IP Address: 54.38.219.156 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra.

Threat Information

Role: Attacker, Scanner
Services Targeted: HTTP, SSH
Tags: Download and Execute, Inbound HTTP Request, HTTP, Outgoing Connection, Access Suspicious Domain, Download File, IDS - Web Application Attack, Download and Allow Execution
Associated Attack Servers: hukot.net, melbi.space, 46.36.39.104, 213.183.45.187, 52.173.196.248

Basic Information

IP Address: 54.38.219.156
Domain: -
ISP: OVH SAS
Country: France

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-05-06
Last seen in Guardicore Centra: 2019-07-10


Attack Flow

1. Process /usr/bin/wget generated outgoing network traffic to 46.36.39.104:80, 7 times. Tags: Outgoing Connection
2. Process /usr/bin/wget attempted to access suspicious domain hukot.net, 7 times. Tags: Access Suspicious Domain, Outgoing Connection
3. The file /tmp/bins.sh was downloaded and granted execution privileges. Tags: Download and Allow Execution
4. IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body. Tags: IDS - Web Application Attack
5. The file /tmp/ntpd was downloaded and granted execution privileges. Tags: Download and Allow Execution
6. The file /tmp/sshd was downloaded and granted execution privileges. Tags: Download and Allow Execution
7. The file /tmp/openssh was downloaded and granted execution privileges. Tags: Download and Allow Execution
8. The file /tmp/bash was downloaded and executed, 2 times. Tags: Download and Execute
9. The file /tmp/tftp was downloaded and granted execution privileges. Tags: Download and Allow Execution
10. Process /tmp/wget generated outgoing network traffic to 46.36.39.104:1990. Tags: Outgoing Connection
11. Process /tmp/wget attempted to access suspicious domain hukot.net. Tags: Access Suspicious Domain, Outgoing Connection
12. The file /tmp/wget was downloaded and executed, 3 times. Tags: Download and Execute
13. Process /usr/bin/wget generated outgoing network traffic to 46.36.39.104:80, 7 times. Tags: Outgoing Connection
14. Process /usr/bin/wget attempted to access suspicious domain hukot.net, 7 times. Tags: Access Suspicious Domain, Outgoing Connection
15. The file /tmp/cron was downloaded and granted execution privileges. Tags: Download and Allow Execution
16. The file /tmp/ftp was downloaded and executed, 2 times. Tags: Download and Execute
17. The file /tmp/pftp was downloaded and granted execution privileges. Tags: Download and Allow Execution
18. The file /tmp/sh was downloaded and granted execution privileges. Tags: Download and Allow Execution
19. The file /tmp/nut was downloaded and granted execution privileges. Tags: Download and Allow Execution
20. The file /tmp/apache2 was downloaded and granted execution privileges. Tags: Download and Allow Execution
21. Connection was closed due to timeout.

Associated Files

/tmp/bins.sh (2052 bytes) SHA256: 563abaf4c69b2e34d7b260b670337f5dfec10e3e973bdda49b525c58bb6f7e0b
/tmp/ntpd (168540 bytes) SHA256: e7fb590b1a6c24a3e13ef5840ea6256692473d0c7d5e2a36b44e09352d6a8773
/tmp/sshd (168668 bytes) SHA256: b54f71079f8c1a78274f69c69b94f39b8d8012aa7b967681e4fee4a414651d9b
/tmp/openssh (117486 bytes) SHA256: 57726078d13f6800d12752f0941918c7be2401d515bc4ebe6f4b976f016e5905
/tmp/bash (123572 bytes) SHA256: 1cc4bcc63dba2ca8ae368a4099b076c86721dbb61e8de13ef8e35377552aeb00
/tmp/tftp (152482 bytes) SHA256: 3062b7a8c332732a430461db76cd3e805c7e8f65dbb2c6710bc648a4340941cf
/tmp/wget (112337 bytes) SHA256: 8a40a1e2787a3ce228a0cfcbeb524eafbe7d78726e63121512f977b1c584f539
/tmp/cron (132862 bytes) SHA256: 91cd0cabea7efd1562949b7269d333e84a127e3d77f2e0bcaca3d9713333786a
/tmp/ftp (108241 bytes) SHA256: 8fb0ec2882bb9cbbba02e63e8946236529f534117060fd79b4b5543deda4ca0d
/tmp/pftp (129672 bytes) SHA256: df6974ba04177c013a891d366ab81960c52b1f08ab29f67ee2be70fda0d24d2c
/tmp/sh (142963 bytes) SHA256: 34ecf472187dc833a8c847b0da91639741b64bf7a7c7be1e0374638ed638c456
/tmp/nut (137958 bytes) SHA256: 290c432e5b1803b86a7fa41386228d72e1d0d76fa7620746e367e522567e9282
/tmp/apache2 (133340 bytes) SHA256: 126bbfaf741a9455bf28e26f29011dcb716e886623e600b418cd4b5b02d84789
