IP Address: 45.91.101.218Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
45.91.101.218​
Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

Download and Allow Execution Successful SSH Login Superuser Operation 1 Shell Commands Executable File Modification System File Modification Service Creation DNS Query Bulk Files Tampering Service Configuration Outgoing Connection Service Deletion SSH

Associated Attack Servers

www.speedtest.net archive.ubuntu.com raw.githubusercontent.com kanren.net hb.from-ks.com speedtest-wichita.kanren.net quilounges.com canonical.com speedtest.ideatek.com havilandtelco.com speedtest.rd.ks.cox.net hbcomm.net myspeed.giantcomm.net

198.241.62.98 151.101.0.133 74.115.39.234 91.189.88.142 151.101.2.219 45.95.168.152 64.71.219.236 164.113.60.33 91.189.88.152 184.182.243.153

Basic Information

IP Address

45.91.101.218

Domain

-

ISP

-

Country

Germany

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2020-08-15

Last seen in Guardicore Centra

2020-09-14

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

A possibly malicious Superuser Operation was detected 2 times

Superuser Operation

Process /usr/bin/apt-get attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com

DNS Query

Process /usr/bin/apt-get generated outgoing network traffic to: 91.189.88.152:80

Outgoing Connection

System file /etc/screenrc was modified 16 times

System File Modification

System file /etc/init.d/screen-cleanup was modified 16 times

System File Modification

The file /etc/init.d/screen-cleanup was downloaded and granted execution privileges

Executable file /usr/bin/screen was modified 16 times

Executable File Modification

The file /usr/bin/screen was downloaded and granted execution privileges

The file /usr/share/screen was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/screen/utf8encodings was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/doc/screen was downloaded and granted execution privileges

The file /usr/share/doc/screen/examples was downloaded and granted execution privileges

The file /usr/share/doc/screen/terminfo was downloaded and granted execution privileges

Download and Allow Execution

System file /etc/shells.tmp was modified 16 times

System File Modification

Service S02screen-cleanup was created

Service Creation

Service screen-cleanup was created

Service Creation

Service screen-cleanup.dpkg-new was created

Service Creation

System file /etc/init.d/.depend.boot was modified 4 times

System File Modification

System file /etc/init.d/.depend.start was modified 4 times

System File Modification

System file /etc/init.d/.depend.stop was modified 4 times

System File Modification

Connection was closed due to user inactivity

Process /usr/bin/dpkg performed bulk changes in {/usr} on 65 files

Bulk Files Tampering

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 45.91.101.218​Malicious