IP Address: 192.164.1.73 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role | Attacker, Scanner |
Services Targeted | SCP |
Tags | Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution |
Associated Attack Servers | frontiernetworks.ca, qwest.net, tele2.lt, telia.com, 8.98.128.165, 24.146.117.206, 45.11.19.163, 47.93.228.251, 58.221.116.178, 68.100.115.179, 83.181.162.74, 85.34.202.21, 90.33.148.241, 90.239.122.217, 101.42.90.177, 133.160.137.43, 144.236.159.111, 153.116.127.118, 174.27.85.201, 180.166.165.212, 187.245.229.93, 206.54.67.55, 212.183.143.75, 221.156.243.64, 222.165.136.99 |
IP Address | 192.164.1.73 |
Domain | - |
ISP | Telekom Austria |
Country | Austria |
WHOIS Created Date | - |
WHOIS Updated Date | - |
Organization | - |
First seen in Akamai Guardicore Segmentation | 2022-04-11 |
Last seen in Akamai Guardicore Segmentation | 2022-04-20 |
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /var/tmp/ifconfig was downloaded and executed 6 times |
Download and Execute |
The file /var/tmp/apache2 was downloaded and executed 192 times |
Download and Execute |
Process /var/tmp/ifconfig scanned port 22 on 10 IP Addresses |
Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 22 on 32 IP Addresses 2 times |
Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 80 on 10 IP Addresses |
Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 8080 on 10 IP Addresses |
Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig generated outgoing network traffic to: 101.64.84.238:2222, 103.105.12.48:1234, 104.21.25.86:443, 106.52.252.228:1234, 106.55.188.60:1234, 109.71.180.208:80, 109.71.180.208:8080, 116.225.43.137:1234, 119.163.222.60:2222, 12.218.106.246:80, 12.218.106.246:8080, 121.132.204.175:80, 121.132.204.175:8080, 128.5.220.8:2222, 133.158.237.233:80, 133.158.237.233:8080, 133.18.200.30:1234, 135.153.203.110:2222, 138.20.157.138:22, 144.199.168.192:22, 16.116.67.129:80, 16.116.67.129:8080, 162.28.13.225:80, 162.28.13.225:8080, 166.37.231.208:80, 166.37.231.208:8080, 167.162.106.131:2222, 169.75.111.48:80, 169.75.111.48:8080, 17.37.159.1:80, 17.37.159.1:8080, 172.67.133.228:443, 174.214.89.175:22, 176.117.213.86:80, 176.117.213.86:8080, 178.148.199.133:80, 178.148.199.133:8080, 178.98.64.223:80, 178.98.64.223:8080, 183.22.217.121:80, 183.22.217.121:8080, 187.67.132.45:22, 189.234.150.133:2222, 191.147.167.96:80, 191.147.167.96:8080, 208.228.72.211:80, 208.228.72.211:8080, 219.118.29.223:22, 241.101.129.167:80, 241.101.129.167:8080, 245.20.102.177:22, 251.216.183.112:80, 251.216.183.112:8080, 251.221.158.114:22, 252.23.68.87:80, 252.23.68.87:8080, 34.93.104.175:80, 34.93.104.175:8080, 37.14.114.139:22, 4.24.11.13:80, 4.24.11.13:8080, 4.35.17.231:80, 4.35.17.231:8080, 42.193.193.33:1234, 51.7.115.205:80, 51.7.115.205:8080, 51.75.146.174:443, 57.121.163.133:80, 57.121.163.133:8080, 62.244.213.47:80, 62.244.213.47:8080, 63.15.59.4:80, 63.15.59.4:8080, 64.185.12.83:80, 64.185.12.83:8080, 64.253.100.2:80, 64.253.100.2:8080, 68.66.101.128:22, 70.48.117.29:80, 70.48.117.29:8080, 82.54.230.82:80, 82.54.230.82:8080, 89.149.192.97:80, 89.149.192.97:8080, 90.144.178.66:80, 90.144.178.66:8080, 92.91.153.181:1234, 95.84.199.65:80 and 95.84.199.65:8080 |
Outgoing Connection |
Process /var/tmp/ifconfig started listening on ports: 1234, 8084 and 8180 |
Listening |
Process /var/tmp/ifconfig scanned port 80 on 32 IP Addresses 2 times |
Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 8080 on 32 IP Addresses 2 times |
Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig attempted to access suspicious domains: attdns.com, kagoya.net, prod-infinitum.com.mx and sfr.net |
Access Suspicious Domain, Outgoing Connection
The file /var/tmp/php-fpm was downloaded and executed 21 times |
Download and Execute |
The file /var/tmp/php-fpm was downloaded and executed 7 times |
Download and Execute |
The file /var/tmp/php-fpm was downloaded and executed 2 times |
Download and Execute |
Connection was closed due to timeout |
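The timeline above has three host-observable signatures a defender can alert on without any vendor product: binaries executed from /var/tmp under the names of real system tools (ifconfig, apache2, php-fpm), a single process fanning out to many destinations on one port (22, 80, 8080), and outgoing connections to addresses in 240.0.0.0/4 (241.x, 245.x, 251.x, 252.x in the list above), which is IANA-reserved space that no legitimate host occupies and so indicates randomly generated scan targets. The checks below are an added example written for this page, not Akamai Guardicore code and not the sensor's own detection logic. The event dictionaries are constructed here from the record above (the exec paths and a subset of the destinations), and the extra basenames in SYSTEM_BINARY_NAMES are an assumption you would tune for your own fleet.

```python
"""Detection checks for the chain in this record: payloads dropped in /var/tmp
under system-binary names, then mass scanning of 22/80/8080 from the dropped
binary, with some targets in unroutable reserved space."""
import ipaddress
import posixpath
from collections import defaultdict

# Directories any local user can write to. The real ifconfig/apache2/php-fpm
# live under /sbin, /usr/sbin and the like, so a copy running from here is a
# masquerade regardless of what it is named.
WORLD_WRITABLE_DIRS = {"/tmp", "/var/tmp", "/dev/shm"}

# Basenames abused in this record plus a few commonly borrowed ones
# (assumption: extend with whatever your own hosts run).
SYSTEM_BINARY_NAMES = {"ifconfig", "apache2", "php-fpm", "httpd", "sshd", "crond"}

# IANA-reserved block; nothing legitimate is routed there.
RESERVED_240_4 = ipaddress.ip_network("240.0.0.0/4")


def masqueraded_execs(events):
    """Paths executed from a world-writable directory under a system-binary name."""
    hits = set()
    for ev in events:
        if ev["type"] != "exec":
            continue
        directory, name = posixpath.split(ev["path"])
        if name in SYSTEM_BINARY_NAMES and directory in WORLD_WRITABLE_DIRS:
            hits.add(ev["path"])
    return sorted(hits)


def scanning_processes(events, min_targets=10):
    """(process, dst port) -> distinct destination count, for pairs that reached
    at least min_targets hosts. One process on one port across many hosts is the
    scan pattern the sensor logged (10 and 32 addresses per burst)."""
    targets = defaultdict(set)
    for ev in events:
        if ev["type"] == "connect":
            targets[(ev["process"], ev["port"])].add(ev["dst"])
    return {k: len(v) for k, v in targets.items() if len(v) >= min_targets}


def reserved_space_targets(events):
    """Destinations inside 240.0.0.0/4: evidence the target list is random."""
    return sorted(
        ev["dst"] for ev in events
        if ev["type"] == "connect" and ipaddress.ip_address(ev["dst"]) in RESERVED_240_4
    )


def _connects(process, port, dsts):
    return [{"type": "connect", "process": process, "port": port, "dst": d} for d in dsts]


# Constructed sample events modelled on the record above (not real sensor output).
SAMPLE_EVENTS = [
    {"type": "exec", "path": "/var/tmp/ifconfig"},
    {"type": "exec", "path": "/sbin/ifconfig"},        # the genuine binary: not flagged
    {"type": "exec", "path": "/var/tmp/apache2"},
    {"type": "exec", "path": "/usr/sbin/apache2"},
    {"type": "exec", "path": "/var/tmp/php-fpm"},
    {"type": "exec", "path": "/var/tmp/README"},       # odd location, but no system name
] + _connects("/var/tmp/ifconfig", 80, [
    "109.71.180.208", "12.218.106.246", "121.132.204.175", "133.158.237.233",
    "16.116.67.129", "162.28.13.225", "166.37.231.208", "169.75.111.48",
    "17.37.159.1", "176.117.213.86", "178.148.199.133", "241.101.129.167",
]) + _connects("/var/tmp/ifconfig", 22, [
    "138.20.157.138", "144.199.168.192", "174.214.89.175", "245.20.102.177", "37.14.114.139",
]) + _connects("/usr/sbin/apache2", 443, ["104.21.25.86"])


if __name__ == "__main__":
    print("masqueraded execs:", masqueraded_execs(SAMPLE_EVENTS))
    print("scanning processes:", scanning_processes(SAMPLE_EVENTS))
    print("reserved-space targets:", reserved_space_targets(SAMPLE_EVENTS))
```

The exec check keys on directory plus basename rather than on a hash, because the dropped files in this record were re-downloaded hundreds of times and may differ between fetches; the location rule catches all of them. The scan threshold defaults to 10 because that is the smallest burst the sensor reported, and the port-22 fan-out in the sample stays below it on purpose to show the threshold working.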
|