IP Address: 113.142.72.105 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP, SSH
Tags | SSH, Superuser Operation, Successful SSH Login, Download and Execute, Download and Allow Execution
Associated Attack Servers | 12.94.221.125, 13.124.116.69, 14.35.205.157, 14.214.101.12, 16.148.203.151, 16.171.87.208, 24.101.57.13, 28.3.105.27, 34.4.233.1, 34.27.56.63, 44.237.228.191, 45.33.34.250, 51.65.226.111, 59.110.218.152, 60.40.51.24, 70.71.211.92, 73.72.89.212, 80.101.148.39, 81.70.208.164, 82.149.112.170, 86.205.247.234, 93.79.172.105, 96.166.46.66, 101.34.24.6, 101.59.45.132, 106.52.197.187, 108.172.198.95, 117.50.179.5, 120.31.7.183
IP Address | 113.142.72.105
Domain | -
ISP | China Telecom SHAANXI
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2020-07-04
Last seen in Akamai Guardicore Segmentation | 2022-03-29
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /root/ifconfig was downloaded and executed 5 times | Download and Execute
The file /root/apache2 was downloaded and executed 202 times | Download and Execute
Process /root/apache2 scanned port 22 on 11 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 80 on 11 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 8080 on 11 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 22 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 22 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 generated outgoing network traffic to: 103.141.246.254:1234, 104.21.25.86:443, 111.33.167.146:22, 117.201.243.94:2222, 123.6.17.120:80, 123.6.17.120:8080, 130.71.222.71:80, 130.71.222.71:8080, 135.252.245.203:80, 135.252.245.203:8080, 136.250.17.122:80, 136.250.17.122:8080, 142.251.32.4:443, 149.71.3.222:80, 149.71.3.222:8080, 150.158.45.127:1234, 151.84.89.90:1234, 157.203.217.40:22, 158.131.194.29:22, 159.223.142.108:80, 159.223.142.108:8080, 17.142.123.222:80, 17.142.123.222:8080, 171.190.157.94:22, 189.188.72.175:80, 189.188.72.175:8080, 199.207.38.190:80, 199.207.38.190:8080, 212.137.13.51:80, 212.137.13.51:8080, 218.146.15.97:1234, 22.155.206.250:80, 22.155.206.250:8080, 220.104.199.98:22, 222.198.240.141:80, 222.198.240.141:8080, 240.61.74.165:80, 240.61.74.165:8080, 243.177.69.40:80, 243.177.69.40:8080, 245.63.208.12:80, 245.63.208.12:8080, 246.23.41.212:80, 246.23.41.212:8080, 246.41.96.10:80, 246.41.96.10:8080, 25.32.190.178:2222, 27.203.252.151:80, 27.203.252.151:8080, 31.221.250.70:22, 4.112.234.16:80, 4.112.234.16:8080, 40.61.76.55:80, 40.61.76.55:8080, 42.21.182.208:80, 42.21.182.208:8080, 42.231.29.38:1234, 46.58.37.86:2222, 48.165.28.7:80, 48.165.28.7:8080, 50.18.211.78:2222, 51.104.139.240:80, 51.104.139.240:8080, 51.75.146.174:443, 52.20.2.134:80, 52.20.2.134:8080, 54.92.33.253:22, 55.207.202.241:22, 58.229.125.66:1234, 60.19.179.98:80, 60.19.179.98:8080, 62.56.89.214:80, 62.56.89.214:8080, 72.192.156.191:80, 72.192.156.191:8080, 73.183.8.219:80, 73.183.8.219:8080, 74.160.98.102:2222, 81.229.248.67:80, 81.229.248.67:8080, 81.70.21.147:1234, 83.164.205.158:80, 83.164.205.158:8080, 84.235.95.37:22, 86.111.225.101:80, 86.111.225.101:8080, 90.52.48.183:80, 90.52.48.183:8080 and 91.25.119.43:22 | Outgoing Connection
Process /root/apache2 attempted to access suspicious domains: adsl | Access Suspicious Domain, Outgoing Connection
Process /root/apache2 started listening on ports: 1234, 8086 and 8182 | Listening
Process /root/apache2 scanned port 80 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 8080 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 80 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 8080 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
The file /usr/local/bin/dash was downloaded and executed 2 times | Download and Execute
The file /root/php-fpm was downloaded and executed 6 times | Download and Execute
The file /root/php-fpm was downloaded and executed 35 times | Download and Execute
The file /usr/bin/free was downloaded and executed | Download and Execute
The file /root/php-fpm was downloaded and executed 4 times | Download and Execute
The file /root/php-fpm was downloaded and executed 10 times | Download and Execute
Connection was closed due to timeout