IP Address: 219.149.105.246 (Malicious)



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

SSH

Tags

Service Creation, Download and Execute, System File Modification, SSH, Successful SSH Login, Service Deletion, Executable File Modification, Access Suspicious Domain, Outgoing Connection

Associated Attack Servers


Basic Information

IP Address

219.149.105.246

Domain

-

ISP

China Telecom

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2020-05-10

Last seen in Guardicore Centra

2020-08-03

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / *********** - Authentication policy: Reached Max Attempts

Successful SSH Login

The file /usr/bin/tehzhj was downloaded and executed 422 times

Download and Execute

Process /usr/bin/tehzhj generated outgoing network traffic to: 1.1.1.1:53, 111.229.188.24:39845, 116.202.244.153:80, 116.62.206.177:38726, 176.58.123.25:80, 181.48.129.148:44687, 193.148.69.96:32952, 206.81.5.154:8000, 208.67.222.222:443, 216.239.32.21:80, 216.239.36.21:80, 23.63.79.12:80, 3.223.51.129:80, 47.105.194.197:36352, 58.218.204.13:60396 and 66.171.248.178:80

Outgoing Connection

Process /usr/bin/tehzhj attempted to access suspicious domains: icanhazip.com and one.one

Access Suspicious Domain Outgoing Connection

Executable file /usr/bin/kthreadds was modified 9 times

Executable File Modification

System file /lib/libgc++.so was modified 9 times

System File Modification

System file /lib/libstdc++.so was modified 9 times

System File Modification

System file /lib/systemd/systemd-login was modified 9 times

System File Modification

System file /etc/migrations was modified 9 times

System File Modification

Executable file /usr/bin/bsd-port/.dbus was modified 9 times

Executable File Modification

System file /etc/init.d/selinux was modified 9 times

System File Modification

System file /etc/rc4.d/S97DbSecuritySpt was modified 9 times

System File Modification

System file /etc/rc1.d/S99selinux was modified 9 times

System File Modification

System file /etc/rc4.d/S99selinux was modified 9 times

System File Modification

System file /etc/rc5.d/S99selinux was modified 9 times

System File Modification

System file /etc/init.d/watchdogs was modified 9 times

System File Modification

System file /etc/init.d/netdns was modified 9 times

System File Modification

System file /etc/rc.d/init.d/nfstruncate was modified 9 times

System File Modification

The file /usr/bin/chattr was downloaded and executed

Download and Execute

Service S99selinux was created

Service Creation

Service S97DbSecuritySpt was created

Service Creation

Service pdflushs was created

Service Creation

Service netdns was created

Service Creation

Service DbSecuritySpt was created

Service Creation

Service watchdogs was created

Service Creation

Service selinux was created

Service Creation

Connection was closed due to timeout
