IP Address: 54.37.70.249
Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

SSH

Tags

Port 22 Scan, Download File, Download and Execute, HTTP, Log Tampering, Download Operation, Outgoing Connection, Scheduled Task Creation, Successful SSH Login, Bulk Files Tampering, Download and Allow Execution, 5 Shell Commands, SSH, Access Suspicious Domain

Associated Attack Servers

ip-213-32-91.eu, ip-54-37-70.eu, sez.strangled.net, poneytelecom.eu


Basic Information

IP Address

54.37.70.249

Domain

-

ISP

OVH SAS

Country

France

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-08-16

Last seen in Guardicore Centra

2020-09-13

What is Guardicore Centra

Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected

Download Operation

History File Tampering detected from /bin/bash 2 times

Log Tampering

Process /usr/bin/wget generated outgoing network traffic to: 54.37.70.249:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-54-37-70.eu

Access Suspicious Domain, Outgoing Connection

/tmp/.mountfs/dota.tar.gz was downloaded

Download File

The file /tmp/.mountfs/.rsync/init0 was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.mountfs/.rsync/dir.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.mountfs/.rsync/c/dir.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.ttp/a/upd was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.ttp/a/dir.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.mountfs/.rsync/c/aptitude was downloaded and granted execution privileges

Download and Allow Execution

The file /tmp/.mountfs/.rsync/c/n was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.ttp/b/sync was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.ttp/a/crond64 was downloaded and executed 8 times

Download and Execute

Process /root/.ttp/a/crond64 generated outgoing network traffic to: 107.191.99.221:80

Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 141.85.241.113:80

Outgoing Connection

/tmp/.mountfs/.rsync/c/xtr was downloaded

Download File

Process /usr/bin/wget generated outgoing network traffic to: 213.32.91.37:80 2 times

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-213-32-91.eu 2 times

Access Suspicious Domain, Outgoing Connection

/tmp/.mountfs/.rsync/c/ip was downloaded

Download File

/tmp/.mountfs/.rsync/c/p was downloaded

Download File

The file /tmp/.mountfs/.rsync/c/lib/64/tsm was downloaded and executed 126 times

Download and Execute


Process /tmp/.mountfs/.rsync/c/lib/64/tsm scanned port 22 on 95 IP Addresses

Port 22 Scan

Connection was closed due to timeout

Process /bin/tar performed bulk changes in {/} on 55 files

Bulk Files Tampering

Associated Files
