IP Address: 81.180.242.174 - Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SCP, SSH
Tags: Port 8080 Scan, Successful SSH Login, Port 22 Scan, 3 Shell Commands, SSH, SCP, Port 80 Scan, Access Suspicious Domain, Outgoing Connection, Download File, Superuser Operation, Listening
Associated Attack Servers: cultimording.org.uk, dsl.net, eins.jp, qwest.net, telstra.net, ttnet.com.tr, 1.1.1.1, 31.169.25.190, 64.8.212.242, 81.70.147.119, 95.8.37.82, 96.121.102.85, 101.42.223.157, 101.53.122.229, 101.181.133.157, 103.69.138.158, 124.222.238.185, 129.214.38.20, 150.158.85.157, 192.80.167.239, 208.47.222.122, 212.146.110.216
IP Address: 81.180.242.174
Domain: -
ISP: Institutul National de Cercetare-Dezvoltare in inf
Country: Romania
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2021-12-15
Last seen in Akamai Guardicore Segmentation: 2023-05-24
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Tags: Successful SSH Login
/dev/shm/ifconfig was downloaded
Tags: Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password (2 times)
Tags: Successful SSH Login
A possibly malicious Superuser Operation was detected (2 times)
Tags: Superuser Operation
Process /dev/shm/apache2 scanned port 22 on 10 IP Addresses
Tags: Port 8080 Scan, Port 22 Scan, Port 80 Scan
Process /dev/shm/apache2 scanned port 80 on 10 IP Addresses
Tags: Port 8080 Scan, Port 22 Scan, Port 80 Scan
Process /dev/shm/apache2 scanned port 8080 on 10 IP Addresses
Tags: Port 8080 Scan, Port 22 Scan, Port 80 Scan
Process /dev/shm/apache2 scanned port 22 on 32 IP Addresses
Tags: Port 8080 Scan, Port 22 Scan, Port 80 Scan
Process /dev/shm/apache2 scanned port 22 on 32 IP Addresses
Tags: Port 8080 Scan, Port 22 Scan, Port 80 Scan
Process /dev/shm/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.181.133.157:2222, 101.42.223.157:1234, 101.53.122.229:2222, 102.188.44.31:80, 102.188.44.31:8080, 103.69.138.158:2222, 106.115.130.163:80, 106.115.130.163:8080, 116.62.148.187:80, 116.62.148.187:8080, 119.167.215.144:80, 119.167.215.144:8080, 123.98.67.95:22, 124.222.238.185:1234, 125.214.4.59:80, 125.214.4.59:8080, 129.214.38.20:2222, 13.30.180.136:22, 131.230.215.56:80, 131.230.215.56:8080, 142.116.207.2:80, 142.116.207.2:8080, 143.71.137.142:80, 143.71.137.142:8080, 145.117.160.206:80, 145.117.160.206:8080, 15.53.82.142:22, 150.115.235.4:22, 150.158.85.157:1234, 153.250.74.37:80, 153.250.74.37:8080, 155.159.23.129:80, 155.159.23.129:8080, 158.63.195.32:22, 161.122.204.45:80, 161.122.204.45:8080, 175.166.196.204:22, 183.96.29.197:80, 183.96.29.197:8080, 184.95.3.238:80, 184.95.3.238:8080, 197.210.12.233:80, 197.210.12.233:8080, 198.168.2.71:80, 198.168.2.71:8080, 2.179.221.95:22, 208.47.222.122:2222, 212.146.110.216:2222, 215.68.173.81:80, 215.68.173.81:8080, 221.188.9.216:80, 221.188.9.216:8080, 222.187.152.104:80, 222.187.152.104:8080, 248.228.39.167:80, 248.228.39.167:8080, 250.79.169.164:80, 250.79.169.164:8080, 252.1.59.189:80, 252.1.59.189:8080, 252.185.238.208:80, 252.185.238.208:8080, 28.195.175.8:80, 28.195.175.8:8080, 31.169.25.190:1234, 31.221.123.61:22, 36.235.249.21:80, 36.235.249.21:8080, 36.37.210.107:80, 36.37.210.107:8080, 47.47.90.208:80, 47.47.90.208:8080, 64.8.212.242:2222, 67.18.173.111:80, 67.18.173.111:8080, 67.186.60.217:80, 67.186.60.217:8080, 76.117.114.48:80, 76.117.114.48:8080, 79.226.104.146:80, 79.226.104.146:8080, 81.180.242.174:1234, 81.70.147.119:1234, 82.25.54.71:22, 93.107.110.126:80, 93.107.110.126:8080, 95.8.37.82:2222 and 96.121.102.85:2222 |
Tags: Outgoing Connection
Process /dev/shm/apache2 started listening on ports: 1234, 8088 and 8181
Tags: Listening
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Tags: Port 8080 Scan, Port 22 Scan, Port 80 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Tags: Port 8080 Scan, Port 22 Scan, Port 80 Scan
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Tags: Port 8080 Scan, Port 22 Scan, Port 80 Scan
Process /dev/shm/apache2 attempted to access suspicious domains: cultimording.org.uk, dsl.net, eins.jp, qwest.net and telstra.net
Tags: Outgoing Connection, Access Suspicious Domain
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Tags: Port 8080 Scan, Port 22 Scan, Port 80 Scan
Connection was closed due to timeout
|