Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 81.198.171.29Previously Malicious

IP Address: 81.198.171.29Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

SSH Brute Force 3 Shell Commands Outgoing Connection Download File Successful SSH Login Log Tampering HTTP Download Operation SSH Access Suspicious Domain

Associated Attack Servers

ip-51-38-244.eu

51.38.244.192

Basic Information

IP Address

81.198.171.29

Domain

-

ISP

Lattelecom

Country

Latvia

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2020-03-31

Last seen in Akamai Guardicore Segmentation

2020-04-01

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List (Part of a Brute Force Attempt)

SSH Brute Force Successful SSH Login

A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password (Part of a Brute Force Attempt)

SSH Brute Force Successful SSH Login

A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password (Part of a Brute Force Attempt)

SSH Brute Force Successful SSH Login

A possibly malicious Download Operation was detected 6 times

Download Operation

History File Tampering detected from /usr/sbin/sshd 3 times

Log Tampering

Process /bin/bash generated outgoing network traffic to: 51.38.244.192:80

Outgoing Connection

Process /bin/bash attempted to access suspicious domains: ip-51-38-244.eu

Access Suspicious Domain Outgoing Connection

Process /usr/bin/wget generated outgoing network traffic to: 51.38.244.192:80

Outgoing Connection

Process /bin/bash generated outgoing network traffic to: 51.38.244.192:80

Outgoing Connection

Process /usr/bin/wget attempted to access suspicious domains: ip-51-38-244.eu

Access Suspicious Domain Outgoing Connection

Process /bin/bash attempted to access suspicious domains: ip-51-38-244.eu

Access Suspicious Domain Outgoing Connection

/tmp/bot.pl was downloaded

Download File

/tmp/bot.pl.1 was downloaded

Download File

/tmp/bot.pl.2 was downloaded

Download File

Connection was closed due to timeout