IP Address: 47.101.164.72 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SSH
Tags: Executable File Modification, SSH, Download and Execute, Download and Allow Execution, Successful SSH Login, Read Password Secrets, New SSH Key, Service Restart, Scheduled Task Creation, Outgoing Connection, System File Modification, Access Suspicious Domain, Listening
Associated Attack Servers: 163data.com.cn amazonaws.com hwclouds-dns.com 8.219.174.17 8.222.172.255 34.204.96.18 39.105.148.252 39.105.219.109 39.107.70.17 43.155.163.36 47.93.6.152 47.108.62.190 47.109.100.221 47.109.108.202 47.115.215.48 47.120.32.253 59.36.168.106 103.9.134.247 103.165.46.42 106.14.4.246 111.229.252.74 116.148.201.142 120.78.88.155 121.41.201.112 139.9.238.80 139.155.3.20 150.158.170.217 182.86.188.5 182.92.148.194 207.174.22.224 218.108.40.11 223.83.147.247
IP Address: 47.101.164.72
Domain: -
ISP: -
Country: China
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2023-11-11
Last seen in Akamai Guardicore Segmentation: 2023-11-11
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Incident timeline
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Outgoing Connection: Process /bin/bash generated outgoing network traffic to: 150.158.170.217:60116
System File Modification: System file /etc/crontab was modified 9 times
Executable File Modification: Executable file /usr/bin/wgbtx was modified
Download and Execute: The file /tmp/YkKwE1xowA was downloaded and executed 14 times
Listening: Process /tmp/YkKwE1xowA started listening on ports: 60129
System File Modification: System file /etc/ssh/sshd_config was modified 4 times
Outgoing Connection: Process /tmp/YkKwE1xowA generated outgoing network traffic to: 103.165.46.42:60110, 106.14.4.246:60108, 111.229.252.74:60102, 116.148.201.142:60127, 120.78.88.155:60144, 121.41.201.112:60130, 139.155.3.20:60106, 139.9.238.80:60114, 150.158.170.217:60116, 182.86.188.5:60107, 182.92.148.194:60125, 207.174.22.224:60119, 218.108.40.11:60134, 223.83.147.247:60139, 34.204.96.18:60134, 39.105.148.252:60125, 39.105.219.109:60108, 39.107.70.17:60118, 43.155.163.36:60111, 47.101.164.72:60119, 47.108.62.190:60136, 47.109.100.221:60134, 47.109.108.202:60110, 47.115.215.48:60103, 47.120.32.253:60112, 47.93.6.152:60128, 59.36.168.106:60134, 8.219.174.17:60131 and 8.222.172.255:60117
Listening: Process /usr/sbin/sshd started listening on ports: 22
Download and Execute: The file /tmp/bash was downloaded and executed
Outgoing Connection, Access Suspicious Domain: Process /tmp/YkKwE1xowA attempted to access suspicious domains: hwclouds-dns.com
Connection was closed due to timeout

New SSH Key: An attempt to download /root/.ssh/authorized_keys was made
Files observed
/tmp/bash
SHA256: 38e8e575344d9c429d0ac96c7bae8500758a442c6347579e83d04d084abb3877
558904 bytes
/tmp/zDRdT6kQR5
SHA256: 976e3772ffea7499f7c119e956a5a71806f8f054caf174978fa888b254dd22a0
1458464 bytes