IP Address: 221.142.135.128 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SSH
Tags: Outgoing Connection, Successful SSH Login, SSH, Access Suspicious Domain, Port 22 Scan, Download and Execute, 17 Shell Commands, Port 2222 Scan, Listening, Download and Allow Execution
Associated Attack Servers: cable.net.co, intelekt.cv.ua, internet.co.za, orange-business.com, 47.91.87.67, 49.235.203.242, 50.206.25.111, 50.239.104.242, 50.239.104.243, 100.0.197.18, 100.2.131.143, 106.75.7.111, 112.35.67.136, 124.124.44.156, 156.155.179.14, 162.252.57.102, 181.57.193.189, 188.191.235.237, 190.145.102.57
IP Address: 221.142.135.128
Domain: -
ISP: SK Broadband
Country: Korea, Republic of
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2019-06-09
Last seen in Akamai Guardicore Segmentation: 2020-05-07
A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password 3 times |
Successful SSH Login |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/nginx was downloaded and executed 123 times |
Download and Execute |
Process /root/ifconfig scanned port 22 on 44 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /root/ifconfig scanned port 22 on 36 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /root/ifconfig scanned port 2222 on 44 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /root/ifconfig started listening on ports: 1234 |
Listening |
Process /root/ifconfig generated outgoing network traffic to: 101.136.122.190:22, 104.173.144.78:22, 104.173.144.78:2222, 12.83.237.160:22, 12.83.237.160:2222, 120.237.228.226:22, 120.24.243.109:22, 124.131.249.52:22, 131.104.82.233:22, 131.104.82.233:2222, 138.194.39.200:22, 138.194.39.200:2222, 14.221.237.55:22, 149.30.69.118:22, 149.30.69.118:2222, 159.151.110.34:2222, 165.133.164.173:22, 165.133.164.173:2222, 165.57.78.228:22, 175.141.71.119:22, 175.141.71.119:2222, 179.51.60.107:22, 18.190.199.207:22, 182.61.25.128:22, 182.61.25.128:2222, 186.172.18.118:22, 186.172.18.118:2222, 188.191.235.237:1234, 189.70.146.252:22, 19.195.197.231:22, 19.195.197.231:2222, 191.92.166.116:2222, 198.58.182.184:22, 198.58.182.184:2222, 201.34.142.99:2222, 202.96.31.62:22, 204.129.249.164:2222, 208.164.85.106:22, 208.164.85.106:2222, 211.66.207.241:2222, 218.93.239.44:1234, 221.142.135.128:1234, 24.24.127.150:22, 240.50.236.11:22, 240.50.236.11:2222, 244.132.65.194:22, 244.132.65.194:2222, 248.16.169.70:22, 249.125.64.48:22, 249.125.64.48:2222, 25.14.64.128:22, 25.14.64.128:2222, 25.71.246.135:22, 25.71.246.135:2222, 250.150.53.137:22, 250.150.53.137:2222, 251.99.96.100:2222, 3.154.99.239:22, 3.97.85.5:22, 3.97.85.5:2222, 40.225.116.101:22, 43.183.81.231:22, 45.108.171.8:2222, 46.164.84.125:22, 47.100.108.185:1234, 47.55.147.76:2222, 47.91.87.67:1234, 50.157.50.32:22, 50.157.50.32:2222, 50.206.25.111:1234, 50.239.104.243:1234, 51.79.17.197:22, 51.84.108.184:22, 51.84.108.184:2222, 53.124.21.56:2222, 54.249.52.16:22, 54.249.52.16:2222, 59.131.160.89:2222, 64.81.251.94:2222, 78.95.244.158:22, 78.95.244.158:2222, 79.87.226.102:22, 81.40.80.227:22, 87.207.143.229:2222, 89.89.203.1:22 and 89.89.203.1:2222 |
Outgoing Connection |
Process /root/ifconfig attempted to access suspicious domains: comcastbusiness.net and intelekt.cv.ua |
Access Suspicious Domain Outgoing Connection |
Process /root/ifconfig scanned port 2222 on 36 IP Addresses |
Port 22 Scan Port 2222 Scan |
The file /root/php-fpm was downloaded and granted execution privileges
Download and Allow Execution
The file /root/php-fpm was downloaded and executed 48 times |
Download and Execute |
The file /root/php-fpm was downloaded and executed 44 times |
Download and Execute |
The file /root/php-fpm was downloaded and executed 15 times |
Download and Execute |
The file /usr/bin/uptime was downloaded and executed |
Download and Execute |
Connection was closed due to timeout |
|
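The event list above records the full lifecycle of an SSH worm on the sensor: a root login under the honeypot's permissive policy, files dropped under /root carrying the names of system binaries (ifconfig, nginx, php-fpm) plus a download landing on /usr/bin/uptime itself, scans of ports 22 and 2222 from the dropped /root/ifconfig, a listener on port 1234, and outbound connections on 1234 to other hosts (including the attacker's own address and several of the Associated Attack Servers). The Python below is an added example, not part of this record and not Akamai Guardicore code: it parses event lines in this page's format into indicators and applies two assumed heuristics, namely that a dropped file with a system-binary name outside the standard bin directories is a masquerade (a download onto the real path is a replaced binary), and that a destination dialed on the same port the implant binds is a connect-back peer rather than a scan target. The sample lines are constructed from the events above, with the long destination list abridged; the name list and trusted directories are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the event lines in this record (the real
# outgoing-connection line lists about ninety destinations; abridged here).
SAMPLE_EVENTS = [
    "A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password 3 times",
    "The file /root/ifconfig was downloaded and executed 5 times",
    "The file /root/nginx was downloaded and executed 123 times",
    "The file /root/php-fpm was downloaded and granted execution privileges",
    "The file /usr/bin/uptime was downloaded and executed",
    "Process /root/ifconfig scanned port 22 on 44 IP Addresses",
    "Process /root/ifconfig scanned port 2222 on 36 IP Addresses",
    "Process /root/ifconfig started listening on ports: 1234",
    "Process /root/ifconfig generated outgoing network traffic to: 101.136.122.190:22, "
    "104.173.144.78:2222, 188.191.235.237:1234, 47.91.87.67:1234, 50.206.25.111:1234 "
    "and 89.89.203.1:2222",
    "Process /root/ifconfig attempted to access suspicious domains: comcastbusiness.net and intelekt.cv.ua",
]

# Assumed: names of legitimate binaries/daemons that droppers like to reuse,
# and the directories where the genuine copies live.
SYSTEM_NAMES = {"ifconfig", "nginx", "php-fpm", "uptime", "sshd"}
TRUSTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/", "/usr/local/sbin/")

LOGIN_RE = re.compile(r"^A user logged in using SSH with the following credentials: (\S+) / ")
FILE_RE = re.compile(r"^The file (\S+) was downloaded and (executed|granted execution privileges)(?: (\d+) times)?")
SCAN_RE = re.compile(r"^Process (\S+) scanned port (\d+) on (\d+) IP Addresses")
LISTEN_RE = re.compile(r"^Process (\S+) started listening on ports: (.+)$")
OUT_RE = re.compile(r"^Process (\S+) generated outgoing network traffic to: (.+)$")
DOMAIN_RE = re.compile(r"^Process (\S+) attempted to access suspicious domains: (.+)$")


def split_targets(blob):
    """Turn 'a, b and c' (the record's list style) into ['a', 'b', 'c']."""
    return [t.strip() for t in re.split(r",\s*|\s+and\s+", blob) if t.strip()]


def classify_drop(path):
    """'masquerade' for a system-binary name in an odd directory, 'replaced'
    for a download that lands on the real binary's path, None otherwise."""
    if path.rsplit("/", 1)[-1] not in SYSTEM_NAMES:
        return None
    return "replaced" if path.startswith(TRUSTED_DIRS) else "masquerade"


def parse_events(lines):
    ind = {
        "logins": [],                    # usernames from successful SSH logins
        "dropped": {},                   # path -> executions observed
        "masquerades": [],               # drops impersonating system binaries
        "replaced": [],                  # drops overwriting real system binaries
        "scans": defaultdict(int),       # port -> hosts scanned
        "listening": defaultdict(set),   # process -> ports it bound
        "outbound": defaultdict(set),    # port -> destination IPs
        "domains": set(),
    }
    for line in lines:
        if m := LOGIN_RE.match(line):
            ind["logins"].append(m.group(1))
        elif m := FILE_RE.match(line):
            path, action, count = m.groups()
            runs = int(count) if count else (1 if action == "executed" else 0)
            ind["dropped"][path] = ind["dropped"].get(path, 0) + runs
            kind = classify_drop(path)
            if kind == "masquerade" and path not in ind["masquerades"]:
                ind["masquerades"].append(path)
            elif kind == "replaced" and path not in ind["replaced"]:
                ind["replaced"].append(path)
        elif m := SCAN_RE.match(line):
            ind["scans"][int(m.group(2))] += int(m.group(3))
        elif m := LISTEN_RE.match(line):
            ind["listening"][m.group(1)].update(int(p) for p in split_targets(m.group(2)))
        elif m := OUT_RE.match(line):
            for dest in split_targets(m.group(2)):
                ip, port = dest.rsplit(":", 1)
                ind["outbound"][int(port)].add(ip)
        elif m := DOMAIN_RE.match(line):
            ind["domains"].update(split_targets(m.group(2)))
    return ind


def connect_back_peers(ind):
    """Destinations dialed on a port the implant also listens on (here 1234).
    Assumption: that is a peer/C2 channel, not a scan target; scan traffic
    goes to the targeted service ports (22, 2222)."""
    listened = set().union(*ind["listening"].values())
    return {ip for port in listened for ip in ind["outbound"].get(port, set())}


def verdict(ind):
    """Condense the indicators into one-line findings for an analyst."""
    findings = []
    if "root" in ind["logins"]:
        findings.append("remote root login over SSH")
    findings += [f"masquerading binary {p}" for p in ind["masquerades"]]
    findings += [f"system binary replaced: {p}" for p in ind["replaced"]]
    findings += [f"scanned port {port} on {n} hosts" for port, n in sorted(ind["scans"].items())]
    peers = connect_back_peers(ind)
    if peers:
        findings.append(f"{len(peers)} connect-back peers: {', '.join(sorted(peers))}")
    return findings


if __name__ == "__main__":
    for finding in verdict(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The peer heuristic is what separates the three 1234-destinations (including 221.142.135.128 in the full record) from the ninety-odd scan targets on 22 and 2222; feeding it the complete outgoing-connection line from the record instead of the abridged sample yields the same split. Blocking or sinkholing those peers and hunting for the masquerading paths on other hosts is the practical follow-up.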