IP Address: 62.43.142.114
Previously Malicious
This IP address attempted an attack on a machine protected by Guardicore Centra
IP Address | 62.43.142.114
Domain | -
ISP | Vodafone Spain
Country | Spain
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Guardicore Centra | 2018-04-25
Last seen in Guardicore Centra | 2018-09-16
What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Event | Incident tags
A user logged in using SSH with the following credentials: mysql / ****** - Authentication policy: White List (Part of a Brute Force Attempt) | Successful SSH Login, SSH Brute Force
Process /usr/bin/wget attempted to access domains: cybernetik.000webhostapp.com | DNS Query
Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.119:80 | Outgoing Connection
/home/mysql/cyberinfo was downloaded | Download File
Process /usr/bin/wget attempted to access suspicious domains: nasapaul.com | Access Suspicious Domain, Outgoing Connection, DNS Query
Process /usr/bin/wget generated outgoing network traffic to: 185.61.137.36:80 | Outgoing Connection
/home/mysql/groot.zip was downloaded | Download File
The file /home/mysql/groot/1 was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/2 was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/3 was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/anti-blackdor.anti was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/bios.txt was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/clean was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/cleanlist was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/dup.txt was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/eof.txt was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/go was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/mfu.txt was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/motd was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/pass_file was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/random was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/screen was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/vuln.txt was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/groot/vuln1.txt was downloaded and granted execution privileges | Download and Allow Execution
Log File Tampering detected from /bin/bash on the following logs: /var/log/apt/apt.log, /var/log/auth.log, /var/log/faillog, /var/log/fsck/checkfs, /var/log/syslog, /var/log/fsck, /var/log/dpkg.log, /var/log/ntpstats, /var/log/apt/term.log, /var/log/apt/history.log, /var/log/alternatives.log, /var/log/kern.log, /var/log/btmp, /var/log/fsck/checkroot, /var/log/lastlog, /var/log/wtmp, /var/log/bootstrap.log, /var/log/apt and /var/log/dmesg | Log Tampering
History File Tampering detected from /bin/bash on the following logs: /root/.bash_history | Log Tampering
The file /home/mysql/groot/class was downloaded and executed | Download and Execute
The file /home/mysql/groot/update was downloaded and executed | Download and Execute
A user logged in using SSH with the following credentials: mysql / ****** - Authentication policy: Correct Password (Part of a Brute Force Attempt) 2 times | Successful SSH Login, SSH Brute Force
Process /usr/bin/wget attempted to access domains: tes2018.hi2.ro | DNS Query
Process /usr/bin/wget generated outgoing network traffic to: 89.42.39.81:80 | Outgoing Connection
/home/mysql/arhiva.zip was downloaded | Download File
The file /home/mysql/arhiva/a was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/arhiva/gasite.txt was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/arhiva/haiduc was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/arhiva/pass was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/arhiva/scan.log was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/arhiva/screen was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/arhiva/screen.jpg was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/arhiva/start was downloaded and granted execution privileges | Download and Allow Execution
The file /home/mysql/arhiva/udp.pl was downloaded and granted execution privileges | Download and Allow Execution
Connection was closed due to timeout | -

YARA detection | Incident tags
/home/mysql/groot/screen was identified as malicious by YARA according to rules: Maldoc Somerules and Toolkit Thor Hacktools | Malicious File
/home/mysql/arhiva/start was identified as malicious by YARA according to rules: Toolkit Thor Hacktools | Malicious File
/home/mysql/arhiva/screen was identified as malicious by YARA according to rules: Maldoc Somerules and Toolkit Thor Hacktools | Malicious File
/home/mysql/groot/update was identified as malicious by YARA according to rules: Malw Miscelanea Linux, Maldoc Somerules and Crypto Signatures | Malicious File
/home/mysql/arhiva/haiduc was identified as malicious by YARA according to rules: Crypto Signatures and Malw Pe Sections | Malicious File
/home/mysql/groot/class was identified as malicious by YARA according to rules: Maldoc Somerules and Suspicious Strings | Malicious File