IP Address: 193.112.103.112 (Previously Malicious)



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

Successful SSH Login, Superuser Operation, Package Manager Configuration, User Created, Users and Groups, SSH Brute Force, Service Configuration, Bulk Files Tampering, Package Install, Malicious File, Service Start, Scheduled Task Creation, SSH, 15 Shell Commands, Outgoing Connection, Download and Allow Execution, Download and Execute, Read Password Secrets, DNS Query, Service Stop

Connect Back Servers

Domains: _http._tcp.archive.ubuntu.com, archive.ubuntu.com, _http._tcp.security.ubuntu.com, security.ubuntu.com, canonical.com

IPs: 91.189.91.23, 91.189.88.161, 91.189.88.152, 91.189.88.149, 91.189.91.26

Basic Information

IP Address

193.112.103.112

Domain

-

ISP

Tencent cloud computing

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-09-09

Last seen in Guardicore Centra

2018-10-07

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Reading note: after the root login, nearly every event below is consistent with the attacker running apt to install or upgrade packages on the host, and the "connect back servers" listed above are Ubuntu's package archive and security mirrors. Paths ending in .dpkg-new are the names dpkg gives files while unpacking a package, before renaming them into place; the _apt account is the unprivileged system user that apt's own package scripts create for its fetch methods; apt-daily.timer and apt-daily-upgrade.timer are the stock Ubuntu apt timers. The "Malicious File" entries are YARA matches from generic rule sets against stock apt binaries and package list files, so treat them as low-confidence until the hashes under Associated Files have been compared with the files shipped in the apt package for the host's Ubuntu release (xenial, going by the list paths).

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List (Part of a Brute Force Attempt)

SSH Brute Force, Successful SSH Login
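The SSH step is the one worth alerting on: a run of failed root password attempts from one source followed by an accepted root password login from the same source. The following is an added example written for this page, not code from the Guardicore report or from Centra. It runs that detection over constructed sshd auth.log lines; only the attacker address is taken from the report, and every host name, pid, timestamp and other address is made up. The ten-minute window and the threshold of three failures are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd log lines for the demo (syslog format of /var/log/auth.log).
# Only the attacker address is taken from the report; everything else is made up.
SAMPLE_AUTH_LOG = """\
Sep  9 03:14:01 host sshd[2231]: Failed password for root from 193.112.103.112 port 51234 ssh2
Sep  9 03:14:03 host sshd[2231]: Failed password for root from 193.112.103.112 port 51234 ssh2
Sep  9 03:14:05 host sshd[2233]: Failed password for invalid user admin from 193.112.103.112 port 51240 ssh2
Sep  9 03:14:07 host sshd[2235]: Failed password for root from 193.112.103.112 port 51244 ssh2
Sep  9 03:14:09 host sshd[2237]: Failed password for root from 193.112.103.112 port 51250 ssh2
Sep  9 03:14:11 host sshd[2239]: Accepted password for root from 193.112.103.112 port 51256 ssh2
Sep  9 03:20:00 host sshd[2300]: Accepted publickey for deploy from 10.0.0.5 port 40000 ssh2
Sep  9 03:21:00 host sshd[2310]: Failed password for root from 10.0.0.9 port 40010 ssh2
Sep  9 03:21:30 host sshd[2311]: Accepted password for root from 10.0.0.9 port 40011 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an sshd authentication result line, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; deltas within one month are still correct
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_bruteforce_success(log_text, threshold=3, window=timedelta(minutes=10)):
    """Alert when a source that failed >= threshold times inside `window` then logs in."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:               # Accepted right after a burst of failures
            alerts.append({
                "ip": ev["ip"], "user": ev["user"], "method": ev["method"],
                "failures_before_success": len(q),
                "at": ev["ts"].strftime("%b %d %H:%M:%S"),
            })
            q.clear()
    return alerts


def root_password_logins(log_text):
    """Source addresses of every accepted password login as root, burst or not."""
    return [ev["ip"] for ev in map(parse_line, log_text.splitlines())
            if ev and ev["result"] == "Accepted"
            and ev["method"] == "password" and ev["user"] == "root"]


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_AUTH_LOG):
        print("brute force followed by login:", alert)
    print("root password logins from:", root_password_logins(SAMPLE_AUTH_LOG))
```

On a real host, feed it /var/log/auth.log (or the output of journalctl -u ssh). The second function flags any password-authenticated root login on its own, because that is the configuration this brute force relied on; setting PermitRootLogin no and PasswordAuthentication no in sshd_config removes the condition rather than just detecting it.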

A possibly malicious Package Install was detected 7 times

Package Install, Superuser Operation

A possibly malicious Superuser Operation was detected 2 times

Package Install, Superuser Operation

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com 2 times

DNS Query

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.security.ubuntu.com and security.ubuntu.com

DNS Query

Process /usr/lib/apt/methods/http generated outgoing network traffic to: canonical.com:80 3 times

Outgoing Connection

Service apt-daily-upgrade.timer was stopped

Service Stop

The file /usr/lib/apt/methods/file was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/mirror was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/rsh was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/cdrom was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/store was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/http was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/copy was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/ftp was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/gpgv was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/methods/rred was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/apt-helper was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/apt/apt.systemd.daily was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/dpkg/methods/apt/update was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/dpkg/methods/apt/install was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/lib/dpkg/methods/apt/setup was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-cache was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-key was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-mark was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-cdrom was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-config was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/bug/apt/script was downloaded and granted execution privileges

Download and Allow Execution

The file /etc/kernel/postinst.d/apt-auto-removal.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

The file /etc/cron.daily/apt-compat.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/apt-get was downloaded and executed

Download and Execute

/etc/cron.daily/apt-compat.dpkg-new was scheduled to run

User _apt was created with the password *********

User Created

Service apt-daily-upgrade.timer was started

Service Start

Service apt-daily.timer was started

Service Start

Connection was closed due to timeout

/usr/lib/apt/solvers/dump was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_xenial-security_multiverse_i18n_Translation-en was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/usr/lib/apt/methods/http was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-mark was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/gpgv was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-ftparchive was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/x86_64-linux-gnu/libapt-pkg.so.5.0.0 was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Crypto Signatures and 000 Common Rules

Malicious File

/usr/bin/apt-sortpkgs was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/store was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/rsh was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/apt-helper was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/x86_64-linux-gnu/libapt-private.so.0.0.0 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-cache was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_xenial-security_multiverse_binary-amd64_Packages was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/usr/lib/apt/methods/cdrom was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/ftp was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-cdrom was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/solvers/apt was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-config was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-get was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/mirror was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/rred was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/copy was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/lib/apt/methods/file was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

/usr/bin/apt-extracttemplates was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

Process /usr/lib/apt/methods/store performed bulk changes in {/var/lib/apt} on 33 files

Bulk Files Tampering

Process /usr/bin/dpkg performed bulk changes in {/usr/share/locale} on 86 files

Bulk Files Tampering

Process /usr/bin/dpkg performed bulk changes in {/} on 352 files

Bulk Files Tampering

Associated Files

/usr/lib/apt/methods/file.dpkg-new

SHA256: 1e7d53a5deb4b94d16f1c897b0df40d1f599ea25e43026d0a90342b1101b54f8

18552 bytes

/usr/lib/apt/methods/mirror.dpkg-new

SHA256: 5b56b0a12b8dc670cb35ff924a02d4c794198e856ba1863117bbbe670d289779

104640 bytes

/usr/lib/apt/methods/rsh.dpkg-new

SHA256: 85b275e697f37a8036c66c91a5167f3a04165b699c6e837873ee884ddade3a77

30856 bytes

/usr/lib/apt/methods/cdrom.dpkg-new

SHA256: d44476181fc2887e19a7fcf92547ac40afa94c3f660d21f7660096db8588f3db

26744 bytes

/usr/lib/apt/methods/store.dpkg-new

SHA256: 24b51bfe5362b041075b4d48bf3bdc1e690825c1f26759d5907716a33643a824

18552 bytes

/usr/lib/apt/methods/http.dpkg-new

SHA256: 786c8b6bc495970c73e7d97167635d226ffc98784a9f3efcd2f0dcab4f93561a

80000 bytes

/usr/lib/apt/methods/copy.dpkg-new

SHA256: 06a774cf2092243a8c5ef488acf30ea381b82221f65a4c618d66b6391f25c55b

18552 bytes

/usr/lib/apt/methods/ftp.dpkg-new

SHA256: ea8881bf2c9cf452e707a89af212bf6afe68999bf3cc33869e3ec4ad3f5e4d51

59608 bytes

/usr/lib/apt/methods/gpgv.dpkg-new

SHA256: 9f51c85cade0949cc1451ddfc43c6330e8d9e679ae650d76729d3ff049c6a346

51320 bytes

/usr/lib/apt/methods/rred.dpkg-new

SHA256: bccedfd604ea16901250304ab688fddb09f946be6836d6075706c7ad9296bfec

47224 bytes

/usr/lib/apt/apt-helper.dpkg-new

SHA256: a748bedb6862d28a60ca01f6496d7971ec361a3b67055d9e60a66fd58bd2145b

26752 bytes

/usr/bin/apt-cache.dpkg-new

SHA256: 5579a30d7d2d455165834f114a6125092615fa63c8b0f289129f3436e0f550f3

80000 bytes

/usr/bin/apt.dpkg-new

SHA256: 97dd54f3781c2b3180af95ca1da5d74ea95914f688017c0670c02d04194df260

14376 bytes

/usr/bin/apt-get.dpkg-new

SHA256: 648c2118da9652260a60c5b5bd54f64cc21bcbc6a389e738f7220da7ee68ac52

43128 bytes

/usr/bin/apt-mark.dpkg-new

SHA256: c3df31c45de03455d087b8043d69bf4803a84da59695817da36a3581871903db

43136 bytes

/usr/bin/apt-cdrom.dpkg-new

SHA256: bef727ea7b3f7b5c9873f3ea555c8caa0e55d58e5791b6a71e929f34e8a9293a

22656 bytes

/usr/bin/apt-config.dpkg-new

SHA256: eefa0168d4cac1b4855bb3a50a7e878e001efe084df427e89f7358929c3394f3

22576 bytes
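To act on the Associated Files list, an analyst wants to know whether any of these exact files are present on their own hosts, both under the .dpkg-new staging name and under the final name dpkg renames it to. The following added example, written for this page rather than taken from the report, parses an excerpt of the list above (three records copied verbatim) and sweeps a filesystem tree for them, reporting a hash match, a same-size file with a different hash, some other file at that path, or nothing. The demo tree and its contents are constructed, and the hash in the demo's extra record is computed from that constructed content.

```python
import hashlib
import os
import re
import tempfile

# Three records copied verbatim from the report's Associated Files list.
REPORT_FILES = """\
/usr/lib/apt/methods/file.dpkg-new

SHA256: 1e7d53a5deb4b94d16f1c897b0df40d1f599ea25e43026d0a90342b1101b54f8

18552 bytes

/usr/lib/apt/methods/http.dpkg-new

SHA256: 786c8b6bc495970c73e7d97167635d226ffc98784a9f3efcd2f0dcab4f93561a

80000 bytes

/usr/bin/apt-get.dpkg-new

SHA256: 648c2118da9652260a60c5b5bd54f64cc21bcbc6a389e738f7220da7ee68ac52

43128 bytes
"""

SHA_RE = re.compile(r"^SHA256:\s*([0-9a-fA-F]{64})$")
SIZE_RE = re.compile(r"^(\d+) bytes$")
STAGING_SUFFIX = ".dpkg-new"


def parse_associated_files(text):
    """Turn the page's path / SHA256 / size triples into IOC records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("expected path, SHA256, size triples")
    iocs = []
    for path, sha_line, size_line in zip(lines[0::3], lines[1::3], lines[2::3]):
        sha, size = SHA_RE.match(sha_line), SIZE_RE.match(size_line)
        if not (path.startswith("/") and sha and size):
            raise ValueError(f"malformed record starting at {path!r}")
        iocs.append({"path": path, "sha256": sha.group(1).lower(), "size": int(size.group(1))})
    return iocs


def sha256_of(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def candidate_paths(ioc_path):
    """dpkg unpacks to NAME.dpkg-new and then renames it to NAME, so check both names."""
    yield ioc_path
    if ioc_path.endswith(STAGING_SUFFIX):
        yield ioc_path[: -len(STAGING_SUFFIX)]


def sweep(root, iocs):
    """Map each IOC path to hash_match, size_match_hash_differs, present_hash_differs or absent.
    root is '/' on a live host, or the mount point of an evidence image."""
    results = {}
    for ioc in iocs:
        status = "absent"
        for cand in candidate_paths(ioc["path"]):
            local = os.path.join(root, cand.lstrip("/"))
            if not os.path.isfile(local):
                continue
            if sha256_of(local) == ioc["sha256"]:
                status = "hash_match"
                break
            if os.path.getsize(local) == ioc["size"]:
                status = "size_match_hash_differs"
            elif status == "absent":
                status = "present_hash_differs"
        results[ioc["path"]] = status
    return results


def demo():
    """Constructed tree: a same-size decoy under the installed name, plus a file whose hash we control."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    methods = os.path.join(root, "usr/lib/apt/methods")
    os.makedirs(methods)
    with open(os.path.join(methods, "file"), "wb") as f:   # renamed into place, right size, other content
        f.write(b"\0" * 18552)
    data = b"constructed sample content, not the real apt binary"
    with open(os.path.join(methods, "rsh.dpkg-new"), "wb") as f:
        f.write(data)
    extra = parse_associated_files(
        f"/usr/lib/apt/methods/rsh.dpkg-new\nSHA256: {hashlib.sha256(data).hexdigest()}\n{len(data)} bytes\n"
    )
    return sweep(root, parse_associated_files(REPORT_FILES) + extra)


if __name__ == "__main__":
    for path, status in demo().items():
        print(f"{status:24s} {path}")
```

A size match with a different hash is the interesting middle case: it is what a legitimately rebuilt apt binary of the same version looks like, and also what a patched binary looks like, so it is the one to pull for comparison against the package Ubuntu ships.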
