IP Address: 94.242.228.174 - Previously Malicious


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker

Services Targeted

SSH

Tags

DNS Query, HTTP, Human, Download File, Outgoing Connection, SSH, Successful SSH Login, Access Suspicious Domain, Download Operation, 5 Shell Commands

Connect Back Servers

Domains:

xphkxaiz233pjoto.onion.link
w4gfzjunvynjhpj6.onion.cab
sp1.winchesterwireless.net
edinburg.speedtest.shentel.net
customcomputersva.com
igxhhnue75hvk5yc.onion.link
hukot.net
stosat-rstn-01.sys.comcast.net
gmpsfqrlquaokfl5.onion.cab
shentel.net
s1.speedtest.wdc1.us.leaseweb.net
lmco62zvt7fnezd5.onion.to
igxhhnue75hvk5yc.onion.to
tqz3y4w3eq4wi2ay.onion.nu
v69.16mb.com
qcuifb2klqqkwc5q.onion.to
www.speedtest.net
lmco62zvt7fnezd5.onion.cab
startdedicated.de
stosat-malt-01.sys.comcast.net
comcast.net

IP addresses:

72.21.92.82
188.213.49.65
69.241.0.94
204.111.5.18
62.138.11.6
46.36.37.82
184.170.114.134
192.36.27.5
103.198.0.2
185.100.85.150
31.170.167.220
207.244.94.68
69.241.87.90

Basic Information

IP Address

94.242.228.174

Domain

-

ISP

root SA

Country

Luxembourg

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-06-22

Last seen in Guardicore Centra

2017-08-21


Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List

Successful SSH Login

Process /usr/bin/wget attempted to access suspicious domains: v69.16mb.com

Access Suspicious Domain Outgoing Connection DNS Query

Process /usr/bin/wget generated outgoing network traffic to: 31.170.167.220:80

Outgoing Connection

Process /usr/bin/python2.7 attempted to access domains: s1.speedtest.wdc1.us.leaseweb.net, stosat-rstn-01.sys.comcast.net, www.speedtest.net, stosat-malt-01.sys.comcast.net and edinburg.speedtest.shentel.net

DNS Query

Process /usr/bin/python2.7 generated outgoing network traffic to: 69.241.0.94:80, 69.241.87.90:80, 207.244.94.68:80, 184.170.114.134:80, 204.111.5.18:80 and 72.21.92.82:80

Outgoing Connection

Process /usr/bin/python2.7 attempted to access suspicious domains: sp1.winchesterwireless.net and customcomputersva.com

Access Suspicious Domain Outgoing Connection DNS Query

/root/viteza.py was downloaded

Download File

Associated Files

/tmp/vpsinfo.sh

SHA256: dde264cc06ebaf2b3f1740c8505d76998b3d13d6828698bb6dd94e3db32c6dfa

3205 bytes

/root/viteza.py

SHA256: abee68840582cf5510821e6bcf863fb53315492a24220eb1db4dcc0f10a4575f

25233 bytes

/tmp/om2UDhJc

SHA256: 57a00d800debbc709a3c96ca2c04dad7011805bb983868c5e7dd8e1b4f2a2d64

4390176 bytes

/tmp/cqjzSiU73By

SHA256: e62105ab36579f0e55c397d63f757e6a4320e6c7713ccbdfff883e9f53ffdebf

4390176 bytes

/tmp/Om0whdoAsk

SHA256: 9671e0e757c98f22297ebb4a51fb49ef2ec60a2d52516e5d1368b8ffc1ea1675

4390176 bytes

/tmp/DFxVFwauOgIk

SHA256: 118bcc73f2b740392af9729382f348b5d85f497424f1523c3d14b1cc57d75985

4390176 bytes

/tmp/7QfhSNJBy7YKhA

SHA256: df35786bd27f358c0c87282561b83a627b0e2cc626c13c68a03b32dd76537662

4390176 bytes

/tmp/udAOHuaZAs0

SHA256: 7955da4d368434a2c5d2ae5b2ba86c8e546bf791f0fbb08891b4c776cf8a2253

4390176 bytes

/tmp/PPE7btu7fOrN

SHA256: 7d915f35c60fbe29055582c29b442dae9f8b99fdc0c5b8c1d629823e43dba66b

4390176 bytes

/tmp/wHO37MpqE

SHA256: 94c728e2a8e9d692737b1977e0ec54b3acac16747146676351725100a64ed48d

4390176 bytes

/tmp/3H60TZX9

SHA256: 134983c2246452ef13abd51a6bcb120e68e6f8f6d225e181d00b4fdfc7a40a25

4390176 bytes
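The attack flow above and the file list that follows are the indicators a defender would actually hunt for on other hosts: a password login as root from the attacker IP, DNS queries for the three domains the report tags "Access Suspicious Domain" (the speedtest, Comcast and Leaseweb hosts appear in the connect-back list but are not tagged, so alerting on them would mostly produce noise), the wget connection to 31.170.167.220:80, the known SHA256 values, and the nine 4390176-byte files in /tmp that share a size but never a hash. The script below is an added example and is not Guardicore's code. The indicators are copied from this report; the sshd line follows OpenSSH's "Accepted ... ssh2" format, while the dnsmasq-style query line and the CONNECT line are assumed log shapes, and all sample entries are constructed rather than captured from the incident.

```python
# Added example: IOC matcher for this report (not Guardicore code).
# Indicators are copied from the report; log shapes marked "assumed" are not.
import re
from collections import defaultdict

ATTACKER_IPS = {"94.242.228.174"}
# Only the hosts the report tags "Access Suspicious Domain"; the speedtest/ISP
# hosts in the connect-back list are deliberately left out.
SUSPICIOUS_DOMAINS = {"v69.16mb.com", "sp1.winchesterwireless.net", "customcomputersva.com"}
SUSPICIOUS_DESTS = {("31.170.167.220", 80)}   # wget's destination in the attack flow
KNOWN_HASHES = {                                # SHA256 -> path, subset of "Associated Files"
    "dde264cc06ebaf2b3f1740c8505d76998b3d13d6828698bb6dd94e3db32c6dfa": "/tmp/vpsinfo.sh",
    "abee68840582cf5510821e6bcf863fb53315492a24220eb1db4dcc0f10a4575f": "/root/viteza.py",
    "57a00d800debbc709a3c96ca2c04dad7011805bb983868c5e7dd8e1b4f2a2d64": "/tmp/om2UDhJc",
    "e62105ab36579f0e55c397d63f757e6a4320e6c7713ccbdfff883e9f53ffdebf": "/tmp/cqjzSiU73By",
}

SSH_ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\d+\.\d+\.\d+\.\d+) port (\d+)")  # OpenSSH
DNS_QUERY = re.compile(r"query\[\w+\] (\S+) from (\S+)")                                   # dnsmasq-style, assumed
CONN_LINE = re.compile(r"CONNECT src=(\S+) dst=(\d+\.\d+\.\d+\.\d+):(\d+) exe=(\S+)")       # assumed shape

def ssh_logins_from(lines, attacker_ips=ATTACKER_IPS):
    """(method, user, ip) for every accepted SSH login from a listed attacker IP."""
    hits = []
    for line in lines:
        m = SSH_ACCEPTED.search(line)
        if m and m.group(3) in attacker_ips:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

def suspicious_dns(lines, domains=SUSPICIOUS_DOMAINS):
    """(client, name) for queries of a suspicious domain or any subdomain of it."""
    hits = []
    for line in lines:
        m = DNS_QUERY.search(line)
        if not m:
            continue
        name = m.group(1).rstrip(".").lower()
        if any(name == d or name.endswith("." + d) for d in domains):
            hits.append((m.group(2), name))
    return hits

def suspicious_connections(lines, dests=SUSPICIOUS_DESTS):
    """(exe, dst_ip, dst_port) for outbound connections to a listed destination."""
    hits = []
    for line in lines:
        m = CONN_LINE.search(line)
        if m and (m.group(2), int(m.group(3))) in dests:
            hits.append((m.group(4), m.group(2), int(m.group(3))))
    return hits

def match_hashes(files, known=KNOWN_HASHES):
    """files: (path, size, sha256). Returns (local_path, path_in_report) for known hashes."""
    return [(path, known[h]) for path, _, h in files if h in known]

def same_size_clusters(files, min_distinct=3):
    """Sizes carrying at least min_distinct different hashes. The report lists nine
    4390176-byte /tmp files with nine different SHA256s, so size is a pivot
    even when no hash repeats."""
    by_size = defaultdict(set)
    for _, size, h in files:
        by_size[size].add(h)
    return {s: len(hs) for s, hs in by_size.items() if len(hs) >= min_distinct}

# Constructed sample input modelled on the attack flow (not captured from the incident).
SAMPLE_AUTH = [
    "Jun 22 10:41:03 host sshd[1201]: Accepted password for root from 94.242.228.174 port 51022 ssh2",
    "Jun 22 10:42:17 host sshd[1240]: Accepted publickey for deploy from 10.0.0.8 port 40112 ssh2",
    "Jun 22 10:43:00 host sshd[1251]: Failed password for root from 94.242.228.174 port 51030 ssh2",
]
SAMPLE_DNS = [
    "Jun 22 10:41:20 dnsmasq[700]: query[A] v69.16mb.com from 10.0.0.5",
    "Jun 22 10:41:25 dnsmasq[700]: query[A] www.speedtest.net from 10.0.0.5",
    "Jun 22 10:41:30 dnsmasq[700]: query[A] cdn.customcomputersva.com from 10.0.0.5",
]
SAMPLE_CONN = [
    "CONNECT src=10.0.0.5 dst=31.170.167.220:80 exe=/usr/bin/wget",
    "CONNECT src=10.0.0.5 dst=72.21.92.82:80 exe=/usr/bin/python2.7",
]
SAMPLE_FILES = [
    ("/root/viteza.py", 25233, "abee68840582cf5510821e6bcf863fb53315492a24220eb1db4dcc0f10a4575f"),
    ("/tmp/om2UDhJc", 4390176, "57a00d800debbc709a3c96ca2c04dad7011805bb983868c5e7dd8e1b4f2a2d64"),
    ("/tmp/cqjzSiU73By", 4390176, "e62105ab36579f0e55c397d63f757e6a4320e6c7713ccbdfff883e9f53ffdebf"),
    ("/tmp/unknownXYZ", 4390176, "0" * 64),   # same size, hash not in the report
    ("/etc/hosts", 221, "1" * 64),
]

if __name__ == "__main__":
    print(ssh_logins_from(SAMPLE_AUTH))
    print(suspicious_dns(SAMPLE_DNS))
    print(suspicious_connections(SAMPLE_CONN))
    print(match_hashes(SAMPLE_FILES))
    print(same_size_clusters(SAMPLE_FILES))
```

The hash match is the only hard verdict here; the size cluster is a pivot, not an alert on its own. A further 4390176-byte file under /tmp with an unknown hash is worth pulling for analysis precisely because the nine listed here all differ, so a hash-only feed would never flag the tenth.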
