IP Address: 34.125.201.213 (Previously Malicious)
This IP address attempted an attack on a machine in our threat-sensor network.
Role | Attacker, Scanner
Services Targeted | SCP, SSH
Tags | SSH, Superuser Operation, Successful SSH Login, Download and Execute, Download and Allow Execution
Associated Attack Servers | 81.70.94.80, 82.163.214.12, 83.224.155.27, 90.23.240.185, 95.154.21.210, 124.19.150.34, 124.221.162.244, 146.198.187.131, 160.180.184.77, 177.195.67.95, 246.65.124.223
IP Address | 34.125.201.213
Domain | -
ISP | -
Country | United States
WHOIS
Created Date | -
Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-07
Last seen in Akamai Guardicore Segmentation | 2022-04-08
What is Akamai Guardicore Segmentation?
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Incident Events
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /tmp/ifconfig was downloaded and executed 6 times | Download and Execute
The file /tmp/apache2 was downloaded and executed 202 times | Download and Execute
Process /tmp/apache2 generated outgoing network traffic to: 101.42.225.97:1234, 104.21.25.86:443, 109.120.201.201:80, 109.120.201.201:8080, 11.236.114.105:80, 11.236.114.105:8080, 111.16.88.62:80, 111.16.88.62:8080, 114.67.243.115:80, 114.67.243.115:8080, 115.16.86.58:80, 115.16.86.58:8080, 115.254.63.51:1234, 116.169.96.230:80, 116.169.96.230:8080, 123.132.238.210:1234, 129.89.52.196:2222, 134.18.218.42:2222, 139.19.136.81:80, 139.19.136.81:8080, 145.114.89.105:80, 145.114.89.105:8080, 150.158.159.119:1234, 151.89.243.149:80, 151.89.243.149:8080, 155.111.252.238:80, 155.111.252.238:8080, 155.57.171.138:2222, 159.140.163.106:80, 159.140.163.106:8080, 159.75.19.149:1234, 165.23.160.242:80, 165.23.160.242:8080, 166.179.250.214:80, 166.179.250.214:8080, 169.62.193.109:80, 169.62.193.109:8080, 172.67.133.228:443, 174.228.159.48:80, 174.228.159.48:8080, 180.26.192.245:2222, 191.22.26.179:80, 191.22.26.179:8080, 193.37.14.173:80, 193.37.14.173:8080, 195.211.82.160:80, 195.211.82.160:8080, 2.186.30.187:2222, 2.73.222.94:22, 202.39.233.104:80, 202.39.233.104:8080, 217.202.194.11:80, 217.202.194.11:8080, 222.233.174.87:80, 222.233.174.87:8080, 244.62.86.193:22, 245.43.103.14:22, 247.214.147.208:80, 247.214.147.208:8080, 27.49.116.75:80, 27.49.116.75:8080, 34.52.179.53:80, 34.52.179.53:8080, 35.90.231.249:80, 35.90.231.249:8080, 43.184.144.140:80, 43.184.144.140:8080, 50.172.215.52:2222, 50.98.222.253:2222, 51.75.146.174:443, 56.195.70.248:2222, 62.189.101.163:22, 66.90.110.58:1234, 68.206.82.44:2222, 69.148.48.178:2222, 7.166.55.185:80, 7.166.55.185:8080, 70.124.108.150:80, 70.124.108.150:8080, 82.39.182.169:80, 82.39.182.169:8080, 89.109.138.238:80, 89.109.138.238:8080, 89.115.86.60:80, 89.115.86.60:8080, 9.110.44.44:22, 95.9.92.14:2222, 99.198.211.86:80 and 99.198.211.86:8080 | Outgoing Connection
Process /tmp/apache2 started listening on ports: 1234, 8087 and 8180 | Listening
Port scans by /tmp/apache2 (each tagged Port 2222 Scan, Port 80 Scan, Port 8080 Scan):
Process /tmp/apache2 scanned port 80 on 32 IP Addresses
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses
Process /tmp/apache2 scanned port 2222 on 32 IP Addresses
Process /tmp/apache2 scanned port 80 on 32 IP Addresses
Process /tmp/apache2 scanned port 80 on 11 IP Addresses
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses
Process /tmp/apache2 scanned port 2222 on 32 IP Addresses
Process /tmp/apache2 scanned port 8080 on 11 IP Addresses
Process /tmp/apache2 scanned port 2222 on 11 IP Addresses
Process /tmp/apache2 attempted to access suspicious domains: kcell.kz | Access Suspicious Domain, Outgoing Connection
The file /usr/local/bin/dash was downloaded and executed | Download and Execute
The file /usr/bin/uptime was downloaded and executed | Download and Execute
The file /tmp/php-fpm was downloaded and executed 36 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 13 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 6 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 6 times | Download and Execute
Connection was closed due to timeout
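As an added example (not part of this record and not Akamai Guardicore tooling), the script below parses event descriptions in the format used above into indicators a responder can act on: files dropped and run, binaries in world-writable directories masquerading as system daemons, listening and scanned ports, outbound destinations, and the suspicious domain. It also separates out destinations in non-routable space; several of the addresses listed above (244.62.86.193, 245.43.103.14, 247.214.147.208) fall in the reserved 240.0.0.0/4 block, which is consistent with randomly generated scan targets rather than a curated target list. The event lines in SAMPLE_EVENTS are constructed from this page, and the SYSTEM_NAMES list and the block_candidates helper are assumptions of the example, not anything the record defines.

```python
"""Turn the incident events on this page into actionable indicators.

Added example for this record; it is not Akamai Guardicore code. The event
lines below are constructed from the text of this page, not pulled from a
live sensor.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a subset of the event descriptions in this record.
SAMPLE_EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** "
    "- Authentication policy: Correct Password",
    "The file /tmp/ifconfig was downloaded and executed 6 times",
    "The file /tmp/apache2 was downloaded and executed 202 times",
    "Process /tmp/apache2 generated outgoing network traffic to: 101.42.225.97:1234, "
    "104.21.25.86:443, 2.73.222.94:22, 247.214.147.208:80 and 99.198.211.86:8080",
    "Process /tmp/apache2 started listening on ports: 1234, 8087 and 8180",
    "Process /tmp/apache2 scanned port 2222 on 32 IP Addresses",
    "Process /tmp/apache2 scanned port 2222 on 11 IP Addresses",
    "Process /tmp/apache2 attempted to access suspicious domains: kcell.kz",
    "The file /usr/bin/uptime was downloaded and executed",
    "The file /tmp/php-fpm was downloaded and executed 36 times",
    "The file /tmp/php-fpm was downloaded and executed 13 times",
]

# Assumption: names of legitimate daemons and tools that the dropped files on
# this page borrow. A binary with one of these names executing from a
# world-writable directory is treated as masquerading.
SYSTEM_NAMES = {"apache2", "php-fpm", "ifconfig", "uptime", "dash", "sshd", "httpd"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

IPPORT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")
EXEC = re.compile(r"The file (\S+) was downloaded and executed(?: (\d+) times)?")
LISTEN = re.compile(r"Process (\S+) started listening on ports: (.+)")
SCAN = re.compile(r"Process (\S+) scanned port (\d+) on (\d+) IP Addresses")
DOMAIN = re.compile(r"attempted to access suspicious domains: (.+)")
LOGIN = re.compile(r"logged in using SSH with the following credentials: (\S+) /")


def parse_events(lines):
    """Extract indicators from Guardicore-style event descriptions."""
    ioc = {
        "executed": defaultdict(int),       # path -> total execution count
        "masquerading": set(),              # writable-dir binaries with system names
        "outbound": set(),                  # (ip, port) destinations
        "unroutable_targets": set(),        # destinations outside globally routable space
        "listening": set(),                 # ports the dropped process bound
        "scanned_ports": defaultdict(int),  # port -> hosts probed
        "domains": set(),
        "logins": set(),                    # usernames behind successful SSH logins
    }
    for line in lines:
        if m := EXEC.search(line):
            path, count = m.group(1), int(m.group(2) or 1)
            ioc["executed"][path] += count
            if path.startswith(WRITABLE_DIRS) and path.rsplit("/", 1)[-1] in SYSTEM_NAMES:
                ioc["masquerading"].add(path)
        elif "generated outgoing network traffic" in line:
            for ip, port in IPPORT.findall(line):
                ioc["outbound"].add((ip, int(port)))
                # Reserved/non-global ranges (e.g. 240.0.0.0/4) among the targets
                # point to random target generation, and are useless in a blocklist.
                if not ipaddress.ip_address(ip).is_global:
                    ioc["unroutable_targets"].add(ip)
        elif m := LISTEN.search(line):
            ioc["listening"].update(int(p) for p in re.findall(r"\d+", m.group(2)))
        elif m := SCAN.search(line):
            ioc["scanned_ports"][int(m.group(2))] += int(m.group(3))
        elif m := DOMAIN.search(line):
            ioc["domains"].update(d.strip() for d in m.group(1).split(","))
        elif m := LOGIN.search(line):
            ioc["logins"].add(m.group(1))
    return ioc


def block_candidates(ioc):
    """Sorted, de-duplicated outbound IPs worth feeding to a blocklist,
    excluding addresses that cannot be reached on the public Internet."""
    return sorted({ip for ip, _ in ioc["outbound"]} - ioc["unroutable_targets"])


if __name__ == "__main__":
    result = parse_events(SAMPLE_EVENTS)
    print("masquerading binaries:", sorted(result["masquerading"]))
    print("listening ports:", sorted(result["listening"]))
    print("hosts scanned on 2222:", result["scanned_ports"][2222])
    print("block candidates:", block_candidates(result))
```

Run it directly for a summary of the constructed sample, or replace SAMPLE_EVENTS with an export of real process events. The same parser works as a triage rule: any path in masquerading that also shows up with listening ports or outbound connections on 1234/2222, as /tmp/apache2 does in this record, is worth immediate attention.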
|