IP Address: 86.123.183.241

Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

DNS Query, Download and Execute, Download File, Download Operation, Malicious File, Outgoing Connection, Successful SSH Login, Download and Allow Execution, SSH, Package Install, Port 22 Scan, Human, Superuser Operation, HTTP, SFTP, 30 Shell Commands

Connect Back Servers

speedtest.oit.duke.edu, _http._tcp.archive.ubuntu.com, www.speedtest.net, _http._tcp.security.ubuntu.com, canonical.com, security.ubuntu.com, rockymount.speedtest.centurylink.net, rdu.ookla.gfsvc.com, xmr.pool.minergate.com, speed.celito.net, sbcglobal.net, celito.net, qwest.net, archive.ubuntu.com, zkane.000webhostapp.com, duke.edu, rdu.speedtest.sbcglobal.net, your-server.de

91.189.88.161, 94.130.9.194, 151.101.2.219, 74.113.230.246, 91.189.88.162, 152.3.103.197, 99.24.18.89, 205.171.135.26, 136.42.34.75, 145.14.145.213, 145.14.145.83, 46.4.120.155, 91.189.88.152, 176.9.147.178

Basic Information

IP Address

86.123.183.241

Domain

-

ISP

RCS & RDS

Country

Romania

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-05-06

Last seen in Guardicore Centra

2018-05-06

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/wget attempted to access domains: zkane.000webhostapp.com

DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.213:80

Outgoing Connection

The file /root/start was downloaded and executed 15 times

Download and Execute

Process /root/start attempted to access domains: xmr.pool.minergate.com 3 times

DNS Query

Process /root/start generated outgoing network traffic to: 94.130.9.194:45560 2 times

Outgoing Connection

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com

DNS Query

Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.security.ubuntu.com and security.ubuntu.com

DNS Query

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.161:80 and 91.189.88.152:80

Outgoing Connection

Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.88.162:80 and 91.189.88.161:80

Outgoing Connection

Process /root/start generated outgoing network traffic to: 46.4.120.155:45560

Outgoing Connection

A user logged in using SSH with the following credentials: root / ******** - Authentication policy: Correct Password 3 times

Successful SSH Login

The file /root/mix/1 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/mix/Desktop.ini was downloaded and granted execution privileges

Download and Allow Execution

The file /root/mix/a was downloaded and granted execution privileges

Download and Allow Execution

The file /root/mix/port was downloaded and granted execution privileges

Download and Allow Execution

The file /root/mix/pscan2.c was downloaded and granted execution privileges

Download and Allow Execution

The file /root/mix/scan.log was downloaded and granted execution privileges

Download and Allow Execution

The file /root/mix/start was downloaded and granted execution privileges

Download and Allow Execution

Process /root/mix/pscan2 scanned port 22 on 90 IP addresses (the 13.73.0.0/24 range, all on port 22)

Port 22 Scan

Connection was closed due to timeout

/root/mix/pscan2.c was identified as malicious by YARA according to rules: Toolkit Thor Hacktools

Malicious File

/root/mix/start was identified as malicious by YARA according to rules: Toolkit Thor Hacktools

Malicious File

/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_xenial-security_multiverse_i18n_Translation-en was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/var/lib/apt/lists/security.ubuntu.com_ubuntu_dists_xenial-security_multiverse_binary-amd64_Packages was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

Associated Files

/root/mix/a

SHA256: fef39f3a0095d263edc9e2e6654602f508407be789b448478011132e386cc0ab

1203 bytes

/root/zRooTScan/pscan2

SHA256: a511a37c9595dbf87167c3be5110d470f04fcaeec81b3f0a99bcb46f165d2857

888972 bytes

/root/zRooTScan/pscan2.c

SHA256: f8c1b66a18ea4ba02bd9e9f20d011a193acce7e1eeb1a753225c0f68382ee05f

6032 bytes
