IP Address: 61.238.68.6 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Executable File Modification, Successful SSH Login, SSH Brute Force, Outgoing Connection, Download and Execute, SSH, New SSH Key, Access Suspicious Domain
Associated Attack Servers: hichina.com hybs-pro.net ident.me inet.co.th ip-164-132-50.eu orange-business.com 14.157.116.231 14.157.119.189 18.223.30.27 23.221.72.161 34.117.59.81 39.108.215.9 42.192.132.110 42.194.136.16 42.194.136.96 47.98.152.150 47.98.237.159 49.12.234.183 49.235.26.143 52.255.134.40 54.196.211.253 57.100.67.147 81.68.117.137 101.226.197.196 103.27.42.10 103.27.42.77 103.47.242.247 104.18.115.97 106.53.194.115 107.170.192.159 110.249.166.66 111.67.197.174 111.229.197.89 111.231.94.142 115.124.99.133
IP Address |
61.238.68.6 |
|
Domain |
- |
|
ISP |
Hong Kong Broadband Network |
|
Country |
Hong Kong |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-05-12 |
Last seen in Akamai Guardicore Segmentation |
2022-05-22 |
A user logged in using SSH with the following credentials: root / ******** - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)
Tags: SSH Brute Force, Successful SSH Login

Executable file /usr/bin/vzgbhw was modified 9 times
Tags: Executable File Modification

The file /usr/bin/vzgbhw was downloaded and executed 39 times
Tags: Download and Execute

Process /usr/bin/vzgbhw generated outgoing network traffic to: 1.1.1.1:53, 101.226.197.196:38531, 103.27.42.10:60760, 103.27.42.77:55418, 103.47.242.247:45260, 104.18.115.97:80, 106.53.194.115:38739, 107.170.192.159:34729, 107.170.192.159:8000, 110.249.166.66:57924, 111.229.197.89:38017, 111.231.94.142:40986, 111.67.197.174:40416, 115.124.99.133:39813, 118.144.137.141:33601, 120.238.246.181:40425, 120.55.165.126:51190, 120.77.80.111:46476, 122.51.138.192:45021, 122.51.17.42:40989, 124.113.176.5:53534, 132.232.40.86:38003, 139.162.127.223:45499, 139.224.117.63:35199, 14.157.116.231:1458, 14.157.119.189:1458, 140.143.59.146:46877, 164.132.50.60:35731, 18.223.30.27:32849, 182.43.41.220:42101, 182.75.115.93:43327, 203.150.95.65:33297, 208.67.222.222:443, 210.73.207.46:49558, 218.244.130.78:60848, 219.141.184.182:49287, 222.128.24.203:40979, 23.221.72.161:80, 34.117.59.81:80, 39.108.215.9:40315, 42.192.132.110:27634, 42.194.136.16:35756, 42.194.136.96:35463, 47.98.152.150:42130, 47.98.237.159:45657, 49.12.234.183:80, 49.235.26.143:43796, 52.255.134.40:38052, 54.196.211.253:80, 57.100.67.147:42705 and 81.68.117.137:39592
Tags: Outgoing Connection

Process /usr/bin/vzgbhw attempted to access suspicious domains: 182-airtel.com, bjtelecom.net, googleusercontent.com, hichina.com, hybs-pro.net, ident.me, inet.co.th, ip-164-132-50.eu and targetcampus.com
Tags: Access Suspicious Domain, Outgoing Connection

The file /usr/bin/chattr was downloaded and executed
Tags: Download and Execute

Connection was closed due to timeout

An attempt to download /root/.ssh/authorized_keys was made 25 times
Tags: New SSH Key
File: /usr/local/bin/qkglvy
SHA256: 5e9eed61745f9cab83471787ec9610b722c950ac5bc185fd152327eb068e7ed9
Size: 3180796 bytes