Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 221.159.28.249Previously Malicious

IP Address: 221.159.28.249Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SCP

Tags

Successful SSH Login Executable File Modification Scheduled Task Creation SCP System File Modification IDS - A Network Trojan was detected Listening 42 Shell Commands Access Suspicious Domain Service Configuration Download File Outgoing Connection Download and Execute SSH

Associated Attack Servers

ip-139-99-62.net ip-139-99-68.net ip-147-135-37.us

37.59.43.131 37.59.44.193 37.59.54.205 51.81.245.40 88.99.193.240 94.130.164.163 94.130.165.85 94.130.165.87 139.99.62.196 139.99.68.128 147.135.37.31 158.69.25.62 158.69.25.71 158.69.25.77

Basic Information

IP Address

221.159.28.249

Domain

-

ISP

Korea Telecom

Country

Korea, Republic of

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2020-11-13

Last seen in Akamai Guardicore Segmentation

2020-12-18

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

Executable file /bin/t0swx5wle1060uf5o1402sr55l was modified 16 times

Executable File Modification

/bin/t0swx5wle1060uf5o1402sr55l was downloaded

Download File

Executable file /bin/dhpcd was modified 49 times

Executable File Modification

IDS detected A Network Trojan was detected : DNS request for Monero mining pool

IDS - A Network Trojan was detected

Process /bin/dhpcd generated outgoing network traffic to: 139.99.68.128:4444, 158.69.25.62:4444, 37.59.44.193:4444, 37.59.54.205:4444, 51.81.245.40:4444, 88.99.193.240:4444, 94.130.164.163:4444 and 94.130.165.87:4444

Outgoing Connection

Process /bin/dhpcd attempted to access suspicious domains: ip-139-99-68.net, ip-158-69-25.net, ip-37-59-44.eu, ip-37-59-54.eu and ip-51-81-245.us

Access Suspicious Domain Outgoing Connection

The file /bin/dhpcd was downloaded and executed 8 times

Download and Execute

System file /etc/nshadow was modified 9 times

System File Modification

/dev/shm/t0swx5wle1060uf5o1402sr55l was downloaded

Download File

/dev/shm/knrm was downloaded

Download File

/dev/shm/r was downloaded

Download File

System file /etc/sed0pFg0J was modified 9 times

System File Modification

/bin/dhpcd was downloaded

Download File

Process /bin/dhpcd generated outgoing network traffic to: 158.69.25.77:4444

Outgoing Connection

Process /bin/dhpcd attempted to access suspicious domains: ip-158-69-25.net

Access Suspicious Domain Outgoing Connection

/etc/rc.d/rc.local was downloaded

Download File

/etc/rc.local was downloaded 2 times

Download File

/etc/rc.local was downloaded 2 times

Download File

System file /etc/rc.local was modified 4 times

System File Modification

Process /usr/sbin/sshd started listening on ports: 22

Listening

Connection was closed due to timeout