IP Address: 222.100.124.62 - Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SCP SSH |
Tags |
Successful SSH Login SCP Download File SSH Download and Execute Download and Allow Execution Superuser Operation |
Associated Attack Servers |
IP Address |
222.100.124.62 |
|
Domain |
- |
|
ISP |
Korea Telecom |
|
Country |
Korea, Republic of |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-03-25 |
Last seen in Akamai Guardicore Segmentation |
2022-08-01 |
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 188 times |
Download and Execute |
Process /bin/nc.openbsd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /tmp/ifconfig scanned port 1234 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/ifconfig scanned port 80 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/ifconfig scanned port 8080 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/ifconfig scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/ifconfig scanned port 1234 on 24 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 103.152.118.20:1234, 104.21.25.86:443, 114.195.148.22:80, 114.195.148.22:8080, 114.64.100.198:80, 114.64.100.198:8080, 117.16.44.111:1234, 120.31.133.162:1234, 124.214.208.238:80, 124.214.208.238:8080, 129.174.118.126:80, 135.185.84.114:80, 135.185.84.114:8080, 135.52.39.132:80, 135.52.39.132:8080, 142.250.190.4:443, 147.182.233.56:1234, 150.107.95.20:1234, 155.12.37.187:80, 155.12.37.187:8080, 156.6.239.211:80, 156.6.239.211:8080, 159.157.239.219:80, 161.107.113.27:1234, 162.2.49.108:80, 166.187.191.69:80, 173.40.83.109:80, 173.40.83.109:8080, 173.62.178.158:80, 173.62.178.158:8080, 175.237.247.100:80, 190.60.239.44:1234, 190.60.239.44:22, 192.193.220.96:80, 202.61.203.229:1234, 206.189.25.255:1234, 209.216.177.158:1234, 209.216.177.158:2222, 209.216.177.238:1234, 216.130.112.203:80, 216.130.112.203:8080, 220.243.148.80:1234, 222.100.124.62:1234, 222.134.240.91:1234, 222.134.240.92:1234, 222.165.136.99:1234, 223.171.91.149:1234, 223.171.91.160:1234, 240.136.81.181:80, 240.136.81.181:8080, 26.136.211.19:80, 26.136.211.19:8080, 31.19.237.170:1234, 33.103.201.138:80, 34.173.27.238:80, 34.173.27.238:8080, 36.175.224.249:80, 36.175.224.249:8080, 39.175.68.100:1234, 45.134.226.16:80, 45.134.226.16:8080, 46.225.210.95:80, 46.225.210.95:8080, 51.75.146.174:443, 54.188.134.113:80, 54.188.134.113:8080, 58.156.228.35:80, 58.156.228.35:8080, 59.3.186.45:1234, 61.77.105.219:1234, 61.84.162.66:1234, 62.52.125.248:80, 62.52.125.248:8080, 66.180.26.95:80, 66.180.26.95:8080, 66.184.108.219:80, 66.184.108.219:8080, 73.177.180.183:80, 76.219.158.115:80, 76.219.158.115:8080, 77.186.188.227:80, 77.186.188.227:8080, 8.8.8.8:443, 80.147.162.151:1234, 95.248.209.164:80 and 95.248.209.164:8080 |
Outgoing Connection |
Process /tmp/ifconfig started listening on ports: 1234, 8086 and 8185 |
Listening |
Process /tmp/ifconfig attempted to access suspicious domains: melexa.com |
Access Suspicious Domain Outgoing Connection |
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/ifconfig scanned port 80 on 24 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/ifconfig scanned port 8080 on 24 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
The file /usr/bin/free was downloaded and executed |
Download and Execute |
The file /usr/local/bin/dash was downloaded and executed |
Download and Execute |
Connection was closed due to timeout |