
IP Address: 81.101.133.81
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner

Services Targeted

- SSH

Tags

Successful SSH Login Human Download and Allow Execution Package Install Malicious File 24 Shell Commands Access Suspicious Domain Bulk Files Tampering Listening DNS Query Kill Process Port 80 Scan SSH Brute Force SSH Download Operation HTTP Download File

Associated Attack Servers


Basic Information

IP Address: 81.101.133.81
Domain: -
ISP: Virgin Media
Country: United Kingdom

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2018-03-18
Last seen in Guardicore Centra: 2018-10-07


Attack Flow

- A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List (Part of a Brute Force Attempt) [Tags: Successful SSH Login, SSH Brute Force]
- Process /usr/bin/wget attempted to access suspicious domains: nasapaul.com 2 times [Tags: Access Suspicious Domain, DNS Query]
- Process /usr/bin/wget generated outgoing network traffic to: 185.61.137.36:80 2 times
- Process /usr/bin/python2.7 scanned port 80 on 10 IP Addresses [Tags: Port 80 Scan]
- Process /usr/bin/wget scanned port 80 on 10 IP Addresses 3 times [Tags: Port 80 Scan]
- Process /usr/lib/apt/methods/http scanned port 80 on 10 IP Addresses [Tags: Port 80 Scan]
- /root/ninfo was downloaded [Tags: Download File]
- /root/v.py was downloaded [Tags: Download File]
- Process /usr/bin/python2.7 attempted to access domains: rockymount.speedtest.centurylink.net, www.speedtest.net, speedtest31.suddenlink.net and rdu.speedtest.sbcglobal.net [Tags: DNS Query]
- Process /usr/bin/python2.7 generated outgoing network traffic to: 205.171.135.26:80, 208.180.158.146:80, 74.113.230.246:80, 136.42.34.75:80, 72.21.92.82:80, 99.24.18.89:80 and 136.42.34.74:80
- Process /usr/bin/python2.7 attempted to access suspicious domains: rdu.ookla.gfsvc.com and speed.celito.net [Tags: Access Suspicious Domain, DNS Query]
- A user logged in using SSH with the following credentials: root / *********************** - Authentication policy: Correct Password (Part of a Brute Force Attempt) 2 times [Tags: Successful SSH Login, SSH Brute Force]
- Process /usr/sbin/sshd started listening on ports: 22 [Tags: Listening]
- Process /usr/bin/wget generated outgoing network traffic to: 145.14.144.129:80
- Process /usr/bin/wget attempted to access suspicious domains: klebitz.cf [Tags: Access Suspicious Domain, DNS Query]
- /root/f.zip was downloaded [Tags: Download File]
- The file /root/f/a was downloaded and granted execution privileges [Tags: Download and Allow Execution]
- The file /root/f/brute was downloaded and granted execution privileges [Tags: Download and Allow Execution]
- The file /root/f/hu was downloaded and granted execution privileges [Tags: Download and Allow Execution]
- The file /root/f/mass was downloaded and granted execution privileges [Tags: Download and Allow Execution]
- The file /root/f/passfile was downloaded and granted execution privileges [Tags: Download and Allow Execution]
- The file /root/f/vuln was downloaded and granted execution privileges [Tags: Download and Allow Execution]
- /root/f/passfile was identified as malicious by YARA according to rules: Apt Apt1 [Tags: Malicious File]
- Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com [Tags: DNS Query]
- Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.91.23:80
- /var/lib/dpkg/tmp.ci/control was identified as malicious by YARA according to rules: Suspicious Strings [Tags: Malicious File]
- Connection was closed due to timeout
- Process /usr/lib/apt/methods/http performed bulk changes in {/var/cache/apt} on 37 files [Tags: Bulk Files Tampering]
- Process /usr/bin/dpkg performed bulk changes in {/} on 870 files [Tags: Bulk Files Tampering]

Associated Files

/v.py

SHA256: 00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc

25470 bytes

/var/tmp/ninfo

SHA256: f7705ce1f52afc75024ec31dbe11ed7d5627d38bf497a81a4946f0ceea837453

4142 bytes

/var/tmp/.new/autorun

SHA256: 61d056d05b6f8e5a60a9483671e661358104c65690e9187eefd91a70455ac0ca

319 bytes

/var/tmp/.new/httpd.conf

SHA256: d4ec78f0489509a7c8cc253d2d77e283e0f9b2abc657edac6c1595b3749a21ed

2173185 bytes

/var/tmp/mina/mina/update

SHA256: 2497ab857c9e0124fb6b3e887b153472f3558eb0f41f98b7f2cbdd74e97f0a0a

176 bytes

/var/tmp/.sal/ninfo

SHA256: 84eada15f75e523cb7da2e92a76eb0cfa595579f1248fb1bb2120138aa3dd979

4315 bytes

/root/ninfo.txt

SHA256: 0c245f3125cc755e07a94ae3a3d7f433d75f5f0c2eafeb89ad80675645faebe0

4225 bytes

/root/xmr.zip.filepart

SHA256: 1f5e62a8c7cd8735056f726cc40d1eddc3c358a418f4ca246d1d475d9c1c5fd8

841414 bytes

/root/xmr/zone_run

SHA256: 8994f0ed663343c910d937fc478ad0d16cf26917dd49dea8bfd06f6084b64546

107 bytes

/root/f.zip

SHA256: 142a903a2e275a71e0a4d5a74098cd43ecf0719706519cfc9b8040a67cc77d52

901966 bytes

/root/f/a

SHA256: 33bbd4a824fdde9b188f52ad3f981b26ff92f0deffdd14c312f89e4b1dcd0b66

54 bytes

/root/md.gif

SHA256: c729d5f445419fae2ee8e9c948a15393b48efc189fc225512559544d6cb67309

1026470 bytes

/root/mix.zip

SHA256: 0ca04868632cd23698e2a494537b297e3757de310311f4abae754e9d137213f4

690129 bytes

/root/linux-ssh.zip

SHA256: eab3a66816c6f66c5e562468d282a261e8caab3a3f7b8da61802cfd4f322b1e0

691676 bytes

/root/linux-ssh/pscan2

SHA256: 8a00578a75cff11c44e77180bfad09466ea264122ccde1d07fbcac63da0a15a4

12416 bytes

/root/linux-ssh/sshd

SHA256: 5dae51a49a48b68a0f1ed510fed50a464ad589e66a121e3efe8ce1bbfedea833

1485768 bytes

/root/linux-ssh/x

SHA256: 4b1703d7b73b09a4e22953ed3fbe6dda50167aa2f95e754cf018992089acb9c5

327 bytes

/var/tmp/v.py

SHA256: edf41a9a5bb95038111e2cc649107b815ee4504575adc0d492a737ad180c46b1

48890 bytes
