
IP Address:
86.21.110.23
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

HTTP, Download and Execute, DNS Query, 8 Ftp Commands, Download Operation, Port 22 Scan, Download File, Successful SSH Login, SSH, Superuser Operation, Download and Allow Execution, SFTP, Outgoing Connection, Access Suspicious Domain, Human, 12 Shell Commands, Successful FTP Login

Associated Attack Servers

www.speedtest.net, kansascity1.cabospeed.com, sbcglobal.net, blazingfast.io, mci.speedtest.sbcglobal.net, nasapaul.com, speedtest-kc.kanren.net, kanren.net, cabospeed.com, upnfiber.us, upnfiber.com, cableone.net, speedtest.upnfiber.com, kcy.speedtest.t-mobile.com

208.82.109.2, 151.101.2.219, 185.61.137.36, 164.113.48.33, 160.3.213.2, 99.24.18.61

Basic Information

IP Address

86.21.110.23

Domain

-

ISP

Virgin Media

Country

United Kingdom

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-04-28

Last seen in Guardicore Centra

2019-05-03

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / ***** - Authentication policy: White List

Successful SSH Login

A possibly malicious Download Operation was detected 2 times

Download Operation Superuser Operation

Process /usr/bin/wget attempted to access suspicious domains: nasapaul.com 2 times

DNS Query Outgoing Connection Access Suspicious Domain

Process /usr/bin/wget generated outgoing network traffic to: 185.61.137.36:80 2 times

Outgoing Connection

/root/ninfo was downloaded

Download File

/root/v.py was downloaded

Download File

Process /usr/bin/python2.7 generated outgoing network traffic to: 151.101.2.219:443, 151.101.2.219:80, 160.3.213.2:80, 164.113.48.33:8080, 208.82.109.2:443 and 99.24.18.61:80

Outgoing Connection

Process /usr/bin/python2.7 attempted to access domains: kcy.speedtest.t-mobile.com and www.speedtest.net 2 times

DNS Query

Process /usr/bin/python2.7 attempted to access suspicious domains: cabospeed.com, kanren.net, kansascity1.cabospeed.com, mci.speedtest.sbcglobal.net, sbcglobal.net, speedtest-kc.kanren.net, speedtest.upnfiber.com and upnfiber.com

DNS Query Outgoing Connection Access Suspicious Domain

A possibly malicious Superuser Operation was detected

Download Operation Superuser Operation

Process /usr/bin/wget attempted to access suspicious domains: nasapaul.com

DNS Query Outgoing Connection Access Suspicious Domain

Process /usr/bin/wget generated outgoing network traffic to: 185.61.137.36:80

Outgoing Connection

/root/v.py.1 was downloaded

Download File

Process /usr/bin/python2.7 generated outgoing network traffic to: 151.101.2.219:443, 151.101.2.219:80, 160.3.213.2:80, 164.113.48.33:8080, 208.82.109.2:443 and 99.24.18.61:80

Outgoing Connection

Process /usr/bin/python2.7 attempted to access suspicious domains: cabospeed.com, kanren.net, kansascity1.cabospeed.com, mci.speedtest.sbcglobal.net, sbcglobal.net, speedtest-kc.kanren.net, speedtest.upnfiber.com and upnfiber.com

DNS Query Outgoing Connection Access Suspicious Domain

A user logged in using FTP with the following credentials: root / ******** - Authentication policy: Correct Password

Successful FTP Login

Process /usr/local/sbin/vsftpd started listening on ports: 19669

A user logged in using SSH with the following credentials: root / ******** - Authentication policy: Correct Password 3 times

Successful SSH Login

/boot/vmlinuz-4.4.0-112-generic was downloaded

Download File

/root/rand/go was downloaded

Download File

/root/rand/pass was downloaded

Download File

The file /root/rand/Found.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/rand/scan.log was downloaded and granted execution privileges

Download and Allow Execution

The file /root/rand/Config was downloaded and executed

Download and Execute

Process /root/rand/Config generated outgoing network traffic to: 13.94.0.10:22, 13.94.0.11:22, 13.94.0.12:22, 13.94.0.13:22, 13.94.0.14:22, 13.94.0.15:22, 13.94.0.16:22, 13.94.0.17:22, 13.94.0.18:22, 13.94.0.19:22, 13.94.0.1:22, 13.94.0.20:22, 13.94.0.21:22, 13.94.0.22:22, 13.94.0.23:22, 13.94.0.24:22, 13.94.0.25:22, 13.94.0.26:22, 13.94.0.27:22, 13.94.0.28:22, 13.94.0.29:22, 13.94.0.2:22, 13.94.0.30:22, 13.94.0.31:22, 13.94.0.3:22, 13.94.0.4:22, 13.94.0.5:22, 13.94.0.6:22, 13.94.0.7:22, 13.94.0.8:22 and 13.94.0.9:22

Process /root/rand/Config scanned port 22 on 31 IP Addresses

Port 22 Scan

Connection was closed due to timeout

Associated Files

/v.py

SHA256: 00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc

25470 bytes

/var/tmp/x/haiduc.filepart

SHA256: 6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4

1040592 bytes

/var/tmp/ninfo

SHA256: 19778a62055770a9e5f890e52227ccd39251bf23045c15383411638540ceabf7

2941 bytes

/root/rand/go

SHA256: 25763f129e3fbc0cec09fc18ac1f034e12bdaefd03b11cc201261ed25b66976f

4449 bytes
