IP Address: 50.250.21.164 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SSH
Tags: Port 22 Scan, 12 Shell Commands, SSH, Access Suspicious Domain, Download and Allow Execution, Successful SSH Login, Listening, Port 2222 Scan, Download and Execute, Outgoing Connection
Associated Attack Servers: 3.17.11.48, 13.90.45.216, 78.5.170.222, 103.9.134.247, 121.155.49.93
IP Address: 50.250.21.164
Domain: -
ISP: Comcast Business
Country: United States
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2020-05-28
Last seen in Akamai Guardicore Segmentation: 2020-07-17
A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password | Successful SSH Login
A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password | Successful SSH Login
The file /tmp/ifconfig was downloaded and executed 6 times | Download and Execute
The file /tmp/nginx was downloaded and executed 120 times | Download and Execute
Process /tmp/nginx scanned port 22 on 46 IP Addresses | Port 22 Scan, Port 2222 Scan
Process /tmp/nginx scanned port 22 on 39 IP Addresses | Port 22 Scan, Port 2222 Scan
Process /tmp/nginx scanned port 2222 on 46 IP Addresses | Port 22 Scan, Port 2222 Scan
Process /tmp/nginx started listening on ports: 1234 | Listening
Process /tmp/nginx generated outgoing network traffic to a list of remote IP addresses | Outgoing Connection
Process /tmp/nginx scanned port 2222 on 39 IP Addresses | Port 22 Scan, Port 2222 Scan
Process /tmp/nginx attempted to access suspicious domains: comcastbusiness.net | Access Suspicious Domain, Outgoing Connection
The file /tmp/php-fpm was downloaded and executed 17 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 3 times | Download and Execute
The file /tmp/php-fpm was downloaded and granted execution privileges | Download and Allow Execution
The file /tmp/php-fpm was downloaded and executed 5 times | Download and Execute
Connection was closed due to timeout