IP Address: 23.21.27.48 (Previously Malicious)
This IP address attempted an attack on a machine in our threat-sensor network.
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Port 22 Scan, SFTP, Download File, SSH, Successful SSH Login, Download and Execute, Access Suspicious Domain, 1 Shell Commands, Outgoing Connection, Listening, Download and Allow Execution
Associated Attack Servers: 15.228.148.72, 62.210.130.171, 119.45.1.175, 167.71.160.75, 173.212.208.146, 190.14.220.3, 194.32.78.170
IP Address: 23.21.27.48
Domain: -
ISP: Amazon.com
Country: United States
WHOIS
  Created Date: -
  Updated Date: -
  Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-09
Last seen in Akamai Guardicore Segmentation: 2022-04-09
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** (authentication policy: White List)
Successful SSH Login
./.2126298163640811670/sshd was downloaded
Download File
The file /root/.2126298163640811670/sshd was downloaded and executed 52 times
Download and Execute
Process /bin/bash generated outgoing network traffic to 100 destinations. Seven of them are the associated attack servers listed above, all reached on port 1919: 119.45.1.175, 15.228.148.72, 167.71.160.75, 173.212.208.146, 190.14.220.3, 194.32.78.170 and 62.210.130.171.
The remaining 93 were contacted on port 22: 100.167.12.70, 107.142.109.85, 11.33.218.217, 111.163.21.208, 111.92.92.197, 114.178.36.16, 129.232.112.24, 129.240.135.196, 129.30.144.228, 130.86.87.68, 132.137.119.105, 134.49.30.142, 136.54.145.197, 137.75.204.82, 138.100.21.163, 139.79.37.36, 14.66.169.59, 141.85.59.124, 147.190.32.141, 147.215.135.31, 152.250.152.136, 153.153.102.133, 153.60.112.46, 155.120.139.27, 155.146.215.113, 158.231.115.71, 16.25.106.8, 163.115.79.90, 164.88.153.24, 175.174.21.52, 176.233.39.37, 178.32.241.39, 179.125.95.153, 184.131.85.199, 184.232.27.148, 186.67.222.10, 187.55.178.92, 193.204.149.241, 196.7.85.159, 197.167.88.176, 200.40.216.224, 202.174.108.244, 205.26.240.213, 209.131.155.127, 210.164.52.6, 210.173.32.180, 210.81.145.102, 212.1.33.79, 216.16.215.252, 216.32.54.35, 219.191.166.15, 220.114.159.150, 221.228.213.42, 24.114.48.143, 26.230.168.167, 28.174.155.70, 4.192.179.190, 40.19.248.20, 40.44.3.100, 47.56.171.202, 49.90.44.52, 5.208.46.137, 55.137.79.185, 56.29.37.43, 59.102.144.248, 59.136.102.2, 6.84.73.101, 62.8.150.91, 64.71.127.165, 69.91.86.122, 7.34.219.27, 71.113.45.210, 72.40.124.22, 74.217.92.115, 76.121.68.229, 77.158.11.25, 80.5.3.153, 84.217.8.86, 85.148.57.100, 86.148.18.58, 86.37.128.236, 89.116.196.87, 9.21.58.73, 90.170.225.99, 90.44.239.249, 91.109.58.123, 91.230.114.140, 92.133.109.45, 96.230.142.184, 97.123.115.8, 97.203.189.171, 97.41.101.134 and 98.198.249.14
Outgoing Connection
Process /bin/bash attempted to access suspicious domains: hosted-by-mvps.net, peperstock.com and shadwell.com.pa
Access Suspicious Domain, Outgoing Connection
Process /bin/bash scanned port 22 on 93 IP addresses
Port 22 Scan
Process /bin/bash started listening on ports 1919 and 22
Listening
Connection was closed due to timeout
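The outgoing-connection, port-scan and listening events above together describe a worm pattern: one shell process fans out to port 22 on many hosts while keeping a small, fixed peer set on a non-standard port that it also listens on. The following is an added example, not Akamai Guardicore code, showing detection logic of that shape run over connection records constructed from the destinations in this incident. The thresholds, the shell-binary list, the `Conn`/`Finding` record shapes and the benign baseline records are assumptions.

```python
"""Flag worm-style SSH propagation from outbound-connection and listener events.

Added example for this record; it is not Akamai Guardicore code. The sample
events are constructed from the destinations in the incident's "Outgoing
Connection" and "Listening" events; the thresholds and the shell list are
assumptions to tune per environment.
"""
from collections import defaultdict
from dataclasses import dataclass

SCAN_MIN_DISTINCT_DSTS = 20   # assumed: one process, one port, many hosts => scan
PEER_MIN_DISTINCT_DSTS = 3    # assumed: same odd port on several hosts => peer set
WELL_KNOWN_PORTS = {22, 53, 80, 443}
SHELLS = {"/bin/bash", "/bin/sh", "/bin/dash"}   # assumed list


@dataclass(frozen=True)
class Conn:
    process: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Finding:
    kind: str
    process: str
    port: int
    distinct_hosts: int


def analyze(conns, listening):
    """Return findings for scans, peer fan-out on odd ports and shell listeners.

    `listening` is a set of (process, port) pairs the host is bound on.
    """
    dsts_by_proc_port = defaultdict(set)
    for c in conns:
        dsts_by_proc_port[(c.process, c.dst_port)].add(c.dst_ip)

    findings = []
    for (proc, port), dsts in sorted(dsts_by_proc_port.items()):
        n = len(dsts)
        if n >= SCAN_MIN_DISTINCT_DSTS:
            # Many distinct hosts on one port from one process: scanning.
            findings.append(Finding("port_scan", proc, port, n))
        elif port not in WELL_KNOWN_PORTS and n >= PEER_MIN_DISTINCT_DSTS:
            # A small fixed peer set on a non-standard port. If the same
            # process also listens on that port, this looks like P2P
            # propagation/C2 rather than a client talking to one server.
            kind = "p2p_peer_port" if (proc, port) in listening else "odd_port_fanout"
            findings.append(Finding(kind, proc, port, n))

    for proc, port in sorted(listening):
        if proc in SHELLS:
            # A shell bound to a socket is rarely legitimate; on 22 it may be
            # standing in for the real SSH daemon.
            findings.append(Finding("shell_listener", proc, port, 0))
    return findings


# Constructed from the incident text: 24 of the 93 port-22 targets and all
# seven port-1919 peers (the associated attack servers).
SAMPLE_CONNS = [Conn("/bin/bash", ip, 22) for ip in (
    "100.167.12.70", "107.142.109.85", "11.33.218.217", "111.163.21.208",
    "111.92.92.197", "114.178.36.16", "129.232.112.24", "129.240.135.196",
    "129.30.144.228", "130.86.87.68", "132.137.119.105", "134.49.30.142",
    "136.54.145.197", "137.75.204.82", "138.100.21.163", "139.79.37.36",
    "14.66.169.59", "141.85.59.124", "147.190.32.141", "147.215.135.31",
    "152.250.152.136", "153.153.102.133", "153.60.112.46", "155.120.139.27",
)] + [Conn("/bin/bash", ip, 1919) for ip in (
    "119.45.1.175", "15.228.148.72", "167.71.160.75", "173.212.208.146",
    "190.14.220.3", "194.32.78.170", "62.210.130.171",
)]
SAMPLE_LISTENING = {("/bin/bash", 1919), ("/bin/bash", 22)}

# Constructed benign baseline (assumption): a package manager over HTTPS and
# the real SSH daemon listening on 22. Must produce no findings.
BENIGN_CONNS = [Conn("/usr/bin/apt-get", "203.0.113.10", 443),
                Conn("/usr/bin/apt-get", "203.0.113.11", 443)]
BENIGN_LISTENING = {("/usr/sbin/sshd", 22)}

if __name__ == "__main__":
    for f in analyze(SAMPLE_CONNS, SAMPLE_LISTENING):
        print(f)
```

On the sample data the shell process is reported once for the port-22 scan, once as a P2P peer on 1919 (it both connects to and listens on that port), and once per listening port; the benign baseline produces nothing. Keying on (process, destination port) rather than on destination IP alone is what separates the 1919 peer set from the port-22 sweep, and it keeps the rule independent of the specific peer addresses, which change between campaigns.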
|
Path: /root/.7379801795806889998/sshd
SHA256: c972bbb9eada1f861e8eb91b08f067f90d832461997f3a34d88f6d7d92739c45
Size: 30312568 bytes
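One way to hunt other hosts for the dropped file, as an added example that is not part of the original record: walk the filesystem for a hidden, all-numeric directory holding a file named sshd (the pattern shared by both paths in this incident), hash each hit and compare it with the SHA256 above. The digit range in the directory-name pattern, the constructed sample tree and its placeholder file contents are assumptions. A path-pattern hit whose hash is not in the known set is still reported, since the binary can differ between drops and a hash-only hunt would miss it.

```python
"""Hunt for the dropper's on-disk artifact: a hidden numeric dir holding `sshd`.

Added example for this record; not Akamai Guardicore code. It builds a small
constructed directory tree, searches it for the path pattern seen in this
incident and compares each hit's SHA-256 with the published hash.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Hash published on the page for /root/.7379801795806889998/sshd.
KNOWN_SHA256 = {"c972bbb9eada1f861e8eb91b08f067f90d832461997f3a34d88f6d7d92739c45"}
# Both paths on the page use a 19-digit hidden directory; the range is an assumption.
HIDDEN_NUMERIC_DIR = re.compile(r"^\.\d{15,20}$")
DROPPED_NAME = "sshd"


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 (the dropped binary is ~29 MB)."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: Path):
    """Return sorted (relative_path, sha256, hash_is_known) for each suspicious sshd.

    The path pattern is the primary signal; the hash comparison only tells
    you whether this drop is byte-identical to the one recorded here.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if HIDDEN_NUMERIC_DIR.match(d.name) and DROPPED_NAME in filenames:
            f = d / DROPPED_NAME
            digest = sha256_of(f)
            hits.append((f.relative_to(root).as_posix(), digest, digest in KNOWN_SHA256))
    return sorted(hits)


def build_demo_tree(base: Path) -> None:
    """Constructed sample tree (assumption): one legit sshd, one drop, one decoy."""
    (base / "usr/sbin").mkdir(parents=True)
    (base / "usr/sbin/sshd").write_bytes(b"legit daemon placeholder")
    (base / "root/.7379801795806889998").mkdir(parents=True)
    (base / "root/.7379801795806889998/sshd").write_bytes(b"dropped binary placeholder")
    (base / "root/.cache").mkdir()          # ordinary hidden dir: must not match
    (base / "root/.cache/sshd").write_bytes(b"not in a numeric hidden dir")


def demo():
    """Build the constructed tree in a temp dir and hunt it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_tree(base)
        return hunt(base)


if __name__ == "__main__":
    for rel, digest, known in demo():
        print(f"{rel}  sha256={digest}  known_hash={known}")
```

On a real host, point `hunt` at `/` (or at a mounted forensic image) and expect the path hit with `hash_is_known` False whenever the operator has rebuilt the payload; treat the path pattern plus a process named sshd running from under a home directory as the finding, and the hash as corroboration only.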