Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 51.178.215.203Previously Malicious

IP Address: 51.178.215.203Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

Download and Allow Execution HTTP Successful SSH Login Download Operation Access Suspicious Domain 2 Shell Commands Download File Outgoing Connection Download and Execute SSH

Associated Attack Servers

ip-51-178-166.eu ip-51-178-225.eu

51.178.166.165 51.178.225.200 130.185.72.93 130.185.75.34 171.22.24.217 171.22.25.97 185.110.189.19 185.110.189.37 185.110.190.89 185.110.190.125

Basic Information

IP Address

51.178.215.203

Domain

-

ISP

OVH SAS

Country

France

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2020-09-28

Last seen in Akamai Guardicore Segmentation

2020-10-22

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected 4 times

Download Operation

Process /usr/bin/wget generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

/tmp/GhOul.sh was downloaded

Download File

The file /tmp/GhOul.sh was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

The file /tmp/m-i.p-s.GHOUL was downloaded and granted execution privileges 2 times

Download and Allow Execution

Process /usr/local/bin/dash generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

The file /tmp/m-p.s-l.GHOUL was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/local/bin/dash generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

/tmp/s-h.4-.GHOUL was downloaded

Download File

The file /tmp/s-h.4-.GHOUL was downloaded and granted execution privileges

Process /usr/local/bin/dash generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

The file /tmp/x-8.6-.GHOUL was downloaded and executed 4 times

Download and Execute

Process /tmp/x-8.6-.GHOUL generated outgoing network traffic to: 51.178.225.200:3333

Outgoing Connection

Process /tmp/x-8.6-.GHOUL attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

Process /usr/local/bin/dash generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

The file /tmp/a-r.m-7.GHOUL was downloaded and granted execution privileges

A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password

Successful SSH Login

Process /usr/bin/wget generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

The file /tmp/GhOul.sh was downloaded and granted execution privileges

Process /usr/local/bin/dash generated outgoing network traffic to: 51.178.225.200:80 3 times

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: ip-51-178-225.eu 3 times

Access Suspicious Domain Outgoing Connection

Process /usr/local/bin/dash generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

The file /tmp/m-p.s-l.GHOUL was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/bin/wget generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

Process /usr/local/bin/dash generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/local/bin/dash attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

/tmp/x-3.2-.GHOUL was downloaded

Download File

The file /tmp/x-3.2-.GHOUL was downloaded and executed 2 times

Download and Execute

Process /usr/bin/wget generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

The file /tmp/a-r.m-7.GHOUL was downloaded and granted execution privileges

Process /usr/bin/wget generated outgoing network traffic to: 51.178.225.200:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-178-225.eu

Access Suspicious Domain Outgoing Connection

The file /tmp/p-p.c-.GHOUL was downloaded and granted execution privileges

Download and Allow Execution

Connection was closed due to timeout