
IP Address: 86.127.31.73
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

SSH, Access Suspicious Domain, Superuser Operation, Download Operation, Download File, DNS Query, Human, Download and Allow Execution, Successful SSH Login, SFTP, 27 Shell Commands, Log Tampering

Associated Attack Servers

www.fanelishere.tk, www.speedtest.net, cybernetik.3x.ro, fanelishere.tk

Basic Information

IP Address

86.127.31.73

Domain

-

ISP

RCS & RDS

Country

Romania

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-09-15

Last seen in Guardicore Centra

2019-09-21


Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

A possibly malicious Superuser Operation was detected

Superuser Operation, Download Operation

A user logged in using SSH with the following credentials: root / *********** - Authentication policy: Correct Password 2 times

Successful SSH Login

A possibly malicious Download Operation was detected 2 times

Superuser Operation, Download Operation

Process /usr/bin/wget attempted to access suspicious domains: fanelishere.tk

Access Suspicious Domain, DNS Query

/root/info was downloaded

Download File

/root/v.py was downloaded 2 times

Download File

Process /usr/bin/wget attempted to access suspicious domains: www.fanelishere.tk

Access Suspicious Domain, DNS Query

Process /usr/bin/python2.7 attempted to access domains: www.speedtest.net 2 times

DNS Query

/root/gosh.zip.filepart was downloaded

Download File

The file /root/gosh/1 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/3 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/2 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/anti-blackdor.anti was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/bios.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/clean was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/cleanlist was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/dup.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/eof.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/mfu.txt was downloaded and granted execution privileges 2 times

Download and Allow Execution

The file /root/gosh/go was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/pass_file was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/random was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/motd was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/vuln.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/screen was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/vuln1.txt was downloaded and granted execution privileges

Download and Allow Execution

Log File Tampering detected from /bin/bash on the following logs: /var/log/alternatives.log, /var/log/apt, /var/log/apt/apt.log, /var/log/apt/history.log, /var/log/apt/term.log, /var/log/auth.log, /var/log/bootstrap.log, /var/log/btmp, /var/log/dmesg, /var/log/dpkg.log, /var/log/faillog, /var/log/fontconfig.log, /var/log/fsck, /var/log/fsck/checkfs, /var/log/fsck/checkroot, /var/log/kern.log, /var/log/lastlog, /var/log/ntpstats, /var/log/syslog and /var/log/wtmp

Log Tampering

History File Tampering detected from /bin/bash on the following logs: /root/.bash_history

Log Tampering

Log File Tampering detected from /bin/bash on the following logs: /var/log/alternatives.log, /var/log/apt, /var/log/auth.log, /var/log/bootstrap.log, /var/log/btmp, /var/log/dmesg, /var/log/dpkg.log, /var/log/faillog, /var/log/fontconfig.log, /var/log/fsck, /var/log/kern.log, /var/log/lastlog, /var/log/ntpstats, /var/log/syslog and /var/log/wtmp

Log Tampering

History File Tampering detected from /bin/bash on the following logs: /root/.bash_history

Log Tampering

The file /root/gosh/bios.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/dup.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/vuln.txt was downloaded and granted execution privileges

Download and Allow Execution

Log File Tampering detected from /bin/bash on the following logs: /var/log/alternatives.log, /var/log/apt, /var/log/auth.log, /var/log/bootstrap.log, /var/log/btmp, /var/log/dmesg, /var/log/dpkg.log, /var/log/faillog, /var/log/fontconfig.log, /var/log/fsck, /var/log/kern.log, /var/log/lastlog, /var/log/ntpstats, /var/log/syslog and /var/log/wtmp

Log Tampering

History File Tampering detected from /bin/bash on the following logs: /root/.bash_history

Log Tampering

Log File Tampering detected from /bin/bash on the following logs: /var/log/alternatives.log, /var/log/apt, /var/log/auth.log, /var/log/bootstrap.log, /var/log/btmp, /var/log/dmesg, /var/log/dpkg.log, /var/log/faillog, /var/log/fontconfig.log, /var/log/fsck, /var/log/kern.log, /var/log/lastlog, /var/log/ntpstats, /var/log/syslog and /var/log/wtmp

Log Tampering

History File Tampering detected from /bin/bash on the following logs: /root/.bash_history

Log Tampering

Connection was closed due to timeout

Associated Files

/var/tmp/zone/screen.filepart

SHA256: 2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80

249980 bytes

/var/tmp/gosh/1

SHA256: 246fcc88606c73771e9ccfed22be1ee97636f65156b1076db2e506e16e732db3

189 bytes

/var/tmp/gosh/random

SHA256: 6d8ffb2449a2e56d63c23e66aa367bd3a610adf96b288dfc8e52bffda15751af

184 bytes

/.sal/groot/go~

SHA256: 41c3ee93f8d79479d09ab1771be47ef4eac2a0829fc2d4f2d97320de509b9b84

815 bytes

/var/tmp/gosh/2

SHA256: 42237dd0eeacbddd1e07df21cd437cdf9c1b0282ac7b565d51589e57b39bffd1

119 bytes

/var/tmp/gosh/3

SHA256: c2c5e4a271f8af56df3c091397e9db498f48434001e3d8b7e63cadd902e5adc9

187 bytes

/var/tmp/gosh/anti-blackdor.anti

SHA256: ff2d1dfec0d7f40d0045942cceda733184cbaf57fcf3e251c2e52b231ec4cefe

12780 bytes

/root/info

SHA256: 41bf5114307e1587974d3b36f4c5e71e46192027c67ccf51e0d5ddfcd3239251

5487 bytes

/root/v.py

SHA256: c3c7ddd7069aeaf4213a593e8f142410cc39ac7c337171fb1f3c5eafccea6043

49683 bytes

/root/gosh.zip.filepart

SHA256: 7e93262fc0b605814727a9b8a9d3b3b591e6ddf5cbb61189ee8831478edd436a

145432 bytes
