IP Address: 54.37.70.249Malicious
Weekly Summary
Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network
Top Threats
Cyber Threat Intelligence
Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed
IP Address:
54.37.70.249
Malicious
This IP address attempted an attack on a machine protected by Guardicore Centra
Threat Information
|
Role |
Attacker, Connect-Back, Scanner |
|
Services Targeted |
SSH |
|
Tags |
Port 22 Scan Download File Download and Execute HTTP Log Tampering Download Operation Outgoing Connection Scheduled Task Creation Successful SSH Login Bulk Files Tampering Download and Allow Execution 5 Shell Commands SSH Access Suspicious Domain |
|
Associated Attack Servers |
ip-213-32-91.eu ip-54-37-70.eu sez.strangled.net poneytelecom.eu 159.65.106.35 118.24.255.191 129.204.119.243 5.196.1.129 91.121.51.120 182.162.96.185 104.248.174.126 167.99.220.199 104.248.182.179 80.200.200.132 112.35.45.62 163.5.245.178 145.239.89.243 201.161.58.232 183.111.188.93 198.245.50.81 213.183.101.89 144.217.15.161 186.81.30.184 118.126.105.120 190.128.168.78 139.59.13.223 111.230.64.83 222.124.12.57 181.198.86.24 193.112.191.228 51.38.176.147 180.179.227.201 141.223.34.116 104.236.52.94 |
Basic Information
|
IP Address |
54.37.70.249 |
|
|
Domain |
- |
|
|
ISP |
OVH SAS |
|
|
Country |
France |
|
|
WHOIS |
Created Date |
- |
|
Updated Date |
- |
|
|
Organization |
- |
|
|
First seen in Guardicore Centra |
2018-08-16 |
|
Last seen in Guardicore Centra |
2020-09-13 |
What is Guardicore CentraGuardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
Attack Flow
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
|
A possibly malicious Download Operation was detected |
Download Operation |
|
History File Tampering detected from /bin/bash 2 times |
Log Tampering |
|
Process /usr/bin/wget generated outgoing network traffic to: 54.37.70.249:80 |
Outgoing Connection |
|
Process /usr/bin/wget attempted to access suspicious domains: ip-54-37-70.eu |
Access Suspicious Domain Outgoing Connection |
|
/tmp/.mountfs/dota.tar.gz was downloaded |
Download File |
|
The file /tmp/.mountfs/.rsync/init0 was downloaded and granted execution privileges |
Download and Allow Execution |
|
The file /tmp/.mountfs/.rsync/dir.dir was downloaded and granted execution privileges |
Download and Allow Execution |
|
The file /tmp/.mountfs/.rsync/c/dir.dir was downloaded and granted execution privileges |
Download and Allow Execution |
|
The file /root/.ttp/a/upd was downloaded and granted execution privileges |
Download and Allow Execution |
|
The file /root/.ttp/a/dir.dir was downloaded and granted execution privileges |
Download and Allow Execution |
|
The file /tmp/.mountfs/.rsync/c/aptitude was downloaded and granted execution privileges |
Download and Allow Execution |
|
The file /tmp/.mountfs/.rsync/c/n was downloaded and granted execution privileges |
Download and Allow Execution |
|
The file /root/.ttp/b/sync was downloaded and granted execution privileges |
