IP Address: 2.207.74.249 (Previously Malicious)



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

DNS Query, Shell Commands (5), Download File, Download Operation, SSH, Bulk Files Tampering, SFTP, Access Suspicious Domain, HTTP, Successful SSH Login, Outgoing Connection

Associated Attack Servers

ookla.net.unc.edu edinburg.speedtest.shentel.net rockymount.speedtest.centurylink.net themasterr.000webhostap.com themasterr.000webhostapp.com stosat-rstn-01.sys.comcast.net arhivecodex.tk rdu.speedtest.sbcglobal.net duke.edu speed.celito.net sbcglobal.net unc.edu celito.net shentel.net themasterr.000.webhostapp.com s1.speedtest.wdc1.us.leaseweb.net themasterr000.webhostapp.com rdu.ookla.gfsvc.com bigdaddy.wave2net.com www.speedtest.net speedtest.oit.duke.edu centurylink.net themaster000.webhostapp.com cybernetik.000webhostapp.com qwest.net stosat-malt-01.sys.comcast.net comcast.net

99.24.18.89 69.241.0.94 185.199.108.153 145.14.145.91 204.111.5.18 204.111.21.7 151.101.2.219 205.171.135.26 145.14.145.9 136.42.34.75 145.14.144.200 136.42.34.74 145.14.144.75 152.3.103.197 152.19.255.126 145.14.144.2 141.8.224.93 74.113.230.246 207.244.94.68 69.241.87.90

Basic Information

IP Address

2.207.74.249

Domain

-

ISP

Vodafone DSL

Country

Germany

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-05-04

Last seen in Guardicore Centra

2018-06-24

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / ******** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/wget attempted to access suspicious domains: themasterr.000webhostap.com

Access Suspicious Domain, Outgoing Connection, DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 141.8.224.93:80

Outgoing Connection

/var/tmp/haiduc.zip was downloaded

Download File

A user logged in using SSH with the following credentials: root / ******** - Authentication policy: Correct Password

Successful SSH Login

/var/tmp/haiduc/a was downloaded

Download File

/var/tmp/haiduc/all was downloaded

Download File

/var/tmp/haiduc/classes/21vianet was downloaded

Download File

/var/tmp/haiduc/classes/Akamai was downloaded

Download File

/var/tmp/haiduc/classes/Alibaba was downloaded

Download File

/var/tmp/haiduc/classes/Amazon was downloaded

Download File

/var/tmp/haiduc/classes/Apple was downloaded

Download File

/var/tmp/haiduc/classes/Choopa was downloaded

Download File

/var/tmp/haiduc/classes/cloudflare_inc was downloaded

Download File

/var/tmp/haiduc/classes/Cogeco was downloaded

Download File

/var/tmp/haiduc/classes/Digital was downloaded

Download File

/var/tmp/haiduc/classes/facebook was downloaded

Download File

/var/tmp/haiduc/classes/GoDaddy was downloaded

Download File

/var/tmp/haiduc/classes/Google was downloaded

Download File

/var/tmp/haiduc/classes/Hetzner was downloaded

Download File

/var/tmp/haiduc/classes/internap-com was downloaded

Download File

/var/tmp/haiduc/classes/Linode was downloaded

Download File

/var/tmp/haiduc/classes/liquid_web was downloaded

Download File

/var/tmp/haiduc/classes/Microsoft was downloaded

Download File

/var/tmp/haiduc/classes/Online-SAS was downloaded

Download File

/var/tmp/haiduc/classes/OVH was downloaded

Download File

/var/tmp/haiduc/classes/pair_networks was downloaded

Download File

/var/tmp/haiduc/classes/RockSpace was downloaded

Download File

/var/tmp/haiduc/classes/Softlayer was downloaded

Download File

/var/tmp/haiduc/classes/Ubiquity was downloaded

Download File

/var/tmp/haiduc/classes/Verizon was downloaded

Download File

/var/tmp/haiduc/classes/websitewelcome-com was downloaded

Download File

/var/tmp/haiduc/classes/Yahoo_inc was downloaded

Download File

/var/tmp/haiduc/co was downloaded

Download File

/var/tmp/haiduc/hu was downloaded

Download File

/var/tmp/haiduc/pass was downloaded

Download File

/var/tmp/haiduc/range was downloaded

Download File

/var/tmp/haiduc/scan.log was downloaded

Download File

/var/tmp/haiduc/x was downloaded

Download File

Connection was closed due to timeout

Process /usr/lib/openssh/sftp-server performed bulk changes in {/var/tmp} on 38 files

Bulk Files Tampering

Associated Files

/var/tmp/x/co

SHA256: e9b8d8842ee7241dc056f8fedacfd511e5375b829c09cd9ab65345fcb9bd9cd6

749 bytes

/var/tmp/x/haiduc.filepart

SHA256: 6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4

1040592 bytes

/var/tmp/x/x

SHA256: 863fea751e0d533ee1900288b266676e06335995623750ed0e710a8790628420

68 bytes

/var/tmp/. /info

SHA256: dd14cae04ae1515b794dbfce857b1e7173ac8c89e766d02b9abf86dd7fd56f21

5216 bytes

/var/tmp/zone/speedtestvps.py

SHA256: 02cd63a2e9d2cd538ca5230380ad3668b967955f193ec1090b275baa55315680

25312 bytes

/var/tmp/.sal/cyberinfo

SHA256: b600e5f6a9071463e8c698a13860d23c04e8716279dd06fc29ce58459d618709

2117 bytes

/var/tmp/speed.py

SHA256: f98f21bc8d49fe2f9ad56cf0ea038ef47d68b74cf338d45c162caa3c50d497d6

49503 bytes

/var/tmp/haiduc/haiduc/a

SHA256: 7061fcbb8681f85232942a19eb870c29646cd7e14811e31b0f73a328d261d761

699 bytes

/var/tmp/haiduc.zip

SHA256: 76d71b749b8d3a4cf250ceb9b743c147bb7c3f93d7854821787059bb6904de91

1028752 bytes
