IP Address: 89.33.147.214 (Previously Malicious)


IP Address:
89.33.147.214
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

SFTP, SSH, Malicious File, DNS Query, Download File, Superuser Operation, Download and Allow Execution, 38 Shell Commands, Human, Log Tampering, Access Suspicious Domain, Successful SSH Login, Bulk Files Tampering, Outgoing Connection

Connect Back Servers

Domains: www.speedtest.net, stosat-rstn-01.sys.comcast.net, shentel.net, sp1.winchesterwireless.net, stosat-malt-01.sys.comcast.net, edinburg.speedtest.shentel.net, bigdaddy.wave2net.com, blazingfast.io, arhivecodex.tk, darknessnr1.000webhostapp.com, comcast.net, nasapaul.com

IPs: 69.241.0.94, 145.14.145.158, 204.111.5.18, 151.101.2.219, 69.241.87.90, 184.170.114.134, 204.111.21.7, 145.14.144.182, 185.199.108.153, 185.61.137.36

Basic Information

IP Address

89.33.147.214

Domain

-

ISP

Digital Cable Systems SA

Country

Romania

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-07-22

Last seen in Guardicore Centra

2018-08-01


Attack Flow

A user logged in using SSH with the following credentials: root / ******** - Authentication policy: White List

Successful SSH Login

A possibly malicious Superuser Operation was detected

Superuser Operation

A user logged in using SSH with the following credentials: root / ************** - Authentication policy: Correct Password 4 times

Successful SSH Login

/root/brute/a was downloaded 2 times

Download File

/root/brute/brute/a was downloaded 2 times

Download File

/root/brute/brute/gasite.txt was downloaded 2 times

Download File

/root/brute/brute/lc was downloaded 2 times

Download File

/root/brute/brute/mix/a was downloaded 2 times

Download File

/root/brute/brute/mix/pass.txt was downloaded 2 times

Download File

/root/brute/brute/mix/pscan was downloaded 2 times

Download File

/root/brute/brute/mix/random was downloaded 2 times

Download File

/root/brute/brute/mix/scan.log was downloaded 2 times

Download File

/root/brute/brute/pass was downloaded 2 times

Download File

/root/brute/brute/scan.log was downloaded 2 times

Download File

/root/brute/gasite.txt was downloaded 2 times

Download File

/root/brute/lc was downloaded 2 times

Download File

/root/brute/mix/a was downloaded 2 times

Download File

The file /root/k.py was downloaded and granted execution privileges

Download and Allow Execution

The file /root/kinfo was downloaded and granted execution privileges

Download and Allow Execution

/root/brute/mix/brute.filepart was downloaded

Download File

/root/brute/mix/pass.txt was downloaded 2 times

Download File

/root/brute/mix/pscan was downloaded 2 times

Download File

/root/brute/mix/random was downloaded 2 times

Download File

/root/brute/mix/scan.log was downloaded 2 times

Download File

/root/brute/pass was downloaded 2 times

Download File

/root/brute/scan.log was downloaded 2 times

Download File

Process /usr/bin/python2.7 attempted to access domains: stosat-rstn-01.sys.comcast.net, www.speedtest.net, stosat-malt-01.sys.comcast.net and edinburg.speedtest.shentel.net

DNS Query

Process /usr/bin/python2.7 generated outgoing network traffic to: 184.170.114.134:80, 151.101.2.219:80, shentel.net:80, 204.111.21.7:80 and comcast.net:80

Outgoing Connection

Process /usr/bin/python2.7 attempted to access suspicious domains: sp1.winchesterwireless.net and bigdaddy.wave2net.com

DNS Query Access Suspicious Domain Outgoing Connection

The file /root/gosh/1 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/2 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/3 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/anti-blackdor.anti was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/clean was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/cleanlist was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/go was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/motd was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/pass_file was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/random was downloaded and granted execution privileges

Download and Allow Execution

/root/brute/brute/mix/pscan was identified as malicious by YARA according to rules: Toolkit Thor Hacktools and 000 Common Rules

Malicious File

/root/brute/mix/pscan was identified as malicious by YARA according to rules: Toolkit Thor Hacktools and 000 Common Rules

Malicious File

Log File Tampering detected from /bin/bash on the following logs: /var/log/apt/apt.log, /var/log/auth.log, /var/log/faillog, /var/log/fsck/checkfs, /var/log/syslog, /var/log/fsck, /var/log/dpkg.log, /var/log/ntpstats, /var/log/fontconfig.log, /var/log/apt/term.log, /var/log/apt/history.log, /var/log/alternatives.log, /var/log/kern.log, /var/log/btmp, /var/log/fsck/checkroot, /var/log/lastlog, /var/log/wtmp, /var/log/bootstrap.log, /var/log/apt and /var/log/dmesg