Download and Allow Execution |
|
The file /root/.ttp/a/crond64 was downloaded and executed 8 times |
Download and Execute |
|
Process /root/.ttp/a/crond64 generated outgoing network traffic to: 107.191.99.221:80 |
Outgoing Connection |
|
Process /usr/bin/wget generated outgoing network traffic to: 141.85.241.113:80 |
Outgoing Connection |
|
/tmp/.mountfs/.rsync/c/xtr was downloaded |
Download File |
|
Process /usr/bin/wget generated outgoing network traffic to: 213.32.91.37:80 2 times |
Outgoing Connection |
|
Process /usr/bin/wget attempted to access suspicious domains: ip-213-32-91.eu 2 times |
Access Suspicious Domain Outgoing Connection |
|
/tmp/.mountfs/.rsync/c/ip was downloaded |
Download File |
|
/tmp/.mountfs/.rsync/c/p was downloaded |
Download File |
|
The file /tmp/.mountfs/.rsync/c/lib/64/tsm was downloaded and executed 126 times |
Download and Execute |
|
Process /tmp/.mountfs/.rsync/c/lib/64/tsm generated outgoing network traffic to: 101.251.112.62:22, 103.108.140.192:22, 103.245.167.108:22, 108.179.224.123:22, 108.187.42.36:22, 111.235.138.237:22, 119.133.86.72:22, 123.60.213.6:22, 128.97.31.233:22, 129.49.76.86:22, 13.208.113.231:22, 13.230.185.124:22, 13.57.214.60:22, 130.193.85.74:22, 138.91.121.250:22, 139.162.141.114:22, 140.82.19.78:22, 142.11.229.130:22, 142.252.4.234:22, 142.93.40.42:22, 143.191.128.188:22, 143.191.38.8:22, 148.247.182.96:22, 149.56.175.44:22, 154.214.97.37:22, 157.7.166.191:22, 158.85.185.245:22, 159.65.0.77:22, 162.212.171.88:22, 167.114.133.84:22, 172.93.156.201:22, 173.201.82.40:22, 178.62.238.41:22, 18.191.247.100:22, 18.236.172.192:22, 184.173.18.107:22, 188.125.19.222:22, 188.166.107.203:22, 188.218.14.184:22, 192.207.12.62:22, 192.52.242.52:22, 192.81.218.17:22, 195.68.11.79:22, 198.199.101.24:22, 206.189.214.189:22, 209.59.189.53:22, 209.97.176.169:22, 213.32.27.118:22, 216.129.207.150:22, 23.102.224.63:22, 34.229.76.175:22, 34.76.141.48:22, 35.156.180.69:22, 35.160.189.37:22, 35.190.210.181:22, 35.199.118.90:22, 35.204.114.160:22, 35.222.239.43:22, 35.228.99.26:22, 35.230.182.44:22, 37.187.107.171:22, 45.32.107.153:22, 5.148.171.160:22, 5.63.153.92:22, 50.62.50.211:22, 50.62.71.136:22, 50.87.108.118:22, 51.136.25.157:22, 51.15.245.23:22, 52.166.106.52:22, 52.18.211.220:22, 52.2.176.140:22, 52.221.190.190:22, 52.224.234.75:22, 52.246.182.124:22, 52.41.64.212:22, 52.76.112.9:22, 54.179.165.107:22, 63.209.33.189:22, 64.30.133.1:22, 68.183.213.231:22, 74.208.95.150:22, 74.50.48.131:22, 76.80.103.78:22, 77.222.54.249:22, 80.78.255.42:22, 80.86.30.41:22, 82.118.17.127:22, 82.165.181.79:22, 87.106.238.143:22, 88.212.128.49:22, 88.212.253.51:22, 88.99.173.227:22, 88.99.239.241:22 and 93.170.129.186:22 |
|
|
Process /tmp/.mountfs/.rsync/c/lib/64/tsm scanned port 22 on 95 IP Addresses |
Port 22 Scan |
|
Connection was closed due to timeout |
|
|
Process /bin/tar performed bulk changes in {/} on 55 files |
Bulk Files Tampering |
Associated Files
|
/var/tmp/x/haiduc.filepart |
