Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 52.130.81.35Previously Malicious

IP Address: 52.130.81.35Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

New SSH Key SSH SSH Brute Force Outgoing Connection Access Suspicious Domain Successful SSH Login Download and Execute

Associated Attack Servers

ident.me

14.29.196.126 23.55.220.59 39.105.187.175 47.95.196.235 47.104.252.215 49.232.99.199 49.232.163.176 49.233.189.198 49.234.62.76 49.234.122.134 49.234.197.216 50.19.206.143 66.171.248.178 68.183.186.25 106.52.133.125 106.53.52.246 106.53.74.231 106.53.108.192 106.54.0.80 111.229.242.150 111.230.251.247 111.231.84.107 111.231.197.120 115.159.220.112 116.202.55.106 118.24.18.164 118.25.98.162 119.27.166.148 119.29.2.120

Basic Information

IP Address

52.130.81.35

Domain

-

ISP

Shanghai Blue Cloud Technology Co.,Ltd

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2020-04-12

Last seen in Akamai Guardicore Segmentation

2020-07-23

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)

SSH Brute Force Successful SSH Login

The file /usr/bin/dahdzu was downloaded and executed 46 times

Download and Execute

Process /usr/bin/dahdzu generated outgoing network traffic to: 1.1.1.1:53, 106.52.133.125:46139, 106.53.108.192:43137, 106.53.52.246:46863, 106.53.74.231:35899, 106.54.0.80:34630, 111.229.242.150:38398, 111.230.251.247:34911, 111.231.197.120:43572, 111.231.84.107:36662, 115.159.220.112:47655, 116.202.55.106:80, 118.24.18.164:43215, 118.25.98.162:42895, 119.27.166.148:36185, 119.29.2.120:34462, 120.77.50.237:24880, 120.77.57.50:35523, 120.92.104.149:28127, 122.51.80.13:42906, 122.51.88.172:33873, 123.206.18.36:32337, 123.207.3.213:34072, 129.204.103.141:41826, 139.155.17.53:43568, 139.155.74.38:40090, 14.29.196.126:38630, 140.143.240.59:39080, 149.129.103.50:44894, 175.24.22.178:46074, 176.58.123.25:80, 180.108.64.5:44619, 208.67.222.222:443, 212.129.154.177:37965, 212.64.34.108:44629, 216.239.32.21:80, 216.239.34.21:80, 218.201.70.103:30524, 219.149.105.246:37338, 223.203.98.166:34195, 23.55.220.59:80, 39.105.187.175:44963, 47.104.252.215:6081, 47.95.196.235:35381, 49.232.163.176:41405, 49.232.99.199:44956, 49.233.189.198:32949, 49.234.122.134:36241, 49.234.197.216:40909, 49.234.62.76:45949, 50.19.206.143:80, 66.171.248.178:80 and 68.183.186.25:8000

Outgoing Connection

Process /usr/bin/dahdzu attempted to access suspicious domains: icanhazip.com, ident.me and one.one

Access Suspicious Domain Outgoing Connection

Connection was closed due to timeout

An attempt to download /root/.ssh/authorized_keys was made 25 times

New SSH Key