IP Address:
81.196.218.210
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

Download Operation, Log Tampering, Download File, Download and Execute, Malicious File, Outgoing Connection, Package Install, SSH, Download and Allow Execution, 14 Shell Commands, Successful SSH Login, Access Suspicious Domain, HTTP, DNS Query, Human

Connect Back Servers

archive.ubuntu.com, ipscat.hi2.ro, poneytelecom.eu, canonical.com, adminer.net

212.129.53.225, 89.42.39.67, 91.189.88.149, 91.189.88.161

Basic Information

IP Address

81.196.218.210

Domain

-

ISP

RCS & RDS

Country

Romania

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-06-21

Last seen in Guardicore Centra

2017-06-22


Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

Log File Tampering detected from /bin/bash on the following logs: /var/log/lastlog and /var/log/wtmp

Log Tampering

Process /usr/bin/wget attempted to access suspicious domains: adminer.net and poneytelecom.eu

Access Suspicious Domain, Outgoing Connection, DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 212.129.53.225:80

Outgoing Connection

/root/papuc.tar was identified as malicious by YARA according to rules: Maldoc Somerules, Malw Warp, Antidebug Antivm and Rat Bolonyokte

Malicious File

/root/.x/inst was identified as malicious by YARA according to rules: Malw Warp and Rat Bolonyokte

Malicious File

/root/.x/bash was identified as malicious by YARA according to rules: Maldoc Somerules and Antidebug Antivm

Malicious File

/root/papuc.tar was downloaded

Download File

The file /root/.x was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/autorun was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/run was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/update was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/m.lev was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/inst was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/r was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/cron.d was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/vhosts was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/start was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.149:80

Outgoing Connection

Process /usr/lib/apt/methods/http attempted to access domains: archive.ubuntu.com

DNS Query

The file /root/.x/m.help was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/mech.dir was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/bash was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/share/doc/ftp was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.x/LinkEvents was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/bin/wget attempted to access domains: ipscat.hi2.ro

DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 89.42.39.67:80

Outgoing Connection

The file /root/.zlib/fever was downloaded and executed

Download and Execute

The file /var/lib/dpkg/tmp.ci/postinst was downloaded and granted execution privileges

Download and Allow Execution

The file /var/lib/dpkg/tmp.ci/prerm was downloaded and granted execution privileges

Download and Allow Execution

The file /usr/bin/netkit-ftp.dpkg-new was downloaded and granted execution privileges

Download and Allow Execution

/root/game2.jpg was downloaded

Download File

The file /root/.zlib was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/hide was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/do was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/start2 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/top was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/start was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/screen was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/s was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/end was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/pico was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/kill was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/send was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/pscan2 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/b was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/in was downloaded and granted execution privileges

Download and Allow Execution

The file /root/.zlib/b2 was downloaded and granted execution privileges

Download and Allow Execution

Associated Files

/var/tmp/papuc.tar

SHA256: 0905b3a5257550d87323fa5b9ef5e81e1de94a0982bd0b894187472f68e1ac70

1013760 bytes

/var/tmp/.x/autorun

SHA256: 5f03b45dc87f35120fd01f18150d2c3c807c9dc22d9433208d1bd14d5d581260

317 bytes

/var/tmp/.x/run

SHA256: e0abb3175ea6d042ca49ed299adc0fb2c322ca1e876db21968fc04c90be4fe53

29 bytes

/var/tmp/.x/inst

SHA256: f2ff25084227802fe124a34b3135f5de04c34783ea99ca8d4f7570dbf7bf16d3

340139 bytes

/var/tmp/.x/start

SHA256: f56941ababa95c13d906ac2d8acb613c236d0b193bf22fe35c61803747a7e70c

713 bytes

/var/tmp/.x/m.help

SHA256: 0d1191e8da46fb6461c072b97c94e2b9a139ee6e483a8b615524b47932095d59

22882 bytes

/var/tmp/.x/bash

SHA256: 68aef1145b4e208cf6600d2ccda0080d8ec7a7fe97354b92a7378b81975fbb63

492135 bytes

/root/.x/update

SHA256: e8124f61ca02a594b37ee2ebec4666dbac1f6ed10548ac537f04d903f8bfa718

154 bytes

/var/tmp/game2.jpg

SHA256: ac241b8fa4592f6695b272066d9d88cbf08411b8ebc1f688c69ef82eb40e9a0d

1040100 bytes

/tmp/ /.x/update

SHA256: c3350b211fc520c522d2a4dfa9fd6b75a8009795ac170736f71990d62f5db808

157 bytes
