IP Address: 110.40.154.116 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Download File SSH Superuser Operation Successful SSH Login Download and Execute SCP Download and Allow Execution
Associated Attack Servers | ae2am1.shop aeza.network az1am5.shop mycingular.net 11.103.68.79 12.23.46.220 30.113.205.105 36.75.66.175 45.142.122.215 74.13.153.246 100.29.54.165 101.34.24.6 102.8.12.188 106.75.109.253 107.229.224.19 117.50.179.71 118.89.33.189 120.53.123.221 146.56.115.54 165.227.94.198 185.184.45.238 207.173.42.170 208.131.218.230
IP Address | 110.40.154.116
Domain | -
ISP | Beijing Yunlin Network Technology Co.,Ltd.
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-04
Last seen in Akamai Guardicore Segmentation | 2022-04-11
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 204 times |
Download and Execute |
Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 102.5.181.145:80, 102.7.217.78:80, 102.7.217.78:8080, 104.21.25.86:443, 105.225.204.42:1234, 107.222.36.42:80, 119.79.85.176:80, 119.79.85.176:8080, 123.180.150.170:1234, 126.230.5.90:80, 130.237.218.220:80, 130.237.218.220:8080, 142.250.191.228:443, 150.158.45.127:1234, 152.32.174.108:1234, 152.32.174.108:22, 158.74.244.242:80, 163.41.13.56:80, 165.197.42.73:80, 165.197.42.73:8080, 17.174.225.199:80, 176.17.249.196:80, 179.225.207.162:80, 182.93.208.176:80, 184.144.144.191:80, 184.144.144.191:8080, 200.108.241.79:80, 201.76.199.137:80, 212.78.166.140:1234, 216.127.229.83:80, 216.127.229.83:8080, 220.252.180.81:80, 220.252.180.81:8080, 223.251.147.207:80, 223.251.147.207:8080, 246.25.196.12:80, 248.31.101.129:80, 32.213.68.203:80, 35.202.208.100:80, 35.202.208.100:8080, 41.209.36.166:80, 41.209.36.166:8080, 51.75.146.174:443, 54.176.38.201:80, 54.176.38.201:8080, 56.119.72.140:80, 68.82.105.17:80, 71.15.106.235:80, 73.57.186.7:80, 8.8.8.8:443, 82.140.61.214:80, 82.211.38.163:80 and 99.49.180.114:80 |
Outgoing Connection |
Process /tmp/ifconfig started listening on ports: 1234, 8081 and 8185 |
Listening |
The file /tmp/php-fpm was downloaded and executed 23 times |
Download and Execute |
Process /tmp/php-fpm generated outgoing network traffic to: 152.32.174.108:22 |
Outgoing Connection |
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 80 on 11 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 8080 on 11 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig attempted to access suspicious domains: telkomsa.net
Access Suspicious Domain, Outgoing Connection
The file /usr/bin/free was downloaded and executed |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 36 times |
Download and Execute |
Connection was closed due to timeout |
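The timeline above is a recognisable post-exploitation pattern: a password login as root, files dropped into /tmp under the names of legitimate system binaries (ifconfig, apache2, php-fpm), one download landing on top of /usr/bin/free itself, then the dropped "ifconfig" fanning out to many hosts on ports 80 and 8080 and opening listeners on 1234, 8081 and 8185. The following script turns those observations into detection logic over event lines of the same shape. It is an added example written for this page, not Akamai Guardicore code and not a Guardicore export format; the event lines are constructed to mirror the ones above, and the binary names, baseline directories, listener baseline and fan-out threshold are assumptions to be tuned for a real sensor.

```python
"""Detection pass over honeypot event lines shaped like the timeline on this page.

Added example, not part of the original Akamai Guardicore page. Flags:
  * a file named like a system binary executed from outside the system bin dirs,
  * a file executed from a system bin dir after being downloaded (binary replaced),
  * a process listening on ports outside an assumed baseline,
  * a process contacting many distinct hosts on one port (scan fan-out).
"""
import re
from collections import defaultdict
from posixpath import basename, dirname

# Constructed sample events (shapes copied from the page; this is not a real export).
EVENTS = [
    "The file /tmp/ifconfig was downloaded and executed 5 times",
    "The file /tmp/apache2 was downloaded and executed 204 times",
    "Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, "
    "102.5.181.145:80, 102.7.217.78:80, 102.7.217.78:8080, 105.225.204.42:1234, "
    "119.79.85.176:80, 119.79.85.176:8080, 152.32.174.108:22",
    "Process /tmp/ifconfig started listening on ports: 1234, 8081 and 8185",
    "The file /tmp/php-fpm was downloaded and executed 23 times",
    "Process /tmp/php-fpm generated outgoing network traffic to: 152.32.174.108:22",
    "The file /usr/bin/free was downloaded and executed",
]

DOWNLOAD_RE = re.compile(r"^The file (\S+) was downloaded and executed")
OUTBOUND_RE = re.compile(r"^Process (\S+) generated outgoing network traffic to: (.+)$")
LISTEN_RE = re.compile(r"^Process (\S+) started listening on ports: (.+)$")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")

# Assumptions for illustration: names worth watching, where they normally live on a
# Debian-style host, an assumed listener baseline, and a fan-out threshold.
SYSTEM_BINARY_NAMES = {"ifconfig", "apache2", "php-fpm", "free"}
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}
BASELINE_LISTEN_PORTS = {22, 80, 443}
SCAN_FANOUT_THRESHOLD = 3  # distinct destination IPs on one port


def parse_ports(text):
    """Turn '1234, 8081 and 8185' into [1234, 8081, 8185]."""
    return [int(p) for p in re.findall(r"\d+", text)]


def analyse(events):
    """Return a list of finding tuples; the first element is the finding type."""
    findings = []
    # process path -> destination port -> set of destination IPs
    targets = defaultdict(lambda: defaultdict(set))

    for line in events:
        m = DOWNLOAD_RE.match(line)
        if m:
            path = m.group(1)
            if basename(path) in SYSTEM_BINARY_NAMES:
                if dirname(path) in SYSTEM_BIN_DIRS:
                    # A download that lands on the real binary path: the tool was replaced.
                    findings.append(("system_binary_replaced", path))
                else:
                    # Same name, wrong directory: masquerading as a system tool.
                    findings.append(("masquerading_binary", path))
            continue

        m = OUTBOUND_RE.match(line)
        if m:
            proc = m.group(1)
            for ip, port in ENDPOINT_RE.findall(m.group(2)):
                targets[proc][int(port)].add(ip)
            continue

        m = LISTEN_RE.match(line)
        if m:
            proc = m.group(1)
            odd = [p for p in parse_ports(m.group(2)) if p not in BASELINE_LISTEN_PORTS]
            if odd:
                findings.append(("unexpected_listener", proc, tuple(odd)))

    # Fan-out: one process, one destination port, many distinct hosts.
    for proc, by_port in targets.items():
        for port, ips in sorted(by_port.items()):
            if len(ips) >= SCAN_FANOUT_THRESHOLD:
                findings.append(("port_scan_fanout", proc, port, len(ips)))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

The fan-out rule is the one that matters most operationally: on the page the same process touched 32 and then 11 hosts on each of ports 80 and 8080, which no system `ifconfig` ever does, so the combination of "runs from /tmp", "named like a system tool" and "fans out on one port" is a much higher-confidence signal than any of the three alone.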
|