IP Address: 213.32.91.37 - Malicious


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

SSH

Tags

Port 22 Scan, Download File, Download and Execute, HTTP, Log Tampering, Download Operation, Outgoing Connection, Scheduled Task Creation, Successful SSH Login, Bulk Files Tampering, Download and Allow Execution, 5 Shell Commands, SSH, Access Suspicious Domain

Associated Attack Servers

ip-54-37-70.eu ip-213-32-91.eu

141.85.241.113 54.37.70.249 107.191.99.221 37.139.3.113

Basic Information

IP Address

213.32.91.37

Domain

-

ISP

OVH SAS

Country

France

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-12-02

Last seen in Guardicore Centra

2020-07-03


Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected

Download Operation

History File Tampering detected from /bin/bash 2 times

Log Tampering

Process /usr/bin/wget generated outgoing network traffic to: 54.37.70.249:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-54-37-70.eu

Access Suspicious Domain, Outgoing Connection

/tmp/.mountfs/dota.tar.gz was downloaded

Download File

The file /tmp/.mountfs/.rsync/init0 was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.mountfs/.rsync/dir.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.mountfs/.rsync/c/dir.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.ttp/a/upd was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.ttp/a/dir.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.mountfs/.rsync/c/aptitude was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.mountfs/.rsync/c/n was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.ttp/b/sync was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.ttp/a/crond64 was downloaded and executed 8 times

Download and Execute

Process /root/.ttp/a/crond64 generated outgoing network traffic to: 107.191.99.221:80

Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 141.85.241.113:80

Outgoing Connection

/tmp/.mountfs/.rsync/c/xtr was downloaded

Download File

Process /usr/bin/wget generated outgoing network traffic to: 213.32.91.37:80 2 times

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-213-32-91.eu 2 times

Access Suspicious Domain, Outgoing Connection

/tmp/.mountfs/.rsync/c/ip was downloaded

Download File

/tmp/.mountfs/.rsync/c/p was downloaded

Download File

The file /tmp/.mountfs/.rsync/c/lib/64/tsm was downloaded and executed 126 times

Download and Execute

Process /tmp/.mountfs/.rsync/c/lib/64/tsm generated outgoing network traffic to: 101.251.112.62:22, 103.108.140.192:22, 103.245.167.108:22, 108.179.224.123:22, 108.187.42.36:22, 111.235.138.237:22, 119.133.86.72:22, 123.60.213.6:22, 128.97.31.233:22, 129.49.76.86:22, 13.208.113.231:22, 13.230.185.124:22, 13.57.214.60:22, 130.193.85.74:22, 138.91.121.250:22, 139.162.141.114:22, 140.82.19.78:22, 142.11.229.130:22, 142.252.4.234:22, 142.93.40.42:22, 143.191.128.188:22, 143.191.38.8:22, 148.247.182.96:22, 149.56.175.44:22, 154.214.97.37:22, 157.7.166.191:22, 158.85.185.245:22, 159.65.0.77:22, 162.212.171.88:22, 167.114.133.84:22, 172.93.156.201:22, 173.201.82.40:22, 178.62.238.41:22, 18.191.247.100:22, 18.236.172.192:22, 184.173.18.107:22, 188.125.19.222:22, 188.166.107.203:22, 188.218.14.184:22, 192.207.12.62:22, 192.52.242.52:22, 192.81.218.17:22, 195.68.11.79:22, 198.199.101.24:22, 206.189.214.189:22, 209.59.189.53:22, 209.97.176.169:22, 213.32.27.118:22, 216.129.207.150:22, 23.102.224.63:22, 34.229.76.175:22, 34.76.141.48:22, 35.156.180.69:22, 35.160.189.37:22, 35.190.210.181:22, 35.199.118.90:22, 35.204.114.160:22, 35.222.239.43:22, 35.228.99.26:22, 35.230.182.44:22, 37.187.107.171:22, 45.32.107.153:22, 5.148.171.160:22, 5.63.153.92:22, 50.62.50.211:22, 50.62.71.136:22, 50.87.108.118:22, 51.136.25.157:22, 51.15.245.23:22, 52.166.106.52:22, 52.18.211.220:22, 52.2.176.140:22, 52.221.190.190:22, 52.224.234.75:22, 52.246.182.124:22, 52.41.64.212:22, 52.76.112.9:22, 54.179.165.107:22, 63.209.33.189:22, 64.30.133.1:22, 68.183.213.231:22, 74.208.95.150:22, 74.50.48.131:22, 76.80.103.78:22, 77.222.54.249:22, 80.78.255.42:22, 80.86.30.41:22, 82.118.17.127:22, 82.165.181.79:22, 87.106.238.143:22, 88.212.128.49:22, 88.212.253.51:22, 88.99.173.227:22, 88.99.239.241:22 and 93.170.129.186:22

Process /tmp/.mountfs/.rsync/c/lib/64/tsm scanned port 22 on 95 IP Addresses

Port 22 Scan

Connection was closed due to timeout

Process /bin/tar performed bulk changes in {/} on 55 files

Bulk Files Tampering

Associated Files

/tmp/.mountfs/dota.tar.gz

SHA256: 8f81ce25374a75e3ca8c743229e39608f4a6385401e60b431614c1d669cc9e92

7543447 bytes

/root/.ttp/a/upd

SHA256: 106d07d81e1feb3619cc41a73b51b7dfacae39669bfb1c041de44596ea887168

172 bytes

/tmp/.mountfs/.rsync/c/aptitude

SHA256: 2fd75ca04ac5a3691a79cc505c279bf4fed8cd576f88689565243011dcf87a36

54 bytes

/root/.ttp/a/crond64

SHA256: e8974dfbf0502f0091d9c05b4e0d91b7c769f6a4a1a412edeb2869badb5d79a8

2757656 bytes
