IP Address: 80.211.48.109 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner

Services Targeted: HadoopYARN

Tags: HTTP, HadoopYARN, Malicious File, IDS - Web Application Attack, Outgoing Connection, Download and Allow Execution, Download and Execute, Download File, Inbound HTTP Request

Associated Attack Servers: hukot.net, 104.40.157.159, 46.36.37.121

Basic Information

IP Address: 80.211.48.109
Domain: -
ISP: Aruba S.p.A.
Country: Italy

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-10-28
Last seen in Guardicore Centra: 2018-11-03


Attack Flow

Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to hukot.net:80 (8 times)
Download and Allow Execution: The file /tmp/weed.sh was downloaded and granted execution privileges
IDS - Web Application Attack: IDS detected Web Application Attack: 401TRG Generic Webshell Request - POST with wget in body
Download and Allow Execution: The file /tmp/weedntpd was downloaded and granted execution privileges
Malicious File: /tmp/weedntpd was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules
Download and Allow Execution: The file /tmp/weedsshd was downloaded and granted execution privileges
Malicious File: /tmp/weedsshd was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules
Download and Allow Execution: The file /tmp/weedopenssh was downloaded and granted execution privileges
Malicious File: /tmp/weedopenssh was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules
Download and Execute: The file /tmp/weedbash was downloaded and executed (2 times)
Download and Allow Execution: The file /tmp/weedtftp was downloaded and granted execution privileges
Malicious File: /tmp/weedtftp was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules
Download and Execute: The file /tmp/weedwget was downloaded and executed (3 times)
Outgoing Connection: Process /tmp/weedwget generated outgoing network traffic to hukot.net:415
Outgoing Connection: Process /usr/local/bin/dash generated outgoing network traffic to hukot.net:80
Download and Allow Execution: The file /tmp/weedcron was downloaded and granted execution privileges
Malicious File: /tmp/weedcron was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules
Download and Execute: The file /tmp/weedftp was downloaded and executed (2 times)
Outgoing Connection: Process /usr/bin/wget generated outgoing network traffic to 46.36.37.121:80 (5 times)
Download and Allow Execution: The file /tmp/weedpftp was downloaded and granted execution privileges
Malicious File: /tmp/weedpftp was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules
Download and Allow Execution: The file /tmp/weedsh was downloaded and granted execution privileges
Malicious File: /tmp/weedsh was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules
Download and Allow Execution: The file /tmp/weedshit was downloaded and granted execution privileges
Malicious File: /tmp/weedshit was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules
Download and Allow Execution: The file /tmp/weedapache2 was downloaded and granted execution privileges
Malicious File: /tmp/weedapache2 was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules
Connection was closed due to timeout
Malicious File: /tmp/weedftp was identified as malicious by YARA according to rules: Maldoc Somerules, Malw Gafgyt and 000 Common Rules
Malicious File: /tmp/weedwget was identified as malicious by YARA according to rules: Maldoc Somerules, Malw Gafgyt and 000 Common Rules
Malicious File: /tmp/weedbash was identified as malicious by YARA according to rules: Malw Gafgyt and 000 Common Rules

Associated Files

/tmp/weed.sh  (1817 bytes)  SHA256: 03b6aeb9c5021d7a61affe6a36e67d2d493f519fcfed5b89186239c9b15e128f
/tmp/weedntpd  (257952 bytes)  SHA256: fdc8d2e3685596268270d735e4d55c8e8df532b977c1cb84b428f66dbee9e57a
/tmp/weedsshd  (258080 bytes)  SHA256: f360915f4a95aed489d4e8ed1d9e709ea5462621c59f3ae25fb408bfe31b49e9
/tmp/weedopenssh  (206882 bytes)  SHA256: dae9a75cdedbb8ae9c88099a79dba4fc610461aa8250e3a158b0f2850908787a
/tmp/weedbash  (302388 bytes)  SHA256: 50be3cc46cf5bcc51bf95b4697b335e6c8c718f9b0ffea32bcb2cdd4d774552f
/tmp/weedtftp  (241938 bytes)  SHA256: cc5344fa7dfbf48a4f48cad9c784d96c9ae5515b675f707adaf653b5a818b810
/tmp/weedwget  (199409 bytes)  SHA256: a220c3b7dd4b5284463593809d283ee689bb7a7e31609e21d0f2038dd189d0cf
/tmp/weedcron  (220334 bytes)  SHA256: 9b59fae5a906382968e118769a92b0aa97afffca259196c48d2ed27908a98246
/tmp/weedftp  (198353 bytes)  SHA256: c13878f425167995ea5329706257f9493be43c2bd0ac610bd91d5ab5e0a05d95
/tmp/weedpftp  (219164 bytes)  SHA256: 7d954466477328e082702cf35c00548b7ac1b60fa652730495bd8309efa97c89
/tmp/weedsh  (233075 bytes)  SHA256: 55e994bf31d79e1baf79e15b1cd6fbea4650b536da4b2b9dd7e1d356e83b0f08
/tmp/weedshit  (227414 bytes)  SHA256: 846a639805f9e37c68f281b5753fd3988f8e32b212d10ad8927cd5b45a3ba101
/tmp/weedapache2  (220852 bytes)  SHA256: 1bb8db47dbb5e1c790ca7464bcd8763f74191c5969d93ab460b7a54a7d379dc5
