IP Address: 209.216.177.158
Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Connect-Back, Scanner
Services Targeted | SSH, SCP
Tags | SSH, Superuser Operation, SCP, Download File, Successful SSH Login, Download and Execute
Associated Attack Servers | 146.in-addr.arpa, 194.in-addr.arpa, 1blu.de, advance.com.ar, ae2am1.shop, airtel.cd, alter.net, aniar.ie, attdns.com, btcentralplus.com, canl.nc, disa.mil, ecua.net.ec, fju.edu.tw, hiltonwaikoloavillage.net, iforte.net.id, in2net.com, knet-kl.de, kokikai.jp, Majordomo.ru, mycingular.net, ovo.sc, prima.net.ar, prserv.net, qwest.net, shatel.ir, sileman.net.pl, tele2.lt, telenet.be, telia.com, 211.46.185.42, 197.147.113.2, 123.187.31.65, 27.74.198.230, 6.104.52.121, 74.150.183.135, 193.123.106.215, 223.171.91.136, 161.70.98.32, 166.176.73.32, 52.131.32.110, 42.193.137.44, 183.213.26.13, 124.222.13.124, 31.201.95.9, 116.127.163.27, 210.99.20.194, 201.44.192.97, 222.143.119.73, 36.42.243.126, 180.133.174.238, 220.243.148.80, 209.14.69.77, 124.222.163.73, 177.15.201.29, 134.119.192.60, 128.142.198.177, 120.236.68.238, 113.156.137.210, 197.203.188.46
IP Address | 209.216.177.158
Domain | -
ISP | Gorge Networks
Country | United States
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-19
Last seen in Akamai Guardicore Segmentation | 2022-10-31
Event | Category
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 4 times | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 12 times | Successful SSH Login
A possibly malicious Superuser Operation was detected 44 times | Superuser Operation
System file /etc/ifconfig was modified 49 times | System File Modification
The file /root/ifconfig was downloaded and executed 5 times | Download and Execute
The file /root/apache2 was downloaded and executed 132 times | Download and Execute
Process /root/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 103.105.12.48:1234, 142.250.191.164:443, 172.64.201.11:443, 190.60.239.44:1234, 190.60.239.44:22, 51.159.19.47:1234, 51.75.146.174:443 and 8.8.8.8:443 | Outgoing Connection
Process /root/ifconfig scanned port 1234 on 34 IP Addresses | Port 1234 Scan
Process /dev/shm/apache2 scanned port 1234 on 34 IP Addresses | Port 1234 Scan
Process /etc/apache2 scanned port 1234 on 34 IP Addresses | Port 1234 Scan
Process /tmp/ifconfig scanned port 1234 on 34 IP Addresses | Port 1234 Scan
Process /root/apache2 scanned port 1234 on 34 IP Addresses | Port 1234 Scan
Process /root/ifconfig scanned port 1234 on 34 IP Addresses | Port 1234 Scan
Process /root/ifconfig started listening on ports: 1234, 8080 and 8186 | Listening
/dev/shm/ifconfig was downloaded | Download File
Process /root/ifconfig attempted to access suspicious domains: melexa.com | Access Suspicious Domain, Outgoing Connection
Process /dev/shm/apache2 generated outgoing network traffic to: 1.1.1.1:443, 1.220.98.197:1234, 103.90.177.102:1234, 117.54.14.169:1234, 117.80.212.33:1234, 120.31.133.162:1234, 142.250.191.164:443, 172.64.200.11:443, 185.210.144.122:1234, 191.242.188.103:1234, 210.99.20.194:1234, 222.165.136.99:1234, 51.75.146.174:443, 61.77.105.219:1234, 62.12.106.5:1234, 8.8.8.8:443, 82.149.112.170:1234, 82.66.5.84:1234 and 85.105.82.39:1234 | Outgoing Connection
Process /dev/shm/apache2 started listening on ports: 1234, 8081 and 8181 | Listening
System file /etc/apache2 was modified 4 times | System File Modification
The file /etc/ifconfig was downloaded and executed 5 times | Download and Execute
The file /etc/apache2 was downloaded and executed 118 times | Download and Execute
