IP Address: 115.236.75.242Previously Malicious
IP Address: 115.236.75.242Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP SSH |
Tags |
SSH SCP Superuser Operation Successful SSH Login Download and Execute Download File |
Associated Attack Servers |
eastcork.net qwest.net ukservers.com 69.85.232.33 71.223.82.83 91.198.244.214 95.154.21.210 118.41.204.72 120.224.34.31 123.132.238.210 142.44.160.173 147.182.233.56 178.159.1.86 196.68.227.87 206.189.25.255 209.216.177.158 218.23.236.23 218.146.15.97 |
IP Address |
115.236.75.242 |
|
Domain |
- |
|
ISP |
China Telecom Zhejiang |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2019-11-10 |
Last seen in Akamai Guardicore Segmentation |
2022-09-15 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 12 times |
Successful SSH Login |
./ifconfig was downloaded |
Download File |
/var/tmp/ifconfig was downloaded 2 times |
Download File |
A possibly malicious Superuser Operation was detected 4 times |
Superuser Operation |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
Process /root/ifconfig scanned port 1234 on 29 IP Addresses |
Port 1234 Scan |
Process /bin/bash scanned port 1234 on 29 IP Addresses |
Port 1234 Scan |
Process /etc/apache2 scanned port 1234 on 29 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 80 on 29 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 8080 on 29 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 1234 on 20 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /bin/bash scanned port 1234 on 29 IP Addresses 2 times |
Port 1234 Scan |
The file /root/apache2 was downloaded and executed 6 times |
Download and Execute |
Process /root/ifconfig generated outgoing network traffic to: 101.42.90.177:1234, 161.35.79.199:1234 and 80.147.162.151:1234 |
|
Process /root/ifconfig started listening on ports: 1234, 8088 and 8188 |
Listening |
System file /etc/apache2 was modified 4 times |
System File Modification |
The file /etc/ifconfig was downloaded and executed 5 times |
Download and Execute |
Process /etc/apache2 generated outgoing network traffic to: 1.220.98.197:1234, 100.218.231.132:80, 100.218.231.132:8080, 103.152.118.20:1234, 110.156.202.158:80, 110.156.202.158:8080, 111.53.11.130:1234, 118.219.217.134:80, 118.219.217.134:8080, 120.224.34.31:1234, 120.236.79.182:1234, 120.31.133.162:1234, 124.223.14.100:1234, 125.154.63.232:80, 132.188.211.106:80, 132.188.211.106:8080, 134.121.54.216:80, 134.121.54.216:8080, 137.30.228.68:80, 142.250.190.68:443, 148.215.94.242:80, 15.151.5.193:80, 15.151.5.193:8080, 155.200.239.213:80, 155.200.239.213:8080, 158.219.73.67:80, 171.141.178.168:80, 171.141.178.168:8080, 172.67.133.228:443, 173.18.35.41:1234, 175.163.181.155:80, 175.163.181.155:8080, 182.110.67.49:80, 182.110.67.49:8080, 184.233.195.133:80, 184.233.195.133:8080, 184.83.112.246:1234, 185.210.144.122:1234, 19.198.197.96:80, 19.198.197.96:8080, 190.12.120.30:1234, 190.138.240.233:1234, 194.193.120.146:80, 194.193.120.146:8080, 194.220.204.83:80, 194.220.204.83:8080, 202.61.203.229:1234, 204.33.112.192:80, 206.189.25.255:1234, 210.242.108.212:80, 210.242.108.212:8080, 211.53.58.74:80, 211.53.58.74:8080, 222.100.124.62:1234, 222.121.63.87:1234, 222.172.189.178:80, 223.171.91.160:1234, 248.20.12.233:80, 250.182.87.32:80, 250.182.87.32:8080, 28.145.128.201:80, 39.165.64.154:80, 39.165.64.154:8080, 39.205.51.13:80, 4.192.136.212:80, 4.192.136.212:8080, 43.242.247.139:1234, 46.13.164.29:1234, 51.75.146.174:443, 61.150.236.216:80, 61.150.236.216:8080, 72.178.173.218:80, 82.149.112.170:1234, 82.66.5.84:1234, 82.76.175.115:80, 84.204.148.99:1234, 85.105.82.39:1234, 86.133.233.66:1234 and 92.225.203.83:80 |
Outgoing Connection |
Process /etc/apache2 started listening on ports: 1234, 8086 and 8184 |
Listening |
The file /etc/apache2 was downloaded and executed 111 times |
Download and Execute |
Process /etc/apache2 scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 80 on 20 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /etc/apache2 scanned port 8080 on 20 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Connection was closed due to timeout |
|
/var/tmp/ifconfig |
SHA256: 376f8f665f43984bf5aa16524421600b638fc1a7b331e8ac78b60a387fcf8dbb |
2621440 bytes |
/var/tmp/ifconfig |
SHA256: 3b9707d2b3c510499a866fe655f57f05eba1eb55566b03979602e5b9d6616a05 |
655360 bytes |
/var/tmp/ifconfig |
SHA256: 63ce5e408bc30df5efb4e48cb2e893e84b58da0ea31d834ce11db915f0dfaba2 |
32768 bytes |
/var/tmp/ifconfig |
SHA256: 6ee5b0eadb32669e495a5d4157119d3a8248235f0b3e21084070fb6bb45ca89e |
950272 bytes |
/var/tmp/ifconfig |
SHA256: 8a80c7f19c03dc2a33a1f698b2bf2acf83fb6fd9f7c78a3a66541327a8bf62d4 |
425984 bytes |
/var/tmp/ifconfig |
SHA256: c04b32a7c24533bc14fdd18b6cff3756d284640b23569d19c8e268ece7666b43 |
1540096 bytes |