IP Address: 52.255.154.41Previously Malicious
IP Address: 52.255.154.41Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SSH |
Tags |
Successful SSH Login New SSH Key Access Suspicious Domain Outgoing Connection SSH Brute Force Download and Execute SSH |
Associated Attack Servers |
39.104.172.64 39.105.175.226 42.62.6.200 42.96.170.211 45.33.59.90 47.95.145.40 47.98.121.79 47.104.31.129 47.106.193.74 47.244.107.80 49.73.84.142 49.232.74.172 49.233.64.207 49.234.23.43 49.234.187.186 49.235.65.48 49.235.194.253 58.23.212.41 58.144.209.82 60.248.152.189 61.153.189.179 66.171.248.178 81.68.101.198 103.29.119.125 103.45.102.107 106.54.35.171 106.54.44.220 106.54.101.192 106.75.90.200 |
IP Address |
52.255.154.41 |
|
Domain |
- |
|
ISP |
Microsoft Corporation |
|
Country |
United States |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2020-07-24 |
Last seen in Akamai Guardicore Segmentation |
2020-09-23 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / *********** - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt) |
SSH Brute Force Successful SSH Login |
The file /usr/bin/jghlmz was downloaded and executed 56 times |
Download and Execute |
Process /usr/bin/jghlmz generated outgoing network traffic to: 1.1.1.1:53, 103.29.119.125:22969, 103.45.102.107:46332, 106.54.101.192:43419, 106.54.35.171:40010, 106.54.44.220:45713, 106.75.90.200:37637, 107.170.192.159:8000, 111.229.218.123:36345, 116.255.177.198:39401, 117.26.72.167:54328, 117.73.10.199:39726, 117.73.10.53:36467, 118.24.21.150:42797, 119.45.11.243:46763, 122.51.116.192:33673, 122.51.68.129:35571, 132.232.40.86:38003, 136.144.56.255:80, 154.92.16.22:36759, 154.92.195.134:48506, 173.82.26.51:36363, 175.24.116.161:37796, 176.58.123.25:80, 184.73.125.183:80, 204.237.142.137:80, 208.67.222.222:443, 210.73.207.46:49558, 211.110.1.206:42809, 212.64.34.108:44629, 216.117.227.195:35047, 216.239.32.21:80, 219.148.36.105:46523, 39.104.172.64:46835, 39.105.175.226:9919, 42.96.170.211:48773, 45.33.59.90:44145, 47.104.31.129:45149, 47.106.193.74:46043, 47.98.121.79:42865, 49.232.74.172:39185, 49.233.64.207:38589, 49.234.187.186:35833, 49.234.23.43:34441, 49.235.194.253:34937, 49.235.65.48:33261, 49.73.84.142:53587, 58.23.212.41:44789, 60.248.152.189:60199, 61.153.189.179:48786, 66.171.248.178:80 and 81.68.101.198:39874 |
Outgoing Connection |
Process /usr/bin/jghlmz attempted to access suspicious domains: allwest.net, icanhazip-iad-1, ident.me, one.one and usib.tv |
Access Suspicious Domain Outgoing Connection |
Connection was closed due to timeout |
|
An attempt to download /root/.ssh/authorized_keys was made 25 times |
New SSH Key |