IP Address: 206.189.124.255 - Previously Malicious



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner
Services Targeted: HadoopYARN
Tags: HTTP, Download and Allow Execution, IDS - Web Application Attack, Inbound HTTP Request, Outgoing Connection, Download and Execute, Download File, HadoopYARN, Malicious File
Associated Attack Servers: 52.232.27.116, 52.233.179.93, 167.99.95.137, 13.68.208.174, 52.174.33.6, 13.92.179.136

Basic Information

IP Address: 206.189.124.255
Domain: -
ISP: DigitalOcean, LLC
Country: United Kingdom

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-12-16
Last seen in Guardicore Centra: 2018-12-21

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Events are listed in the order reported; the category Centra assigned to each event follows in brackets.

1. Process /usr/bin/wget generated outgoing network traffic to 167.99.95.137:80, 14 times [Outgoing Connection]
2. The file /tmp/bins.sh was downloaded and granted execution privileges [Download and Allow Execution]
3. The file /tmp/ntpd was downloaded and granted execution privileges [Download and Allow Execution]
4. /tmp/ntpd was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]
5. The file /tmp/sshd was downloaded and granted execution privileges [Download and Allow Execution]
6. /tmp/sshd was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]
7. IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body [IDS - Web Application Attack]
8. The file /tmp/openssh was downloaded and granted execution privileges [Download and Allow Execution]
9. /tmp/openssh was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]
10. Process /tmp/bash generated outgoing network traffic to 167.99.95.137:23 [Outgoing Connection]
11. The file /tmp/bash was downloaded and executed 3 times [Download and Execute]
12. The file /tmp/tftp was downloaded and granted execution privileges [Download and Allow Execution]
13. /tmp/tftp was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]
14. The file /tmp/wget was downloaded and executed 2 times [Download and Execute]
15. The file /tmp/cron was downloaded and granted execution privileges [Download and Allow Execution]
16. /tmp/cron was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]
17. The file /tmp/ftp was downloaded and executed 3 times [Download and Execute]
18. Process /tmp/ftp generated outgoing network traffic to 167.99.95.137:23 [Outgoing Connection]
19. The file /tmp/pftp was downloaded and granted execution privileges [Download and Allow Execution]
20. /tmp/pftp was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]
21. The file /tmp/sh was downloaded and granted execution privileges [Download and Allow Execution]
22. /tmp/sh was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]
23. The file /tmp/[cpu] was downloaded and granted execution privileges [Download and Allow Execution]
24. /tmp/[cpu] was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]
25. The file /tmp/apache2 was downloaded and granted execution privileges [Download and Allow Execution]
26. /tmp/apache2 was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]
27. Connection was closed due to user inactivity
28. /tmp/ftp was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules [Malicious File]
29. /tmp/wget was identified as malicious by YARA according to rules: Maldoc Somerules and 000 Common Rules [Malicious File]
30. /tmp/bash was identified as malicious by YARA according to rules: 000 Common Rules [Malicious File]

Associated Files

Path, SHA256, size in bytes (the same path is listed once per distinct file observed under it):

/tmp/bins.sh    62a5d73dc3492ad4327a2f12387335e33c16784869e20c3b99d10010d0472332    1626 bytes
/tmp/ntpd       3600e5675bf58613ff426b744011573bf277ce99a772179eceb7ad3b91d31528    26287 bytes
/tmp/ntpd       45a5c9a902851c7087bad1b560c6156be3e094d88695a1e2c0d4b2a379cc5df0    108770 bytes
/tmp/sshd       5eebb325e59fb2440329b92a24a9c6562e4ec566eb4934b2827aa086fddd3597    108770 bytes
/tmp/openssh    5b27d6f34250b6bdff4d5fe38f931a4228124dcb7b475a1ba5e3d0e8c2e0df48    76131 bytes
/tmp/bash       48926ba78ad327cf89fad94cd2b1685183f469f49cd4e12fc194791c73c3a0b4    82753 bytes
/tmp/tftp       eaab4182dcc7277280728906f89f9860552d9a0f5d5aec06b60577eb9832e80e    107995 bytes
/tmp/wget       efac670fecbb3a27291366d92c04ec425b49f2df545853a0afd4cc2a1708d26d    72366 bytes
/tmp/cron       fd25686c30e30fda81e593726c0daa392b99a538e7df6e4d31631a5cb5d556fb    81463 bytes
/tmp/ftp        20eca33b0a3a7ab823e58868cc52f10cceb741244c4a99eaf738236b9d75f7c6    72366 bytes
/tmp/pftp       d5d98e796bce9a38058a93d05f91607583b40ca141e069fe36289cb4de77d9b6    88465 bytes
/tmp/sh         0a7f9eb24858cfe2a1c33b35d596f00c6fc2bd55df6b74f83e0875872844448f    92253 bytes
/tmp/[cpu]      4bbfaa423b7479d06ec03aafeb28e520548dbe43d3cb35c1ac68ecb389a2a2b3    95549 bytes
/tmp/apache2    943399c627b6fc7becb7ab9b814bf268cdbf67fab1ab1299ba7b88dc0ccd7e51    88003 bytes
/tmp/ntpd       f6e4eabdb74118f7bba95025c3277df2b5e6454c86e828d132e44ef51ccf9482    11679 bytes