SHA256: 6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4 |
1040592 bytes |
|
/usr/local/bin/srsync.sh |
SHA256: c9bd0154342a966efc86fb700a844e596c1daaa6d7a44e73da8553edb1887a5a |
109 bytes |
|
/usr/local/bin/srsync.sh |
SHA256: 3c475448c2405b6a4608993cb513d2914da6453b86281fd526b8ea2e9e5ae089 |
72 bytes |
|
/tmp/vps |
SHA256: d4acf9dcdcb6e3678820f1c8435a58a9a996a156ccbf55155ed57a1e0cceff2e |
35168 bytes |
|
/tmp/.X15-unix/.rsync/a/cron |
SHA256: 4efec3c7b33fd857bf8ef38e767ac203167d842fdecbeee29e30e044f7c6e33d |
1666120 bytes |
|
/tmp/.X15-unix/dota2.tar.gz |
SHA256: 45d985035e68d09deeea137ecd75ac1622e35202f411c5d0b5d51d9ee42b2a84 |
2612902 bytes |
|
/tmp/.x15cache |
SHA256: 3973940fd949ccb944d8ff160a7c7d08aa5d3f4eadd67a0e5d41fe0bffebb469 |
308 bytes |
|
/tmp/.X15-unix/dota2.tar.gz |
SHA256: 86ab0b3a7f7a8ff5a40199289b975a91a58d2c0b1d0893cf8d8e6923b17039ee |
2607517 bytes |
|
/tmp/.X15-unix/dota2.tar.gz |
SHA256: da2ecb3d16c554c2bdec2b61ffbec6bfa460ef1697407e62fd427d936a33e5e9 |
2613049 bytes |
|
/tmp/lan.sh |
SHA256: 75f5d5c5fc34ce708d91ccecb0aed9013975c143d15b4e9e6a7d15e2f0e28dc3 |
530 bytes |
|
/tmp/.mountfs/dota.tar.gz |
SHA256: 57e4a624fa138786ec9d36849a981955b2c35afa1d796eb9653f3ba4f4194332 |
103315 bytes |
|
/tmp/.sparky/sslm.tar.gz |
SHA256: 0fbb306f4ee08dd47c67103cb3b885e8fee6a34edc181fe15282dafc37a4e8fe |
1019755 bytes |
|
/tmp/.sparky/sslm.tar.gz |
SHA256: 8bb3bbf7bc963ab9c451bd14ef68e74263d8f61d40a14c57bc85463dcdb15a69 |
1019183 bytes |
|
/tmp/.sparky/sslm.tar.gz |
SHA256: f4a32c4649d114007b3f7f652e29fa1207737cf5da3dbf58323700569d436e2b |
314468 bytes |
|
/tmp/.sparky/sslm.tar.gz |
SHA256: f031edb4f7b6284654c44141b32901a23aae250b33d3f1b9774ed46ee860a743 |
784580 bytes |
|
/tmp/.mountfs/dota.tar.gz |
SHA256: 7e28211d313bd9ba00956f09733c71783173c26e1b4e99708dff7138b9fced2a |
58161 bytes |
|
/tmp/.X15-unix/dota2.tar.gz |
SHA256: c8cae37e3320a1c1f3079fa6d13b62e03156bb17a1a054e3a6d8509c815e8c3b |
2612929 bytes |
|
/tmp/clean |
SHA256: cff87d580362f883610cd60d124563cb6ddec218d432c9c2d5f2e3d074ae94a2 |
1972 bytes |
|
/tmp/tddwrt7s.sh |
SHA256: 5a877e5bf198fb6278816547f884c599db4b190f263b290253f4f38e3bbaf0d9 |
1230 bytes |
|
/tmp/.mountfs/dota.tar.gz |
SHA256: 6327cb08da53cce60756c841db87625d123862b8498023bf6279a6ab29179cd9 |
7672005 bytes |
|
/tmp/.mountfs/dota.tar.gz |
SHA256: 278ad6cce8bb90ab1933cfecb3006f8c54e555b4c19e57a6ea3e5765d5994b18 |
103315 bytes |
|
/tmp/.mountfs/dota.tar.gz |
SHA256: 8f81ce25374a75e3ca8c743229e39608f4a6385401e60b431614c1d669cc9e92 |
7543447 bytes |
|
/root/.ttp/a/upd |
SHA256: 106d07d81e1feb3619cc41a73b51b7dfacae39669bfb1c041de44596ea887168 |
172 bytes |
|
/tmp/.mountfs/.rsync/c/aptitude |
SHA256: 2fd75ca04ac5a3691a79cc505c279bf4fed8cd576f88689565243011dcf87a36 |
54 bytes |
|
/root/.ttp/a/crond64 |
SHA256: e8974dfbf0502f0091d9c05b4e0d91b7c769f6a4a1a412edeb2869badb5d79a8 |
2757656 bytes |
|
/tmp/rsync |
SHA256: 26ff0e06768d296e775675970cbe736b179d65b10e61c20103418b68b4232698 |
40490 bytes |