IP Address: 222.187.227.55 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

SSH

Tags

Log Tampering, HTTP, Service Stop, DNS Query, Download and Allow Execution, Download File, Download Operation, Access Suspicious Domain, 39 Shell Commands, Listening, Malicious File, SSH, Successful SSH Login, Outgoing Connection

Associated Attack Servers

Domain: mdb7.cn
IP addresses: 58.218.56.82, 39.108.158.10, 118.193.233.8

Basic Information

IP Address: 222.187.227.55
Domain: -
ISP: China Telecom jiangsu
Country: China

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-06-10
Last seen in Guardicore Centra: 2018-07-10


Attack Flow

Successful SSH Login: A user logged in using SSH with the following credentials: root / **** (Authentication policy: White List)
Listening: Process /usr/sbin/sshd started listening on ports: 1987 and 22
Service Stop: Service iptables was stopped
DNS Query, Access Suspicious Domain: Process /usr/bin/wget attempted to access suspicious domains: mdb7.cn
Log Tampering: Log File Tampering detected from /bin/rm on the following logs: /var/log/wtmp
Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to: 118.193.233.8:4780, 5 times
Download and Allow Execution: The file /root/Linux2.6lei was downloaded and granted execution privileges
Download and Allow Execution: The file /root/linux-mipslei was downloaded and granted execution privileges
Download File: /root/Linux2.4lei was downloaded
Download File: /tmp/linux-armlei was downloaded
Download File: /root/dd-wrtlei was downloaded
Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to: 39.108.158.10:80, 3 times
Download and Allow Execution: The file /root/dexgp4 was downloaded and granted execution privileges
Download and Allow Execution: The file /root/dexgp6 was downloaded and granted execution privileges
Download and Allow Execution: The file /root/larm was downloaded and granted execution privileges
Connection was closed due to user inactivity
Malicious File: /root/dexgp6 was identified as malicious by YARA according to rules: Maldoc Somerules
Malicious File: /root/Linux2.6lei was identified as malicious by YARA according to rules: Maldoc Somerules
Malicious File: /root/Linux2.4lei was identified as malicious by YARA according to rules: Maldoc Somerules
Malicious File: /root/dexgp4 was identified as malicious by YARA according to rules: Maldoc Somerules

Associated Files

