IP Address: 94.174.13.254 (Previously Malicious)


Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
94.174.13.254
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SSH

Tags

Successful SSH Login, Human, Download and Allow Execution, Download and Execute, Access Suspicious Domain, User Created, 34 Shell Commands, DNS Query, Port 80 Scan, SSH, Download Operation, HTTP, Download File

Associated Attack Servers

Domains: www.speedtest.net, diicot.altervista.org, warnings.16mb.com, speedtest31.suddenlink.net, h4eteam.16mb.com, rockymount.speedtest.centurylink.net, rdu.ookla.gfsvc.com, archive.ubuntu.com, ssquad.3x.ro, rdu.speedtest.sbcglobal.net, cybernetik.000webhostapp.com, zpnr1.000webhostapp.com, canonical.com, speed.celito.net, cybernetik.3x.ro, github.com, _http._tcp.archive.ubuntu.com, kekhost.com

IP addresses: 31.170.164.55, 145.14.144.140, 52.174.52.111, 91.189.88.149, 145.14.145.44, 145.14.144.114, 192.30.253.112

Basic Information

IP Address

94.174.13.254

Domain

-

ISP

Virgin Media

Country

United Kingdom

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2018-03-25

Last seen in Guardicore Centra

2018-08-12

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/wget generated outgoing network traffic to: 185.28.20.96:80

Process /usr/bin/python2.7 scanned port 80 on 18 IP Addresses

Port 80 Scan

Process /usr/bin/wget scanned port 80 on 18 IP Addresses 15 times

Port 80 Scan

Process /usr/bin/wget attempted to access suspicious domains: warnings.16mb.com

DNS Query, Access Suspicious Domain

/root/v.py was downloaded

Download File

Process /usr/bin/python2.7 attempted to access domains: rockymount.speedtest.centurylink.net, www.speedtest.net, speedtest31.suddenlink.net and rdu.speedtest.sbcglobal.net

DNS Query

Process /usr/bin/python2.7 generated outgoing network traffic to: sbcglobal.net:80, centurylink.net:80, suddenlink.net:80, 136.42.34.74:80, 72.21.92.82:80, celito.net:80 and 136.42.34.75:80

Process /usr/bin/python2.7 attempted to access suspicious domains: rdu.ookla.gfsvc.com and speed.celito.net

DNS Query, Access Suspicious Domain

User packer was created with the password ****** and logged in using SSH

Successful SSH Login, User Created

A user logged in using SSH with the following credentials: packer / ****** - Authentication policy: Correct Password

Successful SSH Login

Process /usr/bin/wget attempted to access domains: diicot.altervista.org

DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 104.28.27.101:80

Process /usr/bin/wget attempted to access domains: cybernetik.000webhostapp.com 11 times

DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.213:80 2 times

The file /home/packer/h4epack was downloaded and granted execution privileges

Download and Allow Execution

The file /home/packer/lupu was downloaded and granted execution privileges

Download and Allow Execution

Process /usr/bin/wget generated outgoing network traffic to: 145.14.145.115:80 2 times

Process /usr/bin/wget generated outgoing network traffic to: 145.14.144.78:80

Process /usr/bin/wget generated outgoing network traffic to: 145.14.144.200:80 2 times

Process /usr/bin/wget generated outgoing network traffic to: 145.14.144.224:80 2 times

Process /usr/bin/wget generated outgoing network traffic to: 145.14.144.90:80

Process /usr/bin/wget generated outgoing network traffic to: 145.14.144.21:80

The file /home/packer/port was downloaded and granted execution privileges

Download and Allow Execution

A user logged in using SSH with the following credentials: root / **** - Authentication policy: Correct Password

Successful SSH Login

Process /usr/bin/wget attempted to access suspicious domains: cybernetik.3x.ro

DNS Query, Access Suspicious Domain

Process /usr/bin/wget generated outgoing network traffic to: 3x.ro:80

/root/gosh.zip was downloaded 2 times

Download File

Process /usr/bin/wget attempted to access suspicious domains: h4eteam.16mb.com

DNS Query, Access Suspicious Domain

Process /usr/bin/wget generated outgoing network traffic to: 31.170.164.55:80

The file /root/gosh/1 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/2 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/3 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/4 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/5 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/a was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/common was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/gen-pass.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/go.sh was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/mfu.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/pass_file was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/pscan2 was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/rand was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/scam was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/secure was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/ssh-scan was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/vuln.txt was downloaded and granted execution privileges

Download and Allow Execution

The file /root/gosh/ss was downloaded and executed 4 times

Download and Execute

Associated Files

/tmp/vsftpd.config.xQbFLj

SHA256: 7a8a9b63aa4167c6727518a8dd6f6b39908ab5262505108a79499f207b9c1c3e

149 bytes

/var/tmp/lupu

SHA256: 0ce038006acc7627b2351669ebe83e031f792727dd75e6e374c3d8202931e313

1251 bytes

/root/2

SHA256: fb9993b41bcb466f430858908d63c638bfaaaa238ba4b9d0afdc6f53b2ca7f03

72358 bytes

/var/tmp/x/conftest

SHA256: b96ba938066f5ecd2b2fe0771c4295ce41b8aa35dc19278419ccf7c81064cf1f

10912 bytes

/root/zz/.git/config.lock

SHA256: 3fcc3a7ff5b8273d86f9cff108bb48a7449601f70a4a4d0e19d89411aa812f85

36 bytes

/root/DDoS-Scripts/SSYN2.c

SHA256: eed597bc3c456e2947f95cc7c42802f52563c1d7d9d3b3f5acf153df71c52483

13719 bytes

/root/DDoS-Scripts/SUDP.c

SHA256: e4fc70739f44a80130f23fa9ec7d2a61846b36fbf524e672ee0d1dca03642b02

4188 bytes

/root/DDoS-Scripts/SUDP2.c

SHA256: 353d477a5268751833f4abce995987c612b62d55c10c880d7e17b9c0a94dfa69

5418 bytes

/root/DDoS-Scripts/ssyn

SHA256: 6ebe6701056ad5ad3820f4df74d29881fce2fbd7e7cce9bec63705f69d2d48aa

18320 bytes

/root/layer7.zip

SHA256: 489e5c63daf7a56ff3992c2fab2345cbdba196ed764d8878ffb653fe041466ab

102370 bytes

/root/layer7/layer7.py

SHA256: 9670dbe807cd09af8525e1aaae873429f238b7eef5d5cf545adc0afa68570984

19257 bytes
