IP Address: 103.174.114.217 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Connect-Back, Scanner
Services Targeted | SCP, SSH
Tags | Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution
Associated Attack Servers |
IP Address | 103.174.114.217
Domain | -
ISP | -
Country | -
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-03
Last seen in Akamai Guardicore Segmentation | 2022-04-29
What is Akamai Guardicore Segmentation?
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Event | Tags
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /tmp/ifconfig was downloaded and executed 5 times | Download and Execute
The file /tmp/apache2 was downloaded and executed 205 times | Download and Execute
Process /tmp/ifconfig scanned port 22 on 11 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 80 on 11 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 8080 on 11 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 22 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 22 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig started listening on ports: 1234, 8080 and 8183 | Listening
Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 106.174.246.179:22, 106.55.188.60:1234, 119.175.119.65:80, 119.175.119.65:8080, 120.136.134.153:1234, 122.175.36.19:80, 122.175.36.19:8080, 122.48.130.151:2222, 123.132.150.52:22, 125.241.124.199:80, 125.241.124.199:8080, 126.134.61.106:80, 126.134.61.106:8080, 132.226.241.121:1234, 145.35.210.179:80, 145.35.210.179:8080, 151.196.11.52:2222, 152.136.216.29:1234, 157.213.142.219:22, 158.163.90.170:22, 158.209.165.69:80, 158.209.165.69:8080, 162.190.252.68:80, 162.190.252.68:8080, 164.128.235.66:22, 171.202.22.31:80, 171.202.22.31:8080, 172.105.162.113:1234, 174.234.201.88:80, 174.234.201.88:8080, 18.44.154.241:80, 18.44.154.241:8080, 185.120.148.59:22, 191.156.29.89:2222, 20.250.188.223:80, 20.250.188.223:8080, 21.253.251.108:80, 21.253.251.108:8080, 219.240.89.71:22, 220.136.80.89:80, 220.136.80.89:8080, 222.51.20.107:80, 222.51.20.107:8080, 222.68.66.157:80, 222.68.66.157:8080, 223.149.53.205:2222, 23.62.94.175:2222, 240.176.151.54:80, 240.176.151.54:8080, 244.115.239.29:2222, 250.68.211.14:80, 250.68.211.14:8080, 251.221.181.167:80, 251.221.181.167:8080, 27.21.22.225:22, 3.184.208.151:80, 3.184.208.151:8080, 31.214.205.100:80, 31.214.205.100:8080, 34.44.191.95:2222, 39.175.68.100:1234, 4.128.225.126:80, 4.128.225.126:8080, 42.160.66.101:22, 50.100.35.202:22, 54.34.97.71:80, 54.34.97.71:8080, 63.159.79.225:80, 63.159.79.225:8080, 64.219.100.61:80, 64.219.100.61:8080, 70.20.60.168:80, 70.20.60.168:8080, 73.14.212.25:2222, 8.146.242.139:80, 8.146.242.139:8080, 8.169.143.107:80, 8.169.143.107:8080, 80.206.3.209:80, 80.206.3.209:8080, 82.155.14.62:80, 82.155.14.62:8080, 9.236.89.182:80, 9.236.89.182:8080, 97.130.76.19:80, 97.130.76.19:8080, 98.246.8.13:80 and 98.246.8.13:8080 | Outgoing Connection
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig attempted to access suspicious domains: dsnet and linodeusercontent.com | Access Suspicious Domain, Outgoing Connection
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
The file /usr/bin/free was downloaded and executed | Download and Execute
The file /tmp/php-fpm was downloaded and executed 23 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 4 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 20 times | Download and Execute
The file /tmp/php-fpm was downloaded and granted execution privileges | Download and Allow Execution
Connection was closed due to timeout