Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 66.228.28.18Previously Malicious

IP Address: 66.228.28.18Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

SCP SSH

Tags

Download File SSH Superuser Operation Successful SSH Login Download and Execute SCP Download and Allow Execution

Associated Attack Servers

146.in-addr.arpa 1blu.de a1.net ae2am1.shop aerlink.fr aeza.network airtel.cd airtel.in alter.net as20676.net btcentralplus.com burlingtontelecom.net centurylink.net cultimording.org.uk easynet.co.uk ertelecom.ru fetnet.net fortinettelecom.com.br griffin.net.uk gvt.net.br innovatelekom.com mchsi.com mycingular.net ntust.edu.tw nuvox.net pkje32x1.cn prod-dial.com.mx qwest.net sileman.net.pl spcsdns.net

1.13.18.11 1.15.13.216 1.79.85.213 1.116.42.111 1.164.217.126 1.184.43.43 2.140.141.158 2.189.252.225 3.132.68.243 3.133.124.243 3.137.191.126 4.34.57.102 4.154.48.42 4.156.12.246 5.18.57.57 5.90.127.54 5.161.42.72 6.31.110.246 9.166.39.182 9.218.20.229 11.15.126.125 11.134.183.25 12.23.46.220 12.105.127.107 13.3.120.195 14.35.205.157 14.74.174.127 15.29.162.233 15.31.73.191 15.56.129.196

Basic Information

IP Address

66.228.28.18

Domain

-

ISP

Gorge Networks

Country

United States

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2022-03-06

Last seen in Akamai Guardicore Segmentation

2022-04-08

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List

Successful SSH Login

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password

Successful SSH Login

A possibly malicious Superuser Operation was detected 2 times

Superuser Operation

The file /tmp/ifconfig was downloaded and executed 6 times

Download and Execute

Process /tmp/apache2 scanned port 22 on 13 IP Addresses

Port 22 Scan Port 80 Scan Port 8080 Scan

Process /tmp/apache2 scanned port 22 on 32 IP Addresses 2 times

Port 22 Scan Port 80 Scan Port 8080 Scan

Process /tmp/apache2 scanned port 80 on 13 IP Addresses

Port 22 Scan Port 80 Scan Port 8080 Scan

Process /tmp/apache2 scanned port 8080 on 13 IP Addresses

Port 22 Scan Port 80 Scan Port 8080 Scan

The file /tmp/apache2 was downloaded and executed 183 times

Download and Execute

Process /tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.43.150.232:1234, 104.21.25.86:443, 107.175.215.247:1234, 107.70.165.238:80, 107.70.165.238:8080, 107.92.30.15:80, 107.92.30.15:8080, 11.173.153.74:80, 11.173.153.74:8080, 120.197.154.22:1234, 126.107.184.218:22, 128.54.206.1:22, 13.44.8.222:80, 13.44.8.222:8080, 130.150.149.127:80, 130.150.149.127:8080, 130.204.212.9:22, 131.117.187.87:80, 131.117.187.87:8080, 139.209.222.134:1234, 142.250.190.4:443, 146.211.177.74:22, 147.117.140.106:80, 147.117.140.106:8080, 164.172.132.38:80, 164.172.132.38:8080, 165.19.152.28:80, 165.19.152.28:8080, 167.23.87.32:80, 167.23.87.32:8080, 178.41.80.165:80, 178.41.80.165:8080, 183.127.183.235:80, 183.127.183.235:8080, 187.217.144.250:22, 189.16.201.249:80, 189.16.201.249:8080, 190.215.222.2:80, 190.215.222.2:8080, 199.18.92.100:80, 199.18.92.100:8080, 199.65.184.57:80, 199.65.184.57:8080, 201.85.194.160:80, 201.85.194.160:8080, 21.79.13.230:80, 21.79.13.230:8080, 210.99.20.194:1234, 212.186.229.39:80, 212.186.229.39:8080, 222.67.63.13:80, 222.67.63.13:8080, 23.222.11.66:2222, 243.208.109.4:80, 243.208.109.4:8080, 250.159.39.127:80, 250.159.39.127:8080, 3.118.68.73:22, 32.3.211.143:80, 32.3.211.143:8080, 38.47.195.94:22, 42.14.149.129:80, 42.14.149.129:8080, 42.231.63.152:1234, 46.118.139.151:80, 46.118.139.151:8080, 47.175.249.156:22, 48.100.162.86:80, 48.100.162.86:8080, 51.75.146.174:443, 52.6.130.85:22, 58.2.120.60:80, 58.2.120.60:8080, 61.113.3.194:80, 61.113.3.194:8080, 61.248.193.97:80, 61.248.193.97:8080, 62.23.126.34:80, 62.23.126.34:8080, 65.147.12.138:80, 65.147.12.138:8080, 71.251.137.106:2222, 77.66.47.235:22, 79.204.115.115:22, 82.194.3.95:22, 86.107.187.239:1234, 89.41.168.62:80 and 89.41.168.62:8080

Outgoing Connection

Process /tmp/apache2 started listening on ports: 1234, 8087 and 8186

Listening

Process /tmp/apache2 scanned port 80 on 32 IP Addresses 2 times

Port 22 Scan Port 80 Scan Port 8080 Scan

Process /tmp/apache2 scanned port 8080 on 32 IP Addresses 2 times

Port 22 Scan Port 80 Scan Port 8080 Scan

Process /tmp/apache2 attempted to access suspicious domains: adsl, jlccptt.net.cn and trined.nl

Access Suspicious Domain Outgoing Connection

The file /usr/bin/uptime was downloaded and executed

Download and Execute

The file /tmp/php-fpm was downloaded and executed 22 times

Download and Execute

The file /tmp/php-fpm was downloaded and executed 25 times

Download and Execute

The file /tmp/php-fpm was downloaded and executed 7 times

Download and Execute

Connection was closed due to timeout