IP Address: 5.255.86.129 (Previously Malicious)


IP Address:
5.255.86.129
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

Download and Execute, Download File, Superuser Operation, SSH, Successful SSH Login, Download and Allow Execution, SFTP, Outgoing Connection, 21 Shell Commands, Bulk Files Tampering

Connect Back Servers

sez.strangled.net, ip-54-37-70.eu

46.101.34.80, 112.166.68.193, 151.80.141.169, 185.220.101.70, 122.154.253.5, 165.227.210.71, 96.37.122.54, 220.167.247.138, 190.7.128.74, 222.124.12.57, 164.132.199.211, 106.12.196.28, 5.196.52.173, 173.210.1.162, 202.72.221.226, 58.87.67.226, 144.217.85.183, 192.144.130.31, 41.137.137.92, 149.56.96.78, 77.55.208.230, 45.63.13.251, 94.23.0.13, 188.166.36.177, 139.199.168.184, 159.203.141.208, 139.59.96.172, 202.29.220.114, 54.38.182.156, 165.22.128.115

Basic Information

IP Address

5.255.86.129

Domain

-

ISP

Serverius Holding B.V.

Country

Netherlands

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-12-01

Last seen in Guardicore Centra

2019-08-07

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects an organization's core assets using flexible, quickly deployed and easy-to-understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / ******** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/perl generated outgoing network traffic to: 146.185.171.227:443

Outgoing Connection

/tmp/.X13-unix/dota.tar.gz was downloaded

Download File

A possibly malicious Superuser Operation was detected 2 times

Superuser Operation

The file /tmp/.X13-unix/.rsync/1 was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.X13-unix/.rsync/dir.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.X13-unix/.rsync/c/dir.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.X13-unix/.rsync/c/aptitude was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.firefoxcatche/a/upd was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.X13-unix/.rsync/c/n was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.firefoxcatche/a/dir.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.firefoxcatche/b/sync was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.firefoxcatche/a/cron was downloaded and executed 8 times

Download and Execute

Process /root/.firefoxcatche/a/cron generated outgoing network traffic to: 5.255.86.129:80

Outgoing Connection

Process /usr/bin/perl generated outgoing network traffic to: 5.255.86.125:443

Outgoing Connection

The file /root/.firefoxcatche/b/ps was downloaded and executed

Download and Execute

Connection was closed due to timeout

Process /bin/tar performed bulk changes on 48 files under /

Bulk Files Tampering
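Read top to bottom, the flow above is one chain: a password login as root, a Perl process reaching out on 443, archives unpacked into hidden directories under /tmp and /root, the dropped files made executable and run, and the dropped cron binary connecting back on port 80 to the same IP that logged in. The Python below is an added example, not Centra's code or its event format: it correlates a constructed event list modelled on that flow into a single triage verdict. The flat event schema, the HIDDEN_STAGING pattern and the verdict rule are assumptions made for the example.

```python
"""Correlate host events into the login -> staging -> execution -> callback chain.

Added example (not Centra's code or event format). EVENTS is a constructed,
hypothetical flat schema modelled on the Attack Flow on this page.
"""
import re

# Hidden directory directly under a scratch or home location, e.g.
# /tmp/.X13-unix/... or /root/.firefoxcatche/... (pattern is an assumption).
HIDDEN_STAGING = re.compile(r"^/(?:tmp|var/tmp|root|home/[^/]+)/\.[^/]+/")

EVENTS = [  # constructed sample telemetry, not real Centra output
    {"t": 1, "type": "ssh_login", "user": "root", "method": "password",
     "src_ip": "5.255.86.129"},
    {"t": 2, "type": "net_connect", "proc": "/usr/bin/perl",
     "dst": "146.185.171.227:443"},
    {"t": 3, "type": "file_write", "path": "/tmp/.X13-unix/dota.tar.gz"},
    {"t": 4, "type": "chmod_exec", "path": "/tmp/.X13-unix/.rsync/c/aptitude"},
    {"t": 5, "type": "chmod_exec", "path": "/root/.firefoxcatche/a/cron"},
    {"t": 6, "type": "exec", "path": "/root/.firefoxcatche/a/cron"},
    {"t": 7, "type": "net_connect", "proc": "/root/.firefoxcatche/a/cron",
     "dst": "5.255.86.129:80"},
    {"t": 8, "type": "file_write", "path": "/var/log/wtmp"},   # benign noise
    {"t": 9, "type": "exec", "path": "/usr/bin/ps"},           # benign noise
]


def _host(dst):
    """'1.2.3.4:80' -> '1.2.3.4' (IPv4 host:port only; IPv6 is not handled)."""
    return dst.rsplit(":", 1)[0]


def correlate(events):
    """Return a triage summary for the first SSH login, or None if there is none."""
    ordered = sorted(events, key=lambda e: e["t"])
    login = next((e for e in ordered if e["type"] == "ssh_login"), None)
    if login is None:
        return None
    after = [e for e in ordered if e["t"] > login["t"]]

    # Anything written, chmod'ed or run inside a hidden staging directory.
    staged = sorted({e["path"] for e in after
                     if e["type"] in ("file_write", "chmod_exec", "exec")
                     and HIDDEN_STAGING.match(e["path"])})
    executed = [e["path"] for e in after
                if e["type"] == "exec" and HIDDEN_STAGING.match(e["path"])]
    # Outbound traffic back to the IP that logged in is the strongest single
    # signal in the flow above (cron -> 5.255.86.129:80).
    callback = any(e["type"] == "net_connect"
                   and _host(e["dst"]) == login["src_ip"] for e in after)

    indicators = []
    if login["user"] == "root" and login["method"] == "password":
        indicators.append("root password login")
    if staged:
        indicators.append("files staged in hidden directory")
    if executed:
        indicators.append("execution from hidden directory")
    if callback:
        indicators.append("callback to login source")

    if executed and callback:
        verdict = "dropper chain"
    elif indicators:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"src_ip": login["src_ip"], "staged_paths": staged,
            "executed": executed, "callback_to_source": callback,
            "indicators": indicators, "verdict": verdict}


if __name__ == "__main__":
    import json
    print(json.dumps(correlate(EVENTS), indent=2))
```

The rule deliberately keys on behaviour (hidden staging directory, execution from it, connection back to the login source) rather than on the exact names in this flow, since the X13/X15 suffix and the archive names change between samples; the trade-off is that a dotted directory created by a legitimate tool under a home directory also counts as staged, so the pattern should be tuned to the fleet before it pages anyone.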

Associated Files

Path | SHA256 | Size
/var/tmp/x/haiduc.filepart | 6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4 | 1040592 bytes
/usr/local/bin/srsync.sh | c9bd0154342a966efc86fb700a844e596c1daaa6d7a44e73da8553edb1887a5a | 109 bytes
/usr/local/bin/srsync.sh | 3c475448c2405b6a4608993cb513d2914da6453b86281fd526b8ea2e9e5ae089 | 72 bytes
/tmp/.X15-unix/.rsync/a/cron | 4efec3c7b33fd857bf8ef38e767ac203167d842fdecbeee29e30e044f7c6e33d | 1666120 bytes
/tmp/.X15-unix/dota2.tar.gz | 45d985035e68d09deeea137ecd75ac1622e35202f411c5d0b5d51d9ee42b2a84 | 2612902 bytes
/tmp/.x15cache | 3973940fd949ccb944d8ff160a7c7d08aa5d3f4eadd67a0e5d41fe0bffebb469 | 308 bytes
/tmp/.X15-unix/dota2.tar.gz | 86ab0b3a7f7a8ff5a40199289b975a91a58d2c0b1d0893cf8d8e6923b17039ee | 2607517 bytes
/tmp/.X15-unix/dota2.tar.gz | da2ecb3d16c554c2bdec2b61ffbec6bfa460ef1697407e62fd427d936a33e5e9 | 2613049 bytes
/tmp/lan.sh | 75f5d5c5fc34ce708d91ccecb0aed9013975c143d15b4e9e6a7d15e2f0e28dc3 | 530 bytes
/tmp/.mountfs/dota.tar.gz | 57e4a624fa138786ec9d36849a981955b2c35afa1d796eb9653f3ba4f4194332 | 103315 bytes
/tmp/.sparky/sslm.tar.gz | 0fbb306f4ee08dd47c67103cb3b885e8fee6a34edc181fe15282dafc37a4e8fe | 1019755 bytes
/tmp/.sparky/sslm.tar.gz | 8bb3bbf7bc963ab9c451bd14ef68e74263d8f61d40a14c57bc85463dcdb15a69 | 1019183 bytes
/tmp/.sparky/sslm.tar.gz | f4a32c4649d114007b3f7f652e29fa1207737cf5da3dbf58323700569d436e2b | 314468 bytes
/tmp/.sparky/sslm.tar.gz | f031edb4f7b6284654c44141b32901a23aae250b33d3f1b9774ed46ee860a743 | 784580 bytes
/tmp/.mountfs/dota.tar.gz | 7e28211d313bd9ba00956f09733c71783173c26e1b4e99708dff7138b9fced2a | 58161 bytes
/tmp/.X15-unix/dota2.tar.gz | c8cae37e3320a1c1f3079fa6d13b62e03156bb17a1a054e3a6d8509c815e8c3b | 2612929 bytes
/tmp/clean | cff87d580362f883610cd60d124563cb6ddec218d432c9c2d5f2e3d074ae94a2 | 1972 bytes
/tmp/.mountfs/dota.tar.gz | 278ad6cce8bb90ab1933cfecb3006f8c54e555b4c19e57a6ea3e5765d5994b18 | 103315 bytes
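The same file names recur with different hashes (four distinct dota2.tar.gz archives, two srsync.sh scripts, three dota.tar.gz drops), and the attack flow above staged into /tmp/.X13-unix where these samples sit in /tmp/.X15-unix. A sweep that relies on hashes alone therefore misses the next variant, and one that relies on paths alone is blind once the staging directory is renamed. The Python below is an added example, not Guardicore's tooling: it walks a filesystem tree and reports any file that matches either the page's SHA256 set or a path pattern derived from the listed locations. The path patterns and the small tree the demo builds are assumptions made for the example.

```python
"""Sweep a tree for the Associated Files listed above, by hash and by path.

Added example (not Guardicore tooling). The hashes are copied from this page;
the path patterns generalise the listed locations and are an assumption.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values copied from the Associated Files list on this page (18 entries).
PAGE_HASHES = {
    "6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4",
    "c9bd0154342a966efc86fb700a844e596c1daaa6d7a44e73da8553edb1887a5a",
    "3c475448c2405b6a4608993cb513d2914da6453b86281fd526b8ea2e9e5ae089",
    "4efec3c7b33fd857bf8ef38e767ac203167d842fdecbeee29e30e044f7c6e33d",
    "45d985035e68d09deeea137ecd75ac1622e35202f411c5d0b5d51d9ee42b2a84",
    "3973940fd949ccb944d8ff160a7c7d08aa5d3f4eadd67a0e5d41fe0bffebb469",
    "86ab0b3a7f7a8ff5a40199289b975a91a58d2c0b1d0893cf8d8e6923b17039ee",
    "da2ecb3d16c554c2bdec2b61ffbec6bfa460ef1697407e62fd427d936a33e5e9",
    "75f5d5c5fc34ce708d91ccecb0aed9013975c143d15b4e9e6a7d15e2f0e28dc3",
    "57e4a624fa138786ec9d36849a981955b2c35afa1d796eb9653f3ba4f4194332",
    "0fbb306f4ee08dd47c67103cb3b885e8fee6a34edc181fe15282dafc37a4e8fe",
    "8bb3bbf7bc963ab9c451bd14ef68e74263d8f61d40a14c57bc85463dcdb15a69",
    "f4a32c4649d114007b3f7f652e29fa1207737cf5da3dbf58323700569d436e2b",
    "f031edb4f7b6284654c44141b32901a23aae250b33d3f1b9774ed46ee860a743",
    "7e28211d313bd9ba00956f09733c71783173c26e1b4e99708dff7138b9fced2a",
    "c8cae37e3320a1c1f3079fa6d13b62e03156bb17a1a054e3a6d8509c815e8c3b",
    "cff87d580362f883610cd60d124563cb6ddec218d432c9c2d5f2e3d074ae94a2",
    "278ad6cce8bb90ab1933cfecb3006f8c54e555b4c19e57a6ea3e5765d5994b18",
}

# Staging locations generalised from the listed paths (the Xnn suffix varies).
PATH_PATTERNS = [re.compile(p) for p in (
    r"^/tmp/\.X\d+-unix/",
    r"^/tmp/\.x\d+cache$",
    r"^/tmp/\.(?:mountfs|sparky)/",
    r"^/tmp/(?:lan\.sh|clean)$",
    r"^/root/\.firefoxcatche/",
    r"^/var/tmp/x/",
    r"^/usr/local/bin/srsync\.sh$",
)]


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root, hashes=PAGE_HASHES, patterns=PATH_PATTERNS):
    """Walk `root` (treated as '/' for path matching) and return findings.

    Each finding records the path, its hash, its size and why it matched
    ('path', 'hash', or both). Symlinks are skipped so a planted link cannot
    pull the scan outside the tree.
    """
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if full.is_symlink():
                continue
            rel = "/" + full.relative_to(root).as_posix()
            reasons = []
            if any(p.search(rel) for p in patterns):
                reasons.append("path")
            digest = sha256_file(full)
            if digest in hashes:
                reasons.append("hash")
            if reasons:
                findings.append({"path": rel, "sha256": digest,
                                 "size": full.stat().st_size, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def demo():
    """Build a constructed tree with one path hit and one hash hit, then scan it."""
    root = Path(tempfile.mkdtemp(prefix="ioc-demo-"))
    planted = root / "tmp/.X15-unix/.rsync/a/cron"      # path-pattern hit only
    planted.parent.mkdir(parents=True)
    planted.write_bytes(b"stand-in content, not the real sample\n")
    hostname = root / "etc/hostname"                     # hash hit via extra IOC
    hostname.parent.mkdir(parents=True)
    hostname.write_bytes(b"web01\n")
    (root / "etc/motd").write_bytes(b"benign\n")         # must not be reported
    extra = {hashlib.sha256(b"web01\n").hexdigest()}     # constructed IOC for demo
    return scan_tree(root, hashes=PAGE_HASHES | extra)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["reasons"], f["size"], f["sha256"][:16])
```

Run it against a live root as `scan_tree("/")` from a read-only context (a forensic mount or a container with the host filesystem mounted) rather than on the compromised box itself, since the flow above shows the dropper already running as root and able to tamper with what the scan reads.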
