Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 93.38.120.154Previously Malicious

IP Address: 93.38.120.154Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SCP

Tags

Successful SSH Login Executable File Modification Scheduled Task Creation SCP System File Modification IDS - A Network Trojan was detected Listening 42 Shell Commands Access Suspicious Domain Service Configuration Download File Outgoing Connection Download and Execute SSH

Associated Attack Servers

ip-139-99-62.net ip-139-99-68.net ip-147-135-37.us

37.59.43.131 37.59.54.205 51.81.245.40 88.99.193.240 94.130.164.163 94.130.165.85 139.99.62.196 139.99.68.128 147.135.37.31 158.69.25.62 158.69.25.71 158.69.25.77

Basic Information

IP Address

93.38.120.154

Domain

-

ISP

Fastweb

Country

Italy

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2020-11-02

Last seen in Akamai Guardicore Segmentation

2020-11-03

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

/bin/0jhrhwz0fle83nfe2x25uf3br9 was downloaded

Download File

Executable file /bin/0jhrhwz0fle83nfe2x25uf3br9 was modified

Executable File Modification

IDS detected A Network Trojan was detected : DNS request for Monero mining pool

IDS - A Network Trojan was detected

The file /bin/dhpcd was downloaded and executed 17 times

Download and Execute

Process /bin/dhpcd generated outgoing network traffic to: 139.99.62.196:4444, 147.135.37.31:4444, 158.69.25.77:4444, 37.59.54.205:4444, 88.99.193.240:4444 and 94.130.165.85:4444

Outgoing Connection

Process /bin/dhpcd attempted to access suspicious domains: ip-139-99-62.net, ip-147-135-37.us, ip-158-69-25.net and ip-37-59-54.eu

Access Suspicious Domain Outgoing Connection

System file /etc/shadow was modified 9 times

System File Modification

/dev/shm/0jhrhwz0fle83nfe2x25uf3br9 was downloaded

Download File

/dev/shm/knrm was downloaded

Download File

/dev/shm/r was downloaded

Download File

System file /etc/sedwLNHtG was modified 9 times

System File Modification

Process /bin/dhpcd generated outgoing network traffic to: 158.69.25.77:4444

Outgoing Connection

Process /bin/dhpcd attempted to access suspicious domains: ip-158-69-25.net

Access Suspicious Domain Outgoing Connection

/etc/rc.d/rc.local was downloaded

Download File

/etc/rc.local was downloaded 2 times

Download File

/etc/rc.local was downloaded

Download File

System file /etc/rc.local was modified 4 times

System File Modification

Process /usr/sbin/sshd started listening on ports: 22

Listening

Connection was closed due to timeout