IP Address: 51.178.137.178 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Port 2222 Scan, Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers:
IP Address: 51.178.137.178
Domain: -
ISP: OVH SAS
Country: France
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-03-18
Last seen in Akamai Guardicore Segmentation: 2022-12-07
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Tags: Successful SSH Login
/dev/shm/ifconfig was downloaded
Tags: Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Tags: Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times
Tags: Superuser Operation
Process /dev/shm/apache2 generated outgoing network traffic to: 101.116.246.219:22, 102.88.149.213:80, 102.88.149.213:8080, 104.21.25.86:443, 111.15.139.32:80, 111.15.139.32:8080, 113.176.83.159:1234, 116.125.84.208:2222, 120.197.154.22:1234, 121.21.8.125:80, 121.21.8.125:8080, 122.178.200.216:2222, 122.245.174.16:22, 130.105.55.215:80, 130.105.55.215:8080, 130.45.208.98:80, 130.45.208.98:8080, 134.241.69.84:80, 134.241.69.84:8080, 138.68.144.226:80, 138.68.144.226:8080, 140.118.114.127:1234, 142.29.134.162:80, 142.29.134.162:8080, 146.144.203.214:80, 146.144.203.214:8080, 15.55.21.187:80, 15.55.21.187:8080, 150.107.95.20:1234, 153.226.133.88:80, 153.226.133.88:8080, 153.235.241.153:2222, 156.117.141.36:80, 156.117.141.36:8080, 156.144.46.70:2222, 159.61.37.213:80, 159.61.37.213:8080, 16.118.15.146:80, 16.118.15.146:8080, 167.244.39.119:2222, 171.188.241.211:80, 171.188.241.211:8080, 172.67.133.228:443, 175.162.151.105:2222, 179.174.208.175:80, 179.174.208.175:8080, 181.14.228.175:80, 181.14.228.175:8080, 184.220.99.175:80, 184.220.99.175:8080, 192.216.214.178:80, 192.216.214.178:8080, 194.141.226.238:80, 194.141.226.238:8080, 199.9.150.159:2222, 21.50.159.104:80, 21.50.159.104:8080, 210.49.234.4:2222, 211.219.119.13:1234, 212.78.166.140:1234, 223.65.126.171:80, 223.65.126.171:8080, 24.181.95.161:22, 24.71.164.90:80, 24.71.164.90:8080, 27.47.113.176:80, 27.47.113.176:8080, 36.233.85.159:80, 36.233.85.159:8080, 38.220.78.74:80, 38.220.78.74:8080, 47.206.43.35:80, 47.206.43.35:8080, 51.44.212.110:80, 51.44.212.110:8080, 51.75.146.174:443, 63.10.27.40:80, 63.10.27.40:8080, 66.173.188.217:2222, 78.28.7.25:22, 80.74.168.249:1234, 87.253.204.118:80, 87.253.204.118:8080, 90.86.199.79:2222, 92.227.157.103:80, 92.227.157.103:8080, 95.6.8.229:80, 95.6.8.229:8080 and 95.92.212.66:22 |
Tags: Outgoing Connection
Process /dev/shm/apache2 attempted to access suspicious domains: neobee.net, netcabo.pt, ntust.edu.tw and petrus.pl
Tags: Access Suspicious Domain, Outgoing Connection
Process /dev/shm/apache2 started listening on ports: 1234, 8084 and 8189
Tags: Listening
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Tags: Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Tags: Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 2222 on 32 IP Addresses
Tags: Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Tags: Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 80 on 10 IP Addresses
Tags: Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Tags: Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 2222 on 32 IP Addresses
Tags: Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 10 IP Addresses
Tags: Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 2222 on 10 IP Addresses
Tags: Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Connection was closed due to timeout
|