc.net.il gvt.net.br orange-business.com tds.net 3.112.27.236 41.228.22.107 45.143.136.213 47.91.87.67 50.247.94.90 73.254.114.94 90.249.182.105 94.206.102.130 100.0.197.18 109.226.24.194 121.156.203.3 122.51.48.52 140.127.211.177 157.175.46.235 166.168.111.151 166.255.227.179 177.135.103.54 195.123.223.73 216.165.165.46
IP Address | 192.144.239.96
Domain | -
ISP | Tencent cloud computing
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2020-06-05
Last seen in Akamai Guardicore Segmentation | 2020-09-30
A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password |
Successful SSH Login |
The file /root/ifconfig was downloaded and executed 13 times |
Download and Execute |
Process /root/ifconfig scanned port 22 on 41 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /root/ifconfig scanned port 22 on 43 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /root/ifconfig scanned port 2222 on 41 IP Addresses |
Port 22 Scan, Port 2222 Scan |
The file /root/nginx was downloaded and executed 90 times |
Download and Execute |
Process /root/ifconfig started listening on ports: 1234 |
Listening |
Process /root/ifconfig generated outgoing network traffic to: 100.0.197.18:1234, 101.88.248.16:2222, 109.232.10.253:2222, 110.147.44.50:2222, 110.3.151.17:22, 110.3.151.17:2222, 111.67.39.32:22, 111.67.39.32:2222, 111.85.10.175:2222, 121.156.203.3:1234, 129.176.152.218:2222, 130.130.112.109:22, 139.134.2.110:2222, 141.55.85.174:2222, 157.99.58.154:2222, 161.194.85.172:22, 161.194.85.172:2222, 161.228.156.75:22, 161.228.156.75:2222, 164.175.35.3:22, 164.175.35.3:2222, 168.199.184.73:2222, 171.171.164.251:2222, 171.206.238.35:22, 171.206.238.35:2222, 172.171.199.2:22, 172.171.199.2:2222, 173.239.24.197:22, 174.73.115.187:22, 174.73.115.187:2222, 18.49.28.233:22, 181.240.76.244:22, 181.240.76.244:2222, 185.17.198.16:2222, 185.237.136.167:22, 192.144.239.96:1234, 194.117.90.202:2222, 197.59.34.57:22, 197.59.34.57:2222, 2.151.175.117:22, 2.151.175.117:2222, 2.217.95.13:22, 2.217.95.13:2222, 2.53.92.127:22, 2.53.92.127:2222, 200.234.78.72:2222, 206.194.176.110:22, 208.187.91.178:2222, 214.189.40.175:22, 214.189.40.175:2222, 215.138.206.43:2222, 217.46.36.209:22, 218.93.239.44:1234, 220.179.231.188:1234, 220.210.7.23:22, 220.210.7.23:2222, 221.133.171.178:2222, 222.87.201.98:22, 222.87.201.98:2222, 24.120.145.122:22, 24.120.145.122:2222, 242.116.168.72:22, 242.19.22.220:22, 242.19.22.220:2222, 243.172.61.114:22, 243.172.61.114:2222, 249.19.114.250:22, 249.19.114.250:2222, 25.46.175.30:22, 250.4.167.158:22, 250.4.167.158:2222, 252.74.75.185:22, 27.200.227.47:22, 27.200.227.47:2222, 3.112.27.236:1234, 30.222.150.252:22, 30.222.150.252:2222, 33.74.132.36:22, 33.74.132.36:2222, 50.250.21.164:1234, 62.231.215.109:22, 66.87.149.253:22, 66.87.149.253:2222, 78.205.126.144:22, 82.195.127.32:22, 82.195.127.32:2222, 88.191.99.64:22, 89.154.88.98:22, 89.154.88.98:2222 and 89.34.231.225:22 |
Outgoing Connection |
Process /root/ifconfig scanned port 2222 on 43 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /root/ifconfig attempted to access suspicious domains: comcastbusiness.net |
Access Suspicious Domain, Outgoing Connection |
The file /usr/bin/free was downloaded and executed |
Download and Execute |
The file /root/php-fpm was downloaded and executed 7 times |
Download and Execute |
The file /root/php-fpm was downloaded and executed 9 times |
Download and Execute |
The file /root/nginx was downloaded and executed 48 times |
Download and Execute |
The file /usr/bin/uptime was downloaded and executed |
Download and Execute |
The file /root/php-fpm was downloaded and executed 13 times |
Download and Execute |
Connection was closed due to timeout |