IP Address: 104.248.85.104Previously Malicious
IP Address: 104.248.85.104Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SSH |
Tags |
System File Modification Download Operation HTTP Outgoing Connection DNS Query SSH Brute Force Bulk Files Tampering Service Configuration Access Suspicious Domain Download and Execute Service Deletion Successful SSH Login 1 Shell Commands Service Creation SSH Download File Download and Allow Execution |
Associated Attack Servers |
54.37.79.0 91.189.88.142 91.189.91.39 104.21.6.184 104.21.54.231 172.67.143.32 172.67.155.44 |
IP Address |
104.248.85.104 |
|
Domain |
- |
|
ISP |
Digital Ocean |
|
Country |
Netherlands |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2021-08-04 |
Last seen in Akamai Guardicore Segmentation |
2021-12-14 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List (Part of a Brute Force Attempt) |
SSH Brute Force Successful SSH Login |
A possibly malicious Download Operation was detected 2 times |
Download Operation |
Process /bin/bash attempted to access suspicious domains: tigan.cf |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /bin/bash generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
/tmp/sh was downloaded |
Download File |
Process /usr/local/bin/dash attempted to access suspicious domains: tigan.cf |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/local/bin/dash generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
/tmp/x86.keen.onion.1337 was downloaded |
Download File |
Process /usr/bin/wget attempted to access suspicious domains: tigan.cf 2 times |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/bin/wget generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
/tmp/mips.keen.onion.1337 was downloaded |
Download File |
Process /usr/bin/wget attempted to access suspicious domains: tigan.cf |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/bin/wget generated outgoing network traffic to: 104.21.54.231:80 |
Outgoing Connection |
/tmp/mpsl.keen.onion.1337 was downloaded |
Download File |
Process /usr/local/bin/dash attempted to access suspicious domains: tigan.cf |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/local/bin/dash generated outgoing network traffic to: 104.21.54.231:80 |
Outgoing Connection |
The file /tmp/arm.keen.onion.1337 was downloaded and granted execution privileges |
|
Process /usr/bin/wget generated outgoing network traffic to: 104.21.54.231:80 |
Outgoing Connection |
The file /tmp/arm6.keen.onion.1337 was downloaded and granted execution privileges |
Download and Allow Execution |
Process /usr/bin/wget attempted to access suspicious domains: tigan.cf 3 times |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/bin/wget generated outgoing network traffic to: 104.21.54.231:80 |
Outgoing Connection |
The file /tmp/arm7.keen.onion.1337 was downloaded and granted execution privileges |
|
Process /usr/bin/wget generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
The file /tmp/ppc.keen.onion.1337 was downloaded and granted execution privileges |
|
Process /usr/local/bin/dash attempted to access suspicious domains: tigan.cf 2 times |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/local/bin/dash generated outgoing network traffic to: 104.21.54.231:80 |
Outgoing Connection |
The file /tmp/m68k.keen.onion.1337 was downloaded and granted execution privileges |
Download and Allow Execution |
Process /usr/local/bin/dash attempted to access suspicious domains: tigan.cf |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/local/bin/dash generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
/tmp/root.keen.onion.1337 was downloaded |
Download File |
The file /tmp/SSH was downloaded and executed 2 times |
Download and Execute |
Process /usr/bin/wget attempted to access suspicious domains: tigan.cf 2 times |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/bin/wget generated outgoing network traffic to: 172.67.143.32:80 2 times |
Outgoing Connection |
/tmp/rtk.keen.onion.1337 was downloaded |
Download File |
Process /usr/bin/wget attempted to access suspicious domains: tigan.cf |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/bin/wget generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
/tmp/sh4.keen.onion.1337 was downloaded |
Download File |
Process /usr/local/bin/dash generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
The file /tmp/zte.keen.onion.1337 was downloaded and granted execution privileges |
|
Process /usr/bin/wget generated outgoing network traffic to: 104.21.54.231:80 |
Outgoing Connection |
The file /tmp/sh4.keen.onion.1337.1 was downloaded and granted execution privileges |
|
/tmp/random was downloaded |
Download File |
Process /usr/bin/wget attempted to access suspicious domains: tigan.cf 2 times |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/bin/wget generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
/tmp/pass.fnl was downloaded |
Download File |
Process /usr/bin/wget attempted to access suspicious domains: tigan.cf 3 times |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/bin/wget generated outgoing network traffic to: 172.67.143.32:80 3 times |
Outgoing Connection |
/tmp/go was downloaded |
Download File |
Process /usr/local/bin/dash generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
Process /usr/local/bin/dash attempted to access suspicious domains: tigan.cf |
DNS Query Access Suspicious Domain Outgoing Connection |
/tmp/class was downloaded |
Download File |
Process /usr/bin/wget generated outgoing network traffic to: 104.21.54.231:80 |
Outgoing Connection |
/tmp/bios.txt was downloaded |
Download File |
Process /usr/local/bin/dash attempted to access suspicious domains: tigan.cf |
DNS Query Access Suspicious Domain Outgoing Connection |
Process /usr/local/bin/dash generated outgoing network traffic to: 172.67.143.32:80 |
Outgoing Connection |
/tmp/banner.log was downloaded |
Download File |
/tmp/banner was downloaded |
Download File |
Process /usr/bin/apt attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com |
DNS Query |
Process /usr/bin/apt generated outgoing network traffic to: 91.189.88.142:80 |
Outgoing Connection |
System file /etc/init.d/screen-cleanup.dpkg-new was modified 16 times |
System File Modification |
The file /etc/init.d/screen-cleanup was downloaded and granted execution privileges |
|
The file /usr/bin/screen.dpkg-new was downloaded and granted execution privileges |
Download and Allow Execution |
The file /usr/share/screen was downloaded and granted execution privileges |
|
The file /usr/share/screen/utf8encodings was downloaded and granted execution privileges |
|
The file /usr/share/doc/screen was downloaded and granted execution privileges |
|
The file /usr/share/doc/screen/examples was downloaded and granted execution privileges |
|
The file /usr/share/doc/screen/terminfo was downloaded and granted execution privileges |
|
Service S02screen-cleanup was created |
Service Creation |
Service screen-cleanup was created |
Service Creation |
Service screen-cleanup.dpkg-new was created |
Service Creation |
System file /etc/shells.tmp was modified 16 times |
System File Modification |
System file /etc/init.d/.depend.boot was modified 4 times |
System File Modification |
System file /etc/init.d/.depend.start was modified 4 times |
System File Modification |
System file /etc/init.d/.depend.stop was modified 4 times |
System File Modification |
The file /tmp/banner was downloaded and granted execution privileges |
|
The file /tmp/banner.log was downloaded and granted execution privileges |
|
The file /tmp/bios.txt was downloaded and granted execution privileges |
|
The file /tmp/class was downloaded and granted execution privileges |
|
The file /tmp/go was downloaded and granted execution privileges |
|
The file /tmp/haiduc was downloaded and granted execution privileges |
Download and Allow Execution |
The file /tmp/pass.fnl was downloaded and granted execution privileges |
|
The file /tmp/random was downloaded and granted execution privileges |
|
Connection was closed due to timeout |
|
Process /usr/bin/dpkg performed bulk changes in {/usr/share} on 40 files |
Bulk Files Tampering |