IP Address: 20.205.117.130 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Successful SSH Login, Port 8080 Scan, 5 Shell Commands, Listening, SSH, SCP, Access Suspicious Domain, Outgoing Connection, Superuser Operation, Port 80 Scan, Download File, Port 1234 Scan
Associated Attack Servers:
IP Address: 20.205.117.130
Domain: -
ISP: -
Country: United States
WHOIS:
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-07-14
Last seen in Akamai Guardicore Segmentation: 2022-07-18
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /bin/nc.openbsd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /dev/shm/ifconfig scanned port 1234 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 80 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 8080 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 1234 on 21 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /bin/bash scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /bin/nc.openbsd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 104.21.25.86:443, 104.52.231.84:80, 118.218.209.149:1234, 120.236.79.182:1234, 123.132.238.210:1234, 124.115.231.214:1234, 124.223.14.100:1234, 129.158.152.75:80, 129.158.152.75:8080, 129.65.130.143:80, 129.65.130.143:8080, 134.29.87.5:80, 134.29.87.5:8080, 142.250.190.4:443, 147.182.233.56:1234, 147.182.233.56:2222, 149.233.214.31:80, 149.233.214.31:8080, 159.112.70.178:80, 159.112.70.178:8080, 16.48.100.2:80, 16.48.100.2:8080, 16.73.38.77:80, 161.107.113.34:1234, 161.13.161.238:80, 161.13.161.238:8080, 161.35.79.199:1234, 168.34.56.131:80, 176.22.247.27:80, 176.22.247.27:8080, 183.218.58.128:80, 190.138.240.233:1234, 191.242.182.210:1234, 192.204.85.237:80, 192.204.85.237:8080, 2.232.228.135:80, 2.232.228.135:8080, 210.99.20.194:1234, 212.57.36.20:1234, 213.5.251.52:80, 213.5.251.52:8080, 216.20.4.135:80, 216.20.4.135:8080, 218.146.15.97:1234, 220.115.94.149:80, 220.115.94.149:8080, 222.100.124.62:1234, 222.121.63.87:1234, 222.165.136.99:1234, 241.11.7.124:80, 28.170.168.221:80, 28.170.168.221:8080, 31.19.237.170:1234, 36.123.188.176:80, 36.123.188.176:8080, 37.178.152.250:80, 37.178.152.250:8080, 39.175.68.100:1234, 41.175.251.217:80, 47.240.246.25:80, 47.240.246.25:8080, 49.233.159.222:1234, 51.48.94.158:80, 51.75.146.174:443, 52.57.47.71:80, 57.110.245.2:80, 61.77.105.219:1234, 61.84.162.66:1234, 69.183.180.180:80, 69.183.180.180:8080, 8.195.113.68:80, 8.195.113.68:8080, 8.8.4.4:443, 8.8.8.8:443, 81.2.111.104:80, 81.2.111.104:8080, 82.149.112.170:1234, 82.149.112.170:22, 85.105.82.39:1234, 87.18.181.177:80, 89.212.123.191:1234, 92.60.116.9:80, 92.60.116.9:8080 and 95.211.32.139:80 |
Outgoing Connection |
Process /dev/shm/ifconfig started listening on ports: 1234, 8083 and 8186 |
Listening |
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 80 on 21 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 8080 on 21 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig attempted to access suspicious domains: wellcom.at |
Access Suspicious Domain Outgoing Connection |
Connection was closed due to timeout |