IP Address: 64.92.65.152 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Port 8080 Scan 3 Shell Commands SSH Superuser Operation Port 80 Scan Successful SSH Login Download and Execute Access Suspicious Domain Outgoing Connection Listening Download and Allow Execution
Associated Attack Servers: 1.15.13.216 2.218.167.65 20.195.231.146 24.101.57.13 28.32.70.87 37.82.111.241 41.228.22.107 50.7.86.202 51.74.147.40 54.126.182.157 101.213.11.242 106.12.86.205 121.195.218.72 122.167.97.228 124.71.122.47 124.222.141.43 170.222.1.167 179.228.164.96 190.195.113.218 191.249.236.85 192.130.34.67 245.182.47.29 252.5.153.207
IP Address: 64.92.65.152
Domain: -
ISP: SinglePipe LLC
Country: United States
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-03
Last seen in Akamai Guardicore Segmentation: 2022-04-04
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Incident timeline
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Download and Execute: The file /tmp/ifconfig was downloaded and executed 6 times
Download and Execute: The file /tmp/apache2 was downloaded and executed 20 times
Outgoing Connection: Process /tmp/ifconfig generated outgoing network traffic to: 1.15.13.216:1234, 101.213.11.242:22, 104.21.25.86:443, 104.241.115.243:80, 104.241.115.243:8080, 121.195.218.72:2222, 122.167.97.228:22, 124.222.141.43:1234, 124.71.122.47:22, 124.77.184.15:80, 124.77.184.15:8080, 13.105.215.67:80, 13.105.215.67:8080, 13.38.235.107:80, 13.38.235.107:8080, 131.165.87.72:80, 131.165.87.72:8080, 144.203.114.211:80, 144.203.114.211:8080, 145.22.150.97:80, 145.22.150.97:8080, 149.145.160.228:80, 149.145.160.228:8080, 169.215.173.167:80, 169.215.173.167:8080, 170.222.1.167:2222, 172.143.25.79:80, 172.143.25.79:8080, 172.67.133.228:443, 179.228.164.96:2222, 190.195.113.218:2222, 191.249.236.85:1234, 192.130.34.67:22, 199.133.230.168:80, 199.133.230.168:8080, 199.212.55.32:80, 199.212.55.32:8080, 2.218.167.65:22, 20.143.101.25:80, 20.143.101.25:8080, 20.195.231.146:1234, 209.188.239.216:80, 209.188.239.216:8080, 211.60.223.144:80, 211.60.223.144:8080, 214.94.114.207:80, 214.94.114.207:8080, 218.192.89.37:80, 218.192.89.37:8080, 24.101.57.13:1234, 245.182.47.29:2222, 249.188.1.84:80, 249.188.1.84:8080, 252.5.153.207:22, 27.54.170.52:1234, 28.11.14.145:80, 28.11.14.145:8080, 28.32.70.87:2222, 29.20.218.211:80, 29.20.218.211:8080, 30.215.11.66:80, 30.215.11.66:8080, 31.29.46.241:80, 31.29.46.241:8080, 33.80.11.144:80, 33.80.11.144:8080, 36.179.7.20:80, 36.179.7.20:8080, 37.82.111.241:2222, 42.108.6.114:80, 42.108.6.114:8080, 5.143.140.74:80, 5.143.140.74:8080, 50.7.86.202:1234, 51.74.147.40:22, 51.75.146.174:443, 54.126.182.157:2222, 69.47.60.23:80, 69.47.60.23:8080, 71.79.48.27:80, 71.79.48.27:8080, 78.21.78.98:80, 78.21.78.98:8080, 8.79.75.109:80, 8.79.75.109:8080, 81.124.191.223:80, 81.124.191.223:8080, 88.209.216.163:80 and 88.209.216.163:8080
Access Suspicious Domain, Outgoing Connection: Process /tmp/ifconfig attempted to access suspicious domains: airtelbroadband.in, gvt.net.br, hwclouds-dns.com, prima.net.ar, vivozap.com.br and zoominternet.net
Listening: Process /tmp/ifconfig started listening on ports: 1234, 8082 and 8181
Port 80 Scan, Port 8080 Scan: Process /tmp/ifconfig scanned port 80 on 32 IP Addresses 2 times
Port 80 Scan, Port 8080 Scan: Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses 2 times
Connection was closed due to user inactivity
|