IP Address: 218.22.126.147 - Previously Malicious

IP Address:
218.22.126.147
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

MYSQL

Tags

80, Sql Commands, MYSQL, Malicious Mysql Command, Malicious File, Create Mysql Function, HTTP, Download File, Inbound HTTP Request

Connect Back Servers

40.114.46.214 52.176.48.82 13.82.50.132 13.82.51.31 52.176.49.221 52.176.45.217 52.176.62.145 13.92.238.45 40.80.148.87 52.176.48.108 137.116.197.85 137.135.80.180 137.135.92.186 13.82.52.118

Basic Information

IP Address

218.22.126.147

Domain

-

ISP

China Telecom Anhui

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-01-25

Last seen in Guardicore Centra

2017-02-18

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

An inbound HTTP request was made to http://40.114.46.214/phpmyadmin/index.php

Inbound HTTP Request

/usr/local/mysql/data/\usr\local\mysql\lib\plugin\\te82.dll was downloaded

Download File

An inbound HTTP request was made to http://40.114.46.214/phpmyadmin/import.php

Inbound HTTP Request

/usr/local/mysql/data/..\bin\te82.dll was downloaded

Download File

An inbound HTTP request was made to http://40.114.46.214/phpmyadmin/main.php?reload=1&sql_query=select+%40x86+into+DUMPFILE+%27..%5C%5Cbin%5C%5Cte82.dll%27&token=ce275ea8952bc959ae86a0caf1865897

Inbound HTTP Request

/usr/local/mysql/data/\usr\local\mysql\lib\plugin\\te62.dll was downloaded

Download File

/usr/local/mysql/data/..\bin\te62.dll was downloaded

Download File

An inbound HTTP request was made to http://40.114.46.214/phpmyadmin/main.php?reload=1&sql_query=select+%40x64+into+DUMPFILE+%27..%5C%5Cbin%5C%5Cte62.dll%27&token=ce275ea8952bc959ae86a0caf1865897

Inbound HTTP Request

/usr/local/mysql/data/c:\windows\temp\zzxc.tmp was downloaded

Download File

An inbound HTTP request was made to http://40.114.46.214/phpmyadmin/main.php?reload=1&sql_query=select+%40b+into+DUMPFILE+%27c%3A%5C%5Cwindows%5C%5Ctemp%5C%5Czzxc.tmp%27&token=ce275ea8952bc959ae86a0caf1865897

Inbound HTTP Request

Malicious MySQL commands were executed: DROP FUNCTION

Malicious Mysql Command

An attempt was made 2 times to create the MySQL user-defined function (UDF) allcone, implemented in /usr/local/mysql/lib/plugin/te82.dll

Create Mysql Function

An attempt was made 2 times to create the MySQL user-defined function (UDF) allcone, implemented in /usr/local/mysql/lib/plugin/te62.dll

Create Mysql Function

/tmp/sess_ac4fcce212286e267c177cab4e50b8f168174552 was identified as malicious by YARA according to rules: Crypto Signatures, Crypto Index and Url

Malicious File

/usr/local/mysql/data/..\bin\te82.dll was identified as malicious by YARA according to rules: Packers Index and Packer Compiler Signatures

Malicious File

/tmp/sess_57ab05cd1275a0c9dfb2cb827836179cb2ee1e83 was identified as malicious by YARA according to rules: Crypto Signatures, Crypto Index and Url

Malicious File

/tmp/sess_a3c1ec94c86a6586249b3fca58712fabe7154ef3 was identified as malicious by YARA according to rules: Crypto Signatures, Crypto Index and Url

Malicious File

/usr/local/mysql/data/\usr\local\mysql\lib\plugin\\te82.dll was identified as malicious by YARA according to rules: Packers Index and Packer Compiler Signatures

Malicious File

/usr/local/mysql/data/..\bin\te62.dll was identified as malicious by YARA according to rules: Packers Index and Packer Compiler Signatures

Malicious File

/usr/local/mysql/data/\usr\local\mysql\lib\plugin\\te62.dll was identified as malicious by YARA according to rules: Packers Index and Packer Compiler Signatures

Malicious File
