IP Address: 79.112.53.113 (Previously Malicious)



This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner

Services Targeted: SSH

Tags: Log Tampering, Outgoing Connection, Download and Execute, 30 Shell Commands, Download Operation, Package Install, Successful SSH Login, SFTP, DNS Query, Bulk Files Tampering, SSH, Human, Download and Allow Execution, Download File, Access Suspicious Domain

Associated Attack Servers

Domains: security.ubuntu.com, dl.packetstormsecurity.net, atw.hu, archive.ubuntu.com, sad.kire.net, hostsailor.com, undernet.org, _http._tcp.security.ubuntu.com, _http._tcp.archive.ubuntu.com, the-indian.net

IP addresses: 27.131.104.74, 45.58.135.130, 185.198.56.60, 94.125.182.255

Basic Information

IP Address: 79.112.53.113
Domain: -
ISP: RCS & RDS
Country: Romania

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2019-10-17
Last seen in Guardicore Centra: 2019-10-20

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Each event is listed as its Centra tag followed by the recorded detail, in the order the events occurred.

Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: White List)
Download Operation, Package Install: A possibly malicious Download Operation was detected 2 times
Log Tampering: History File Tampering detected from /bin/bash 2 times
DNS Query: Process /usr/bin/wget attempted to access domains: dl.packetstormsecurity.net
Log Tampering: Log File Tampering detected from /bin/bash on the following logs: /var/log/lastlog and /var/log/wtmp
Download and Allow Execution: The file /var/log/lastlog was downloaded and granted execution privileges
Download and Allow Execution: The file /var/log/wtmp was downloaded and granted execution privileges
Download Operation, Package Install: A possibly malicious Package Install was detected 4 times
DNS Query: Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com
DNS Query: Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.security.ubuntu.com and security.ubuntu.com
DNS Query: Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: Correct Password)
Download File: /var/tmp/thebot.tgz.filepart was downloaded
Download and Execute: The file /var/tmp/statistics/run64 was downloaded and executed 7 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/datetime.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/_codecs_tw.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/cPickle.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/unicodedata.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/_codecs_iso2022.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/_codecs_hk.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/bz2.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/_codecs_cn.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/_codecs_kr.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/pyexpat.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/_weakref.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/audioop.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/_multibytecodec.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/_codecs_jp.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/readline.so was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libbz2.so.1 was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libkeyutils.so.1 was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libk5crypto.so.3 was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libcrypto.so.10 was downloaded and granted execution privileges
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libgssapi_krb5.so.2 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/libpython2.6.so.1.0 was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/_struct.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libssl.so.10 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/zlib.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/binascii.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libkrb5support.so.0 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/math.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/_random.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libcom_err.so.2 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/strop.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/fcntl.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libkrb5.so.3 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/array.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/_socket.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libselinux.so.1 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/_ssl.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/cStringIO.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libz.so.1 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/termios.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/time.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libexpat.so.1 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/operator.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/_collections.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libtinfo.so.5 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/itertools.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/select.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Allow Execution: The file /tmp/_MEIg0pxc2/libreadline.so.6 was downloaded and granted execution privileges
Download and Execute: The file /tmp/_MEIg0pxc2/_functools.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/_bisect.so was downloaded and loaded by /var/tmp/statistics/run64
Download and Execute: The file /tmp/_MEIg0pxc2/_heapq.so was downloaded and loaded by /var/tmp/statistics/run64 2 times
Download and Execute: The file /tmp/_MEIg0pxc2/_locale.so was downloaded and loaded by /var/tmp/statistics/run64 3 times
Outgoing Connection: Process /var/tmp/statistics/run64 generated outgoing network traffic to: 185.198.56.60:6667, 27.131.104.74:6667, 45.58.135.130:6667 and 94.125.182.255:6667
Outgoing Connection, Access Suspicious Domain: Process /var/tmp/statistics/run64 attempted to access suspicious domains: the-indian.net (connection was closed due to timeout)
Bulk Files Tampering: Process /var/tmp/statistics/run64 performed bulk changes in {/tmp/_MEIg0pxc2} on 51 files

Associated Files

One file per line: path, size in bytes, SHA256.

