IP Address: 59.173.183.223 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers: 3.201.125.165, 14.176.13.127, 18.212.180.57, 29.158.32.141, 42.133.199.149, 49.134.134.109, 50.122.189.12, 54.206.105.49, 58.179.192.173, 82.156.179.219, 91.170.44.79, 93.170.92.42, 103.80.181.231, 116.225.43.137, 119.91.140.230, 121.5.146.101, 124.222.158.101, 139.222.144.106, 156.159.217.70, 156.183.162.84, 160.57.22.225, 180.164.62.215, 196.35.94.37, 200.87.24.166, 223.12.82.145
IP Address: 59.173.183.223
Domain: -
ISP: China Telecom
Country: China
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-14
Last seen in Akamai Guardicore Segmentation: 2022-04-21
Attack timeline (sensor events, each prefixed with its tag):

Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: White List)
Download File: /dev/shm/ifconfig was downloaded
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: Correct Password)
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Outgoing Connection: Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 100.146.178.64:80, 100.146.178.64:8080, 101.68.24.6:80, 101.68.24.6:8080, 102.46.75.72:80, 102.46.75.72:8080, 103.80.181.231:2222, 110.240.175.178:80, 110.240.175.178:8080, 113.124.190.86:80, 113.124.190.86:8080, 116.225.43.137:1234, 116.73.39.57:80, 116.73.39.57:8080, 117.159.61.175:80, 117.159.61.175:8080, 118.195.54.123:80, 118.195.54.123:8080, 119.233.188.191:80, 119.233.188.191:8080, 119.91.140.230:1234, 121.5.146.101:1234, 124.222.158.101:1234, 125.249.95.32:80, 125.249.95.32:8080, 126.168.36.108:80, 126.168.36.108:8080, 131.12.129.127:80, 131.12.129.127:8080, 133.210.229.139:80, 133.210.229.139:8080, 139.222.144.106:2222, 139.38.164.101:80, 139.38.164.101:8080, 14.176.13.127:22, 145.65.216.233:80, 145.65.216.233:8080, 154.107.241.42:80, 154.107.241.42:8080, 154.155.77.226:80, 154.155.77.226:8080, 156.159.217.70:22, 156.183.162.84:22, 16.209.182.62:80, 16.209.182.62:8080, 160.57.22.225:22, 164.103.105.48:80, 164.103.105.48:8080, 18.212.180.57:1234, 180.164.62.215:1234, 185.86.144.62:80, 185.86.144.62:8080, 196.35.94.37:2222, 200.87.24.166:22, 219.235.34.224:80, 219.235.34.224:8080, 223.119.11.210:80, 223.119.11.210:8080, 223.12.82.145:22, 249.20.15.245:80, 249.20.15.245:8080, 253.180.113.12:80, 253.180.113.12:8080, 27.191.97.91:80, 27.191.97.91:8080, 29.158.32.141:2222, 3.201.125.165:2222, 31.82.1.22:80, 31.82.1.22:8080, 33.214.253.55:80, 33.214.253.55:8080, 35.203.244.3:80, 35.203.244.3:8080, 42.133.199.149:22, 49.134.134.109:2222, 50.122.189.12:2222, 50.13.41.88:80, 50.13.41.88:8080, 54.206.105.49:2222, 58.179.192.173:22, 78.141.137.80:80, 78.141.137.80:8080, 82.156.179.219:1234, 86.166.155.100:80, 86.166.155.100:8080, 91.170.44.79:2222, 95.88.222.233:80 and 95.88.222.233:8080
Listening: Process /dev/shm/ifconfig started listening on ports 1234, 8081 and 8183
Port 80 Scan, Port 8080 Scan: Process /dev/shm/ifconfig scanned port 80 on 32 IP addresses 2 times
Port 80 Scan, Port 8080 Scan: Process /dev/shm/ifconfig scanned port 8080 on 32 IP addresses 2 times
Access Suspicious Domain, Outgoing Connection: Process /dev/shm/ifconfig attempted to access suspicious domains: dodo.net.au, emtagas.com.bo and proxad.net
Connection was closed due to timeout
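The Outgoing Connection event above mixes a port 80/8080 sweep with a smaller set of connections on 22, 2222, 1234 and 443, and the record separately lists Associated Attack Servers. The Python below is an added example, not code from the Guardicore record or product: it parses that event text (embedded verbatim as a constant, with the Associated Attack Servers list copied from the record), separates sweep targets (hosts hit only on 80/8080) from peers (hosts contacted on any other port), counts peers per port, and checks the peer set against the associated-server list. The process-path check flags binaries executing from memory-backed or world-writable staging directories; the prefix list (/dev/shm, /tmp, /var/tmp) is my assumption, not something the record defines.

```python
import re
from collections import Counter, defaultdict

# "Outgoing Connection" event text from the record above, embedded so the
# script runs offline (adjacent string literals are concatenated by Python).
OUTGOING_EVENT = (
    "Process /dev/shm/ifconfig generated outgoing network traffic to: "
    "1.1.1.1:443, 100.146.178.64:80, 100.146.178.64:8080, 101.68.24.6:80, "
    "101.68.24.6:8080, 102.46.75.72:80, 102.46.75.72:8080, 103.80.181.231:2222, "
    "110.240.175.178:80, 110.240.175.178:8080, 113.124.190.86:80, "
    "113.124.190.86:8080, 116.225.43.137:1234, 116.73.39.57:80, 116.73.39.57:8080, "
    "117.159.61.175:80, 117.159.61.175:8080, 118.195.54.123:80, 118.195.54.123:8080, "
    "119.233.188.191:80, 119.233.188.191:8080, 119.91.140.230:1234, "
    "121.5.146.101:1234, 124.222.158.101:1234, 125.249.95.32:80, 125.249.95.32:8080, "
    "126.168.36.108:80, 126.168.36.108:8080, 131.12.129.127:80, 131.12.129.127:8080, "
    "133.210.229.139:80, 133.210.229.139:8080, 139.222.144.106:2222, "
    "139.38.164.101:80, 139.38.164.101:8080, 14.176.13.127:22, 145.65.216.233:80, "
    "145.65.216.233:8080, 154.107.241.42:80, 154.107.241.42:8080, 154.155.77.226:80, "
    "154.155.77.226:8080, 156.159.217.70:22, 156.183.162.84:22, 16.209.182.62:80, "
    "16.209.182.62:8080, 160.57.22.225:22, 164.103.105.48:80, 164.103.105.48:8080, "
    "18.212.180.57:1234, 180.164.62.215:1234, 185.86.144.62:80, 185.86.144.62:8080, "
    "196.35.94.37:2222, 200.87.24.166:22, 219.235.34.224:80, 219.235.34.224:8080, "
    "223.119.11.210:80, 223.119.11.210:8080, 223.12.82.145:22, 249.20.15.245:80, "
    "249.20.15.245:8080, 253.180.113.12:80, 253.180.113.12:8080, 27.191.97.91:80, "
    "27.191.97.91:8080, 29.158.32.141:2222, 3.201.125.165:2222, 31.82.1.22:80, "
    "31.82.1.22:8080, 33.214.253.55:80, 33.214.253.55:8080, 35.203.244.3:80, "
    "35.203.244.3:8080, 42.133.199.149:22, 49.134.134.109:2222, 50.122.189.12:2222, "
    "50.13.41.88:80, 50.13.41.88:8080, 54.206.105.49:2222, 58.179.192.173:22, "
    "78.141.137.80:80, 78.141.137.80:8080, 82.156.179.219:1234, 86.166.155.100:80, "
    "86.166.155.100:8080, 91.170.44.79:2222, 95.88.222.233:80 and 95.88.222.233:8080"
)

# "Associated Attack Servers" list from the record above.
ASSOCIATED_ATTACK_SERVERS = {
    "3.201.125.165", "14.176.13.127", "18.212.180.57", "29.158.32.141",
    "42.133.199.149", "49.134.134.109", "50.122.189.12", "54.206.105.49",
    "58.179.192.173", "82.156.179.219", "91.170.44.79", "93.170.92.42",
    "103.80.181.231", "116.225.43.137", "119.91.140.230", "121.5.146.101",
    "124.222.158.101", "139.222.144.106", "156.159.217.70", "156.183.162.84",
    "160.57.22.225", "180.164.62.215", "196.35.94.37", "200.87.24.166",
    "223.12.82.145",
}

# Ports the record's scan events cover; everything else is treated as a peer.
SCAN_PORTS = {80, 8080}

# Assumed staging locations for a dropped binary (not defined by the record).
STAGING_PREFIXES = ("/dev/shm/", "/tmp/", "/var/tmp/")

ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_endpoints(event_text):
    """Return every (ip, port) pair in an Outgoing Connection event string."""
    return [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(event_text)]


def classify(endpoints, scan_ports=SCAN_PORTS):
    """Split destinations into sweep targets (hit only on scan_ports) and
    peers (contacted on any other port). Both map ip -> set of ports."""
    ports_by_ip = defaultdict(set)
    for ip, port in endpoints:
        ports_by_ip[ip].add(port)
    scan_targets = {ip: p for ip, p in ports_by_ip.items() if p <= scan_ports}
    peers = {ip: p - scan_ports for ip, p in ports_by_ip.items() if p - scan_ports}
    return scan_targets, peers


def port_histogram(peers):
    """Count how many peers were contacted on each non-scan port."""
    return Counter(port for ports in peers.values() for port in ports)


def compare_with_associated(peers, associated):
    """Return (in both, only in the event, only in the associated list)."""
    peer_ips = set(peers)
    return peer_ips & associated, peer_ips - associated, associated - peer_ips


def suspicious_process_path(path):
    """True when an executable runs from an assumed staging directory."""
    return path.startswith(STAGING_PREFIXES)


if __name__ == "__main__":
    scan, peers = classify(parse_endpoints(OUTGOING_EVENT))
    both, event_only, assoc_only = compare_with_associated(peers, ASSOCIATED_ATTACK_SERVERS)
    print(f"sweep targets: {len(scan)}, peers: {len(peers)}, per port: {dict(port_histogram(peers))}")
    print(f"peers also listed as associated servers: {len(both)}")
    print(f"peers not in the list: {sorted(event_only)}; listed but not contacted: {sorted(assoc_only)}")
    print(f"/dev/shm/ifconfig flagged: {suspicious_process_path('/dev/shm/ifconfig')}")
```

Run against the record's own data this yields 32 sweep targets, each hit on both 80 and 8080 (matching the two "scanned ... on 32 IP addresses" events), and 25 peers: 8 on port 22, 9 on 2222, 7 on 1234 and 1 on 443. Twenty-four of the peers are in the Associated Attack Servers list; 1.1.1.1:443 is the only non-sweep destination missing from it, and 93.170.92.42 is the only associated server with no outgoing connection in the event. Port 1234 appears on both sides of the record, as a listening port of /dev/shm/ifconfig and as the destination port for seven peers, which is worth noting when writing a network rule for this sample.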
|