IP Address: 3.237.240.103 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Port 8080 Scan, 3 Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, Access Suspicious Domain, Listening
Associated Attack Servers: ertelecom.ru, internetia.net.pl, teol.net, 8.195.246.243, 13.157.162.139, 14.143.180.147, 14.173.251.65, 19.204.92.140, 30.109.172.32, 64.78.88.61, 80.147.162.151, 81.93.68.14, 82.157.139.183, 83.143.96.74, 92.153.38.50, 100.3.230.245, 103.60.137.111, 103.120.223.29, 123.205.23.120, 133.85.141.40, 165.139.215.17, 185.129.50.53, 188.134.70.136, 196.195.1.95, 202.61.203.229, 204.128.14.156
IP Address: 3.237.240.103
Domain: -
ISP: Amazon.com
Country: United States
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-14
Last seen in Akamai Guardicore Segmentation: 2022-04-20
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
[Superuser Operation] A possibly malicious Superuser Operation was detected 2 times
[Outgoing Connection] Process /dev/shm/apache2 generated outgoing network traffic to: 100.3.230.245:2222, 103.120.223.29:1234, 104.21.25.86:443, 105.130.65.68:80, 105.130.65.68:8080, 123.205.23.120:22, 13.157.162.139:22, 130.43.203.147:80, 130.43.203.147:8080, 133.85.141.40:22, 14.14.78.86:80, 14.14.78.86:8080, 14.143.180.147:2222, 14.173.251.65:2222, 140.72.229.232:80, 140.72.229.232:8080, 150.92.28.27:80, 150.92.28.27:8080, 152.52.244.111:80, 152.52.244.111:8080, 154.210.129.69:80, 154.210.129.69:8080, 161.107.113.27:1234, 165.139.215.17:2222, 172.67.133.228:443, 185.129.50.53:1234, 188.126.199.210:80, 188.126.199.210:8080, 188.134.70.136:22, 189.99.199.250:80, 189.99.199.250:8080, 19.204.92.140:2222, 19.55.154.87:80, 19.55.154.87:8080, 196.195.1.95:22, 202.138.152.187:80, 202.138.152.187:8080, 202.61.203.229:1234, 204.128.14.156:22, 204.225.174.119:80, 204.225.174.119:8080, 205.35.173.163:80, 205.35.173.163:8080, 213.216.18.32:80, 213.216.18.32:8080, 214.242.190.248:80, 214.242.190.248:8080, 215.132.241.125:80, 215.132.241.125:8080, 23.91.223.153:80, 23.91.223.153:8080, 24.166.215.220:80, 24.166.215.220:8080, 242.47.160.58:80, 242.47.160.58:8080, 245.59.215.240:80, 245.59.215.240:8080, 246.251.145.67:80, 246.251.145.67:8080, 249.91.206.199:80, 249.91.206.199:8080, 30.109.172.32:2222, 33.197.152.217:80, 33.197.152.217:8080, 34.165.63.189:80, 34.165.63.189:8080, 4.230.186.7:80, 4.230.186.7:8080, 41.36.206.238:80, 41.36.206.238:8080, 51.75.146.174:443, 54.86.149.48:80, 54.86.149.48:8080, 57.127.197.159:80, 57.127.197.159:8080, 58.5.84.44:80, 58.5.84.44:8080, 60.157.83.192:80, 60.157.83.192:8080, 64.78.88.61:2222, 73.124.113.248:80, 73.124.113.248:8080, 8.195.246.243:22, 80.147.162.151:1234, 81.46.146.190:80, 81.46.146.190:8080, 81.93.68.14:2222, 82.157.139.183:1234, 83.143.96.74:1234 and 92.153.38.50:2222
[Listening] Process /dev/shm/apache2 started listening on ports: 1234, 8080 and 8189
[Access Suspicious Domain, Outgoing Connection] Process /dev/shm/apache2 attempted to access suspicious domains: comcastbusiness.net, goodsrv.de, internetia.net.pl, t-ipconnect.de and vsnl.net.in
[Port 80 Scan, Port 8080 Scan] Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses 2 times
[Port 80 Scan, Port 8080 Scan] Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses 2 times
Connection was closed due to timeout
|