/tmp/_MEIUB24Wu/_struct.so (37840 bytes) SHA256: cd5b24f2d53427355f5e8bbc066820d4e949b5a9a8526b36d0eb745f7e8bd3b5
/var/tmp/statistics/run64 (4626914 bytes) SHA256: bd446f90188ce8725bca6e3add37f657259ae73768edb5ef42cff1641cfeb4ea
/tmp/_MEIUy2oHa/datetime.so (81256 bytes) SHA256: c581aa6ceee3905052f368dc66bb1928b37c38aca2ffc5c6ded3ce7fbc474db5
/tmp/_MEIUy2oHa/_codecs_tw.so (108008 bytes) SHA256: 049c314915a330a887ec242561446b3a3f884eb60410358c3bb1c58a695aabab
/tmp/_MEIUy2oHa/cPickle.so (75664 bytes) SHA256: 12b753015e3ff2f6c430f4c4fd490bbee6e54ad3c9c55e0dabbb01331082ac99
/tmp/_MEIUy2oHa/unicodedata.so (590000 bytes) SHA256: 429f0330b5a8f178409b3c50056ab775150cdc68ed3442fef305c90c992a16d5
/tmp/_MEIUB24Wu/strop.so (25288 bytes) SHA256: 895e5b95de1ad3b43c87fb119f177a19a159af14bb0d670998c4718f03541c9f
/tmp/_MEIUy2oHa/_codecs_iso2022.so (21104 bytes) SHA256: cc1d91144d47242d5ef1d3229de9e5b4cca734115402c67bc9a63dd9ef16acf0
/tmp/_MEIUB24Wu/cStringIO.so (19248 bytes) SHA256: f5151c8a85704f35cf046bfbbc42298027a149a62ad09712b89d1be392f667cb
/tmp/_MEIUy2oHa/_codecs_hk.so (154536 bytes) SHA256: 71f9654eb62e4b604ad093b914386288ffdee77bcd2f36c9c3a797978ef73bd0
/tmp/_MEIUy2oHa/bz2.so (35696 bytes) SHA256: 12edbdd399c8e059e8033ff323f9f2e9644846d1cafde7e4c3cc5ee90a178041
/tmp/_MEIUB24Wu/_ssl.so (34112 bytes) SHA256: ed07035ce42e7b0afb002133b6a3fe3d05781e85007c3e8dc58138a08acf81d2
/tmp/_MEIUy2oHa/_codecs_cn.so (146568 bytes) SHA256: cd8bd1a3015f3619738442a0b75534dee3fd3aed09e09d064690e9854471e2dc
/tmp/_MEIUB24Wu/fcntl.so (14632 bytes) SHA256: 5daa98b9bb80585042cffaa5b8ba0d65a0a9d37fe9a8fa162cefadf9ce5459bc
/tmp/_MEIUy2oHa/_codecs_kr.so (133000 bytes) SHA256: 323a9336bb5c7c5b2a061209d5a491ae06097a07eae596f6d48e83940ebde7f9
/tmp/_MEIUy2oHa/pyexpat.so (50280 bytes) SHA256: dac3ba54b6a5e18dad30f5cac8a633a31ad8abd6dda135d54eec0525eb734114
/tmp/_MEIUy2oHa/_weakref.so (7208 bytes) SHA256: fc56ff7755f2dc8078ed7d8c073f723086c890503c8fe320ff13ba839806c7f3
/tmp/_MEIUy2oHa/audioop.so (24040 bytes) SHA256: 5018128b34dc180ecd48f3dbc96f31009b435878963bf5858be48695aaddad40
/tmp/_MEIUy2oHa/_multibytecodec.so (31504 bytes) SHA256: 85b0c8d8b8270b9eb182d8a12a71c67e874b60e9ffdbf6e585a6f59d6225525f
/tmp/_MEIUB24Wu/operator.so (38608 bytes) SHA256: ebd42cf1dd7eaf636c62a5369449a542ea4bcabf20e3aa1f75f382b518069136
/tmp/_MEIUy2oHa/_codecs_jp.so (261608 bytes) SHA256: fddb5e374bd697959e4a641398910a922baf0b83d435ef44e470396d7559c47a
/tmp/_MEIUy2oHa/readline.so (24008 bytes) SHA256: 407285330ff6854851659634afb95f4a59c0ff51382d3c305ea3b1b9fd29f8db
/tmp/_MEIYwFatE/libbz2.so.1 (67592 bytes) SHA256: 13e8c34510e3b80e38ae1a740918342b7e926265ce74d2d7a45a3ef24fb3d79c
/tmp/_MEIUB24Wu/libkeyutils.so.1 (10192 bytes) SHA256: 46af1450289b5a92816afe4e73accdd507412d2e912fe203d8204f7a37696805
/tmp/_MEIUB24Wu/libk5crypto.so.3 (178952 bytes) SHA256: 865584c714a39baf3a1621285a8473f68b0a6146a991755602017b957a2eda9e
/tmp/_MEITo5vcT/libgssapi_krb5.so.2 (269472 bytes) SHA256: 5b5d573ad1fb300ed18748412ac73a5cc0ec55a61ce1c699ca7c960aee18223a
