IP Address: 202.72.202.104 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role | Attacker, Connect-Back, Scanner
Services Targeted | SSH
Tags | Service Creation, Download and Execute, System File Modification, SSH, Successful SSH Login, Service Deletion, Executable File Modification, Access Suspicious Domain, Outgoing Connection
Associated Attack Servers | (list of 34 domains and IP addresses omitted)
IP Address | 202.72.202.104
Domain | -
ISP | PT Multidata Rancana Prima
Country | Indonesia
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2020-05-04
Last seen in Akamai Guardicore Segmentation | 2020-05-11
What is Akamai Guardicore Segmentation? Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ********** (Authentication policy: Reached Max Attempts) | Successful SSH Login
The file /usr/bin/uuhrkn was downloaded and executed 481 times | Download and Execute
Process /usr/bin/uuhrkn generated outgoing network traffic to: 1.1.1.1:53, 103.26.79.72:39673, 106.12.81.215:44065, 107.23.193.11:80, 116.202.55.106:80, 123.194.80.147:43020, 176.58.123.25:80, 206.81.5.154:8000, 208.67.222.222:443, 216.239.32.21:80, 216.239.34.21:80, 23.43.56.179:80, 47.104.78.24:36051, 49.235.4.213:36397, 58.218.204.13:60396 and 66.171.248.178:80 | Outgoing Connection
Process /usr/bin/uuhrkn attempted to access suspicious domains: icanhazip.com, kbronet.com.tw and one.one | Access Suspicious Domain, Outgoing Connection
Executable file /usr/bin/.rvlss was modified 16 times | Executable File Modification
System file /lib/busybox was modified 25 times | System File Modification
System file /etc/cfly was modified 25 times | System File Modification
System file /etc/migrations was modified 25 times | System File Modification
Executable file /usr/bin/.sshd was modified 25 times | Executable File Modification
System file /etc/rc1.d/S99selinux was modified 9 times | System File Modification
System file /etc/rc3.d/S99selinux was modified 9 times | System File Modification
System file /etc/rc5.d/S99selinux was modified 9 times | System File Modification
System file /etc/cron.d/tomcat was modified 49 times | System File Modification
System file /etc/init.d/netdns was modified 9 times | System File Modification
Service S97DbSecuritySpt was created | Service Creation
Service S99selinux was created | Service Creation
Service watchdogs was created | Service Creation
Service pdflushs was created | Service Creation
Service netdns was created | Service Creation
Service DbSecuritySpt was created | Service Creation
Service selinux was created | Service Creation
The file /usr/bin/chattr was downloaded and executed | Download and Execute
Connection was closed due to timeout