Process /etc/apache2 generated outgoing network traffic to: 1.1.1.1:443, 142.250.191.164:443, 172.64.200.11:443, 51.75.146.174:443 and 8.8.8.8:443 | Outgoing Connection
Process /etc/apache2 started listening on ports: 1234, 8085, 8181 and 8185 | Listening
The file /tmp/ifconfig was downloaded and executed 5 times | Download and Execute
The file /tmp/apache2 was downloaded and executed 114 times | Download and Execute
Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 142.250.191.164:443, 172.64.200.11:443, 51.75.146.174:443, 8.8.4.4:443 and 8.8.8.8:443 | Outgoing Connection
Process /tmp/ifconfig started listening on ports: 1234, 8087 and 8188 | Listening
./ifconfig was downloaded 3 times | Download File
The file /root/ifconfig was downloaded and executed 4 times | Download and Execute
The file /root/ifconfig was downloaded and executed 7 times | Download and Execute
The file /root/apache2 was downloaded and executed 143 times | Download and Execute
Process /root/apache2 started listening on ports: 1234, 8081 and 8185 | Listening
Process /root/apache2 generated outgoing network traffic to: 1.1.1.1:443, 117.54.14.169:1234, 142.250.191.164:443, 172.64.201.11:443, 206.189.25.255:1234, 222.103.98.58:1234, 51.75.146.174:443, 61.77.105.219:1234, 8.8.4.4:443 and 8.8.8.8:443 | Outgoing Connection
The file /root/apache2 was downloaded and executed 243 times | Download and Execute
Process /root/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 101.42.90.177:1234, 117.16.44.111:1234, 120.236.78.194:1234, 123.132.238.210:1234, 142.250.191.164:443, 147.182.233.56:1234, 172.64.200.11:443, 212.57.36.20:1234, 218.146.15.97:1234, 222.121.63.87:1234, 223.171.91.160:1234, 223.171.91.191:1234, 45.120.216.114:1234, 51.75.146.174:443, 61.77.105.219:1234, 61.84.162.66:1234, 8.8.4.4:443, 8.8.8.8:443, 84.204.148.99:1234 and 95.154.21.210:1234 | Outgoing Connection
Process /root/ifconfig started listening on ports: 1234, 8083 and 8187 | Listening
/var/tmp/ifconfig was downloaded 3 times | Download File
/root/ifconfig was downloaded | Download File
Connection was closed due to user inactivity
|
File | SHA256 | Size
/tmp/ifconfig | bf9553be0290bc2603b057d3daa41cbcc7f761941ff5519b7d441abe836ec046 | 2457600 bytes
/etc/ifconfig | 2fd96aa6470f930f543ef665fcc62ffa4dfe6646b8f506c11b452a191800285b | 2392064 bytes
/tmp/ifconfig | 1118f58badaea9c524290c7ac9bee6703ff6656960121dc52bdb9c378775276a | 3109968 bytes
/etc/ifconfig | af5a3b16f20172c433cf59e47ab12d7659877616d5442fc440c2411c513c40a9 | 3090288 bytes
/root/ifconfig | 8e7cf70465391f66bc440eba9c30c73995725eaa95fe9f8ba9da6ecbe060c085 | 2424832 bytes
/etc/ifconfig | 331f1ead3df8fed58ccf68da781f34b2f228a5c37f3bb245b836a4b49b1cf269 | 557056 bytes
/root/ifconfig | 2aacc3f6c14a2bd120ce9f7cab7af1f4d3e207bea33d56f02a14f75613a7930c | 786432 bytes
/root/ifconfig | 6ee5b0eadb32669e495a5d4157119d3a8248235f0b3e21084070fb6bb45ca89e | 950272 bytes
/tmp/apache2 | 366408b99e3165dd170cf29c44e8ae63ec7d8e45052c0ca2f894c20e7243fcf0 | 3090368 bytes
/var/tmp/php-fpm | d9ee6cbbc40b3b337e3af157b14a1e7ac276c9f27c2efcd8daa21ded4bd810b6 | 2875940 bytes
/tmp/ifconfig | 63ce5e408bc30df5efb4e48cb2e893e84b58da0ea31d834ce11db915f0dfaba2 | 32768 bytes
/root/ifconfig | f28c1becc58c6ae5d449da0b0f68f4def9db80ba792ab4486a7177e0ecd62b74 | 851968 bytes
/etc/ifconfig | fd3e94ee9b2ea054ed39b97f94f6542e9ce2c2bfbaf1be0c7a8412303ed15e39 | 2293760 bytes
/root/ifconfig | 861921d16b4f8870dda3d79aecaa828b713b8e41b29ec977aca10c236356144e | 1507328 bytes
/var/tmp/ifconfig | d631c9ebe71bca046338a9f986aa6e9ca1bbac1610bd8bb781996cc103537ceb | 1769472 bytes
/var/tmp/ifconfig | fc67a5ff1acc35f9c4ef21c8429bb047e956486f2c12d401950cc7551f601195 | 2326528 bytes