IP Address: 220.172.224.174 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Outgoing Connection, Successful SSH Login, SSH, Access Suspicious Domain, New SSH Key, Download and Execute
Associated Attack Servers: 23.63.78.35 34.198.132.204 36.224.81.148 39.108.215.9 46.101.101.24 47.101.38.123 47.115.124.68 49.232.17.202 49.233.64.4 49.235.4.213 49.235.212.184 58.209.253.169 58.218.199.11 61.147.109.203 62.216.245.85 66.171.248.178 103.26.79.72 103.230.240.110 106.12.21.231 106.13.65.237 106.52.188.94 111.229.53.39 111.229.138.163 111.229.219.250 116.202.244.153 117.73.2.100 117.73.13.208 121.40.174.89 121.43.40.121 123.206.201.67
IP Address: 220.172.224.174
Domain: -
ISP: China Telecom
Country: China
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2020-04-20
Last seen in Akamai Guardicore Segmentation: 2020-05-04
Observed events:
[Successful SSH Login] A user logged in using SSH with the following credentials: root / **************** - Authentication policy: Reached Max Attempts
[Download and Execute] The file /usr/bin/ephzbx was downloaded and executed 44 times
[Outgoing Connection] Process /usr/bin/ephzbx generated outgoing network traffic to: 1.1.1.1:53, 103.230.240.110:45547, 103.26.79.72:39673, 106.12.21.231:34059, 106.13.65.237:42996, 106.52.188.94:46849, 111.229.138.163:33607, 111.229.219.250:23903, 111.229.53.39:41106, 116.202.244.153:80, 117.73.13.208:37983, 117.73.2.100:35488, 121.40.174.89:35691, 121.43.40.121:40368, 123.206.201.67:37098, 123.207.3.213:35391, 123.207.35.108:36395, 129.211.11.196:41366, 134.209.249.49:39557, 134.209.96.222:43083, 139.162.127.223:33189, 176.58.123.25:80, 178.128.39.120:45491, 180.76.189.148:34683, 181.48.129.148:44687, 183.245.147.240:60654, 185.193.38.221:34983, 206.81.5.154:8000, 208.67.222.222:443, 216.239.32.21:80, 216.239.34.21:80, 23.63.78.35:80, 34.198.132.204:80, 36.224.81.148:36429, 39.108.215.9:41620, 46.101.101.24:37951, 47.101.38.123:35803, 47.115.124.68:45176, 49.232.17.202:36827, 49.233.64.4:46615, 49.235.212.184:36808, 49.235.4.213:45891, 58.209.253.169:39283, 58.209.253.169:44728, 58.218.199.11:36215, 61.147.109.203:60229, 62.216.245.85:26664 and 66.171.248.178:80
[Access Suspicious Domain, Outgoing Connection] Process /usr/bin/ephzbx attempted to access suspicious domains: icanhazip.com, one.one and z1-shopx1.store
[Download and Execute] The file /usr/bin/chattr was downloaded and executed
Connection was closed due to timeout
[New SSH Key] An attempt to download /root/.ssh/authorized_keys was made 25 times