Log Tampering

History File Tampering detected from /bin/bash on the following logs: /root/.bash_history 3 times

Log Tampering

The file /root/gosh/mfu.txt was downloaded and granted execution privileges 2 times

Download and Allow Execution

Log File Tampering detected from /bin/bash on the following logs: /var/log/wtmp, /var/log/faillog, /var/log/ntpstats, /var/log/syslog, /var/log/fsck, /var/log/dpkg.log, /var/log/fontconfig.log, /var/log/alternatives.log, /var/log/btmp, /var/log/kern.log, /var/log/lastlog, /var/log/auth.log, /var/log/bootstrap.log, /var/log/apt and /var/log/dmesg 2 times

Log Tampering

The file /root/gosh/bios.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/dup.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/vuln.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/vuln1.txt was downloaded and granted execution privileges

Download and Allow Execution

/root/gosh/motd was identified as malicious by YARA according to rules: Packer Compiler Signatures

Malicious File

/root/gosh/pass_file was identified as malicious by YARA according to rules: Suspicious Strings

Malicious File

/root/gosh/anti-blackdor.anti was identified as malicious by YARA according to rules: 000 Common Rules

Malicious File

Connection was closed due to timeout

Process /usr/lib/openssh/sftp-server performed bulk changes in {/root} on 32 files

Bulk Files Tampering

Process /usr/lib/openssh/sftp-server performed bulk changes in {/root} on 45 files

Bulk Files Tampering

Associated Files

/v.py

SHA256: 00e430b733cf199747c9c6e0f2e2fae6a045bbed9c0f0f993112b301fcdf5dbc

25470 bytes

/var/tmp/x/haiduc.filepart

SHA256: 6163a3ca3be7c3b6e8449722f316be66079207e493830c1cf4e114128f4fb6a4

1040592 bytes

/var/tmp/zone/screen.filepart

SHA256: 2413af510a75ada34716165992a425b35f62ba1478f63746502afd8a8a156b80

249980 bytes

/var/tmp/ninfo

SHA256: 19778a62055770a9e5f890e52227ccd39251bf23045c15383411638540ceabf7

2941 bytes

/var/tmp/. /info

SHA256: dd14cae04ae1515b794dbfce857b1e7173ac8c89e766d02b9abf86dd7fd56f21

5216 bytes

/root/codemix/c

SHA256: 6005c3ae1042772e3ceec74d0b45874b23f0761256e1f0649af3628a158c0f84

1198 bytes

/root/codemix/sshd.filepart

SHA256: 17819c7c77c8e6fe46bee617c2d566de52ede346958e9b35c8f15f3d8b758197

1485768 bytes

/var/tmp/groot.zip

SHA256: 575a17bac99ab4077e2c9bcd01fbc14953827377972e414f669bfa8dbc030bae

724193 bytes

/var/tmp/gosh/1

SHA256: 246fcc88606c73771e9ccfed22be1ee97636f65156b1076db2e506e16e732db3

189 bytes

/root/mix/a

SHA256: da17993ede7ad50605fed2f06efa63f07e26c7ec55648315562ac9b5af665e93

423 bytes

/root/mix/brute

SHA256: 0058b89db361ce8dd1ab82184fc942fdac434876ce3e47eb29e1a8172c9fc984

1485768 bytes

/root/mix/pscan

SHA256: e9d04e290046a9ed81d60ed6f06d48de0cd4619b800aaeb8ca0a100adae1c5a1

12425 bytes

/root/mix/random

SHA256: 74f333eee0761f6d83137a5ab0e4bf9345ac6cbce216d49939ff8bef7a3e075d

232 bytes

/var/tmp/speed.py

SHA256: f98f21bc8d49fe2f9ad56cf0ea038ef47d68b74cf338d45c162caa3c50d497d6

49503 bytes

/root/mix/1

SHA256: 47ceea0cde8fe0fadd8056b5f38f18e7161d67744dc73cdb01722aa08be6edc0

71249 bytes

/root/k.py

SHA256: efd87bf5ab6260c49b5bb2dfa635585e1077013af0619b24af3984d64d10ee15

25045 bytes

/root/brute/lc

SHA256: 0c0c172814f3b9b77e46d2d3fd7aa844df6d3c73733ab8cfc49346a781bd54da

630 bytes

/root/groot.zip

SHA256: c01ca4672177c1ddf4abea69f2771151f1febe6bb4baf4b65143870ac0d1e5e9

39622 bytes
