IP Address: 78.96.81.132 - Previously Malicious


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker

Services Targeted: SSH

Tags: HTTP, 29 Shell Commands, DNS Query, Human, Superuser Operation, Download File, Port 80 Scan, Download Operation, Bulk Files Tampering, Malicious File, Access Suspicious Domain, Package Install, SSH, Successful SSH Login

Connect Back Servers

minergate.com _http._tcp.archive.ubuntu.com download-endpoint.minergate.com www.speedtest.net c0ol3r.000webhostapp.com _http._tcp.security.ubuntu.com canonical.com stosat-rstn-01.sys.comcast.net s1.speedtest.wdc1.us.leaseweb.net security.ubuntu.com shentel.net download.minergate.com stosat-malt-01.sys.comcast.net xmr.pool.minergate.com edinburg.speedtest.shentel.net bigdaddy.wave2net.com archive.ubuntu.com rest.minergate.com comcast.net your-server.de

69.241.0.94 88.99.142.163 91.189.88.161 46.4.119.208 204.111.5.18 91.189.88.152 151.101.2.219 69.241.87.90 94.130.143.162 136.243.102.154 207.244.94.68 145.14.144.198 136.243.102.157 136.243.102.167 91.189.91.26 204.111.21.7 176.9.8.174

Basic Information

IP Address: 78.96.81.132
Domain: -
ISP: UPC ROMANIA
Country: Romania

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-07-01
Last seen in Guardicore Centra: 2018-07-06

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected 3 times

Package Install, Download Operation, Superuser Operation

Process /usr/bin/wget attempted to access domains: c0ol3r.000webhostapp.com 2 times

DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.152:80

Process /usr/bin/python2.7 scanned port 80 on 12 IP Addresses

Port 80 Scan

Process /usr/bin/wget scanned port 80 on 12 IP Addresses 2 times

Port 80 Scan

Process /usr/lib/apt/methods/http scanned port 80 on 12 IP Addresses 5 times

Port 80 Scan

/root/v.py was downloaded

Download File

Process /usr/bin/python2.7 generated outgoing network traffic to: 207.244.94.68:80, 151.101.2.219:80, shentel.net:80, 204.111.21.7:80 and comcast.net:80

Process /usr/bin/python2.7 attempted to access domains: www.speedtest.net, stosat-rstn-01.sys.comcast.net, s1.speedtest.wdc1.us.leaseweb.net, stosat-malt-01.sys.comcast.net and edinburg.speedtest.shentel.net

DNS Query

Process /usr/bin/python2.7 attempted to access suspicious domains: bigdaddy.wave2net.com

DNS Query, Access Suspicious Domain

A possibly malicious Superuser Operation was detected 2 times

Package Install, Download Operation, Superuser Operation

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password

Successful SSH Login

/root/cinfo was downloaded

Download File

Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.63:80

A possibly malicious Package Install was detected 3 times

Package Install, Download Operation, Superuser Operation

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com 3 times

DNS Query

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.security.ubuntu.com and security.ubuntu.com 3 times

DNS Query

Process /usr/lib/apt/methods/http generated outgoing network traffic to: canonical.com:80 4 times

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.162:80

Process /usr/bin/wget attempted to access domains: minergate.com

DNS Query

Connection was closed due to timeout

/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_xenial-security_multiverse_binary-amd64_Packages was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_xenial-security_multiverse_i18n_Translation-en was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

Process /usr/lib/apt/methods/store performed bulk changes in {/var/lib/apt} on 33 files

Bulk Files Tampering

Process /usr/lib/apt/methods/http performed bulk changes in {/var/cache/apt/archives/partial} on 102 files

Bulk Files Tampering

Associated Files

/opt/minergate/lib/libOpenCL.so.1.dpkg-new

SHA256: 29bc7ad706ae05afb9beb8a74921ce7295ef39731a84bad68722652a9e94b4ea

32120 bytes

/opt/minergate/lib/libQt5Core.so.5.dpkg-new

SHA256: e69b30f614cfcba2b2a5974f9414f6bbe3592b6c8036582b0903ed7bb8e3d5c5

6232776 bytes

/opt/minergate/lib/libQt5Network.so.5.dpkg-new

SHA256: ee8d6323385ccd6f33ec71b26a608ed61ffc33c68088f55abdf65235088a4780

1523208 bytes

/opt/minergate-cli/minergate-cli.dpkg-new

SHA256: fe3baecb8bde470639f6bb5869202bb6f3bf71dd7ece068fb8f76dc4254ba0f0

14364800 bytes

/root/v.py

SHA256: e681c1502e6328ec479c43c523c2778fd9a93e7755563bfa2bf0f14d5ccf811a

26453 bytes

/root/cinfo

SHA256: df3952bde3cfec659db8ceeec647429f989c958eb20867924182c08f3a14789a

1921 bytes
