IP Address: 113.116.5.233 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution
Associated Attack Servers | 5.6.208.183, 35.89.101.91, 60.53.193.216, 60.216.64.190, 88.67.131.152, 103.152.118.20, 117.80.212.33, 117.243.29.36, 124.222.239.192, 150.12.240.66, 170.107.209.96, 186.33.213.175
IP Address | 113.116.5.233
Domain | -
ISP | China Telecom Guangdong
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-27
Last seen in Akamai Guardicore Segmentation | 2022-03-29
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
./ifconfig was downloaded | Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /root/ifconfig was downloaded and executed 5 times | Download and Execute
The file /root/apache2 was downloaded and executed 205 times | Download and Execute
Process /root/ifconfig started listening on ports: 1234, 8083 and 8188 | Listening
Process /root/ifconfig generated outgoing network traffic to numerous external IP addresses and ports | Outgoing Connection
Process /root/ifconfig scanned port 80 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 8080 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 2222 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 80 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 80 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig attempted to access suspicious domains: 14-tataidc.co.in, dsnet, kabel-deutschland.de, prod-infinitum.com.mx, spcsdns.net and t-2.net | Access Suspicious Domain, Outgoing Connection
Process /root/ifconfig scanned port 8080 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 2222 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 8080 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 2222 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
The file /root/php-fpm was downloaded and executed 33 times | Download and Execute
The file /root/php-fpm was downloaded and executed 24 times | Download and Execute
The file /root/php-fpm was downloaded and executed 6 times | Download and Execute
Connection was closed due to timeout
|