/tmp/_MEIUB24Wu/libkrb5support.so.0 (43696 bytes) SHA256: ae69f36ce9742cc2e560745abf6ca4673d2d1924d18aaa010ca48a30abd1054a
/tmp/_MEIUB24Wu/libselinux.so.1 (122040 bytes) SHA256: 3827393d203e175ba940350cee5d3e14162b52f9aa40695d7b2b62336cbc56f8
/tmp/_MEIYwFatE/libexpat.so.1 (165264 bytes) SHA256: ad3c6edc2b5d8e35dc37928d1c0ad1dc593d4e44bc9f48e5d75965fc4493dd78
/tmp/_MEIUy2oHa/libtinfo.so.5 (135896 bytes) SHA256: 1b0474aefc2e65e5e46a8d95e775fdd4f7d148ef1a9d05feb6c37d0482267eaf
/tmp/_MEIUy2oHa/libreadline.so.6 (269560 bytes) SHA256: 4879bed2c2587883fc892bbb0372a7868b7d1e976eac7e9868cf336667a8927a
/tmp/_MEIUB24Wu/libssl.so.10 (436984 bytes) SHA256: c059379321d88a92f80aed316e9a0d7c9fbf98e0d35a42af6055d701b9b53621
/tmp/_MEITo5vcT/libcom_err.so.2 (14664 bytes) SHA256: 3b0b02124dfdddd447a3ac26b842c9cc4cd674dbe436881c9340c730d3e8d134
/tmp/_MEIUB24Wu/libz.so.1 (88600 bytes) SHA256: eb09ad1db69d11d60b4d5af2529f24ef2b9a03925e0c7d515495aa2f3d777439
/tmp/_MEIUB24Wu/zlib.so (23784 bytes) SHA256: d6f9461b85d8f79daa540d192251981fd72f5e2fb63146a9368adbefa3456759
/tmp/_MEIUB24Wu/binascii.so (20976 bytes) SHA256: cf07f4c01e4784aeffbff023e4e16710ed2d965d787bf51e823b539b2ca5405a
/tmp/_MEIUB24Wu/math.so (26408 bytes) SHA256: 2a0f0d44d6ac6ac6bea9f9b7cf34c322cb98415b2fc8d6d0c24f5fb4b838d337
/tmp/_MEIUB24Wu/array.so (41408 bytes) SHA256: 426ed571ee6ea22644f91895c2fd18e5e392ef93a1b53dced8f9fb27ac39af12
/tmp/_MEIUB24Wu/_socket.so (60752 bytes) SHA256: 0f28dc3fd8746d21c1ec4a6521fe110dc284bff9c325d214bf0b73ffe72d9c93
/tmp/_MEITo5vcT/termios.so (25160 bytes) SHA256: 234d0b74b60c244d807cea467dc28f198721d3ea0e1c06f2f12aa399f27ec153
/tmp/_MEIUB24Wu/time.so (20328 bytes) SHA256: 9f447c3bc828105c160d4b3aed12941871566359233e9ef852e5dc13878af652
/tmp/_MEIUB24Wu/_collections.so (28112 bytes) SHA256: 4aa52f529c4496b88f15fad3f3cf53e4997fb2630fa91520d8f154ad1d679afd
/tmp/_MEIUB24Wu/itertools.so (54896 bytes) SHA256: 549d5ef5babb1a6c139c6baabffe3b100269f350d6944a25cb7b8a34e22166a0
/tmp/_MEIUB24Wu/select.so (24432 bytes) SHA256: 8c341798e4530c54b54549d6b5f74a8ece12cf1a4263dc5d36f01e234778d3d8
/tmp/_MEIUB24Wu/_bisect.so (9872 bytes) SHA256: 8a46d92a1b2b38398af3b9eed943e5141386353fae6829d83430218509cb5eaf
/tmp/_MEIUB24Wu/_locale.so (21608 bytes) SHA256: 7f6058a7298d5e8addcdfb29040d148ec5a353b580e36d7435edde04f0392561
/tmp/_MEIUB24Wu/libcrypto.so.10 (1946880 bytes) SHA256: a331ed7ad94a16a518f101b01e15e6752938b84acd99b3144c78f8996e9cc1d2
/tmp/_MEIUB24Wu/libkrb5.so.3 (912944 bytes) SHA256: efa59ef60c9c9aae204bfa8ddcf47c588878c0b6f7cd9c62254022e99fea8513
/tmp/_MEIUB24Wu/libpython2.6.so.1.0 (1669872 bytes) SHA256: 7d7372cdb0d07273d08c22abe496140d1a9a752f2717a20132d818afd85d85da
/tmp/_MEITo5vcT/_random.so (12680 bytes) SHA256: 04a4f67217c15ffbe2031ec34804184f5ae2dab2e351902faad7529767640bce
/tmp/_MEIUB24Wu/_functools.so (12256 bytes) SHA256: 534e9b74d773f754e49c62d6a4230f1a84505deb8b984a8b9f1d6ad7f0cfddda
/tmp/_MEITo5vcT/_heapq.so (22240 bytes) SHA256: f2563ea199fac680d35d68141a74aefcfe7ed3262cfe79e16357697c754a4ccb
/var/tmp/thebot.tgz.filepart (8039318 bytes) SHA256: c0ee33923812f61e0ef77d1c72415a98aa382d2140dad9ff3963bad954d20b84
