IP Address: 5.161.48.51 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SSH |
Tags |
SSH, Superuser Operation, Successful SSH Login, Download and Execute, Download and Allow Execution |
Associated Attack Servers |
20.58.184.140 35.114.85.240 41.231.127.5 55.123.38.60 77.110.27.17 87.246.210.5 91.203.16.156 103.152.37.54 106.55.188.60 129.94.194.84 153.124.108.27 173.147.59.187 174.27.85.201 179.169.34.38 180.163.166.51 202.90.131.38 204.166.47.245 210.51.253.69 212.89.220.136 240.46.127.26 244.184.40.74 248.29.192.227 248.142.98.168 |
IP Address |
5.161.48.51 |
|
Domain |
- |
|
ISP |
Hetzner Online GmbH |
|
Country |
Germany |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-04-17 |
Last seen in Akamai Guardicore Segmentation |
2022-04-20 |
What is Akamai Guardicore Segmentation?
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 204 times |
Download and Execute |
Process /tmp/ifconfig started listening on ports: 1234, 8087 and 8188 |
Listening |
Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 104.190.142.141:2222, 104.21.25.86:443, 104.248.36.230:1234, 116.239.92.141:80, 116.239.92.141:8080, 122.19.206.116:80, 122.19.206.116:8080, 126.119.27.90:80, 126.119.27.90:8080, 130.204.176.113:80, 130.204.176.113:8080, 132.14.6.21:80, 132.14.6.21:8080, 132.33.216.152:80, 132.33.216.152:8080, 137.40.230.158:2222, 14.147.247.197:22, 14.218.100.176:2222, 14.220.147.163:2222, 142.201.20.14:22, 147.66.92.111:80, 147.66.92.111:8080, 148.75.210.41:80, 148.75.210.41:8080, 15.116.78.151:1234, 151.113.37.78:80, 151.113.37.78:8080, 152.75.17.244:80, 152.75.17.244:8080, 153.43.179.172:80, 153.43.179.172:8080, 158.120.190.64:80, 158.120.190.64:8080, 160.214.236.173:22, 167.20.206.200:80, 167.20.206.200:8080, 169.69.104.224:80, 169.69.104.224:8080, 172.67.133.228:443, 178.10.48.230:80, 178.10.48.230:8080, 179.80.95.243:80, 179.80.95.243:8080, 188.222.177.27:80, 188.222.177.27:8080, 191.73.87.245:22, 193.194.91.211:1234, 195.114.192.16:2222, 198.180.126.34:2222, 198.226.84.118:80, 198.226.84.118:8080, 20.130.55.199:80, 20.130.55.199:8080, 209.126.84.239:1234, 212.128.61.12:2222, 220.251.247.154:80, 220.251.247.154:8080, 223.177.239.197:80, 223.177.239.197:8080, 23.233.65.131:80, 23.233.65.131:8080, 24.67.98.111:80, 24.67.98.111:8080, 25.147.21.209:22, 250.248.61.107:2222, 41.210.92.199:80, 41.210.92.199:8080, 44.9.201.226:2222, 61.67.232.116:80, 61.67.232.116:8080, 66.133.168.42:80, 66.133.168.42:8080, 74.109.100.137:80, 74.109.100.137:8080, 79.159.70.72:22, 80.185.17.13:80, 80.185.17.13:8080, 82.88.109.96:2222, 85.205.121.250:80, 85.205.121.250:8080, 89.121.228.38:1234, 89.92.142.36:80, 89.92.142.36:8080, 92.213.126.47:80, 92.213.126.47:8080, 94.153.165.43:1234, 96.212.207.146:80 and 96.212.207.146:8080 |
Outgoing Connection |
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses |
Port 2222 Scan, Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses |
Port 2222 Scan, Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig scanned port 2222 on 32 IP Addresses |
Port 2222 Scan, Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses |
Port 2222 Scan, Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig scanned port 80 on 10 IP Addresses |
Port 2222 Scan, Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig attempted to access suspicious domains: kyivstar.net and rima-tde.net |
Access Suspicious Domain, Outgoing Connection |
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses |
Port 2222 Scan, Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig scanned port 2222 on 32 IP Addresses |
Port 2222 Scan, Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig scanned port 8080 on 10 IP Addresses |
Port 2222 Scan, Port 80 Scan, Port 8080 Scan |
Process /tmp/ifconfig scanned port 2222 on 10 IP Addresses |
Port 2222 Scan, Port 80 Scan, Port 8080 Scan |
The file /usr/local/bin/dash was downloaded and executed |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 39 times |
Download and Execute |
The file /usr/bin/free was downloaded and executed |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 3 times |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 11 times |
Download and Execute |
Connection was closed due to timeout |
|