Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 206.189.51.152Previously Malicious

IP Address: 206.189.51.152Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

Download and Allow Execution Successful SSH Login 1 Shell Commands Download Operation Kill Process DNS Query Access Suspicious Domain Download File Outgoing Connection Log Tampering HTTP SSH

Associated Attack Servers

104.140.201.42 104.140.244.186

Basic Information

IP Address

206.189.51.152

Domain

-

ISP

DigitalOcean, LLC

Country

Germany

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2020-11-05

Last seen in Akamai Guardicore Segmentation

2020-11-05

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / ******** - Authentication policy: White List

Successful SSH Login

A possibly malicious Kill Process was detected

Download Operation Kill Process

A possibly malicious Download Operation was detected

Download Operation Kill Process

A possibly malicious Kill Process was detected

Download Operation Kill Process

A possibly malicious Download Operation was detected

Download Operation Kill Process

History File Tampering detected from /usr/sbin/sshd

Log Tampering

Process /usr/bin/wget generated outgoing network traffic to: 165.22.191.183:80

Outgoing Connection

/var/tmp/.lizsard was downloaded

Download File

The file /var/tmp/.lizsard was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 165.22.191.183:80

Outgoing Connection

/var/tmp/.ICMP-unix/xmrig was downloaded

Download File

The file /var/tmp/.ICMP-unix/n3wy0rk was downloaded and granted execution privileges

The file /var/tmp/.ICMP-unix/.alive was downloaded and granted execution privileges

Download and Allow Execution

History File Tampering detected from /bin/rm on the following logs: /root/.bash_history

Log Tampering

Process /var/tmp/.ICMP-unix/n3wy0rk attempted to access domains: pool.supportxmr.com

DNS Query

Process /var/tmp/.ICMP-unix/n3wy0rk generated outgoing network traffic to: 104.140.201.42:443

Outgoing Connection

Process /var/tmp/.ICMP-unix/n3wy0rk attempted to access suspicious domains: choppedgreen.com

DNS Query Access Suspicious Domain Outgoing Connection

Connection was closed due to user inactivity