IP Address: 116.30.120.127 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers | 7.134.44.151 30.40.107.137 41.231.127.5 46.106.110.97 52.131.32.110 58.33.13.154 80.227.75.144 81.68.166.127 82.157.139.183 85.56.170.229 110.46.139.209 120.53.123.221 135.181.104.81 136.94.210.57 147.140.58.80 162.146.244.37 167.68.57.3 180.231.228.14 192.21.248.240 192.130.181.154 220.15.123.83 220.34.244.215
IP Address | 116.30.120.127
Domain | -
ISP | China Telecom Guangdong
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-14
Last seen in Akamai Guardicore Segmentation | 2022-04-16
Event timeline (tag | event):

Successful SSH Login | A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Download File | /dev/shm/ifconfig was downloaded
Successful SSH Login | A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Superuser Operation | A possibly malicious Superuser Operation was detected 2 times
Outgoing Connection | Process /dev/shm/apache2 generated outgoing network traffic to: 104.21.25.86:443, 105.203.205.85:80, 105.203.205.85:8080, 110.46.139.209:22, 111.223.35.84:80, 111.223.35.84:8080, 112.13.114.141:80, 112.13.114.141:8080, 119.213.220.137:80, 119.213.220.137:8080, 120.53.123.221:1234, 131.147.61.38:80, 131.147.61.38:8080, 134.9.9.127:80, 134.9.9.127:8080, 135.181.104.81:1234, 136.94.210.57:22, 138.204.240.56:80, 138.204.240.56:8080, 142.250.191.228:443, 147.140.58.80:22, 151.223.69.132:80, 151.223.69.132:8080, 154.161.107.151:80, 154.161.107.151:8080, 162.146.244.37:22, 166.121.175.135:80, 166.121.175.135:8080, 167.139.187.9:80, 167.139.187.9:8080, 167.68.57.3:2222, 172.67.133.228:443, 180.231.228.14:2222, 181.83.181.138:80, 181.83.181.138:8080, 182.208.52.40:80, 182.208.52.40:8080, 185.136.250.203:80, 185.136.250.203:8080, 192.130.181.154:2222, 192.21.248.240:2222, 194.186.1.74:80, 194.186.1.74:8080, 203.198.253.176:80, 203.198.253.176:8080, 207.68.38.58:80, 207.68.38.58:8080, 209.229.63.202:80, 209.229.63.202:8080, 211.60.138.130:80, 211.60.138.130:8080, 220.15.123.83:2222, 220.157.33.127:80, 220.157.33.127:8080, 220.34.244.215:22, 245.68.21.83:80, 245.68.21.83:8080, 25.196.121.30:80, 25.196.121.30:8080, 251.43.183.68:80, 251.43.183.68:8080, 29.124.89.164:80, 29.124.89.164:8080, 30.40.107.137:2222, 41.215.109.217:80, 41.215.109.217:8080, 41.231.127.5:1234, 46.106.110.97:2222, 52.131.32.110:1234, 58.33.13.154:1234, 60.243.120.160:80, 60.243.120.160:8080, 7.134.44.151:22, 70.161.4.56:80, 70.161.4.56:8080, 80.152.196.141:80, 80.152.196.141:8080, 80.156.206.176:80, 80.156.206.176:8080, 80.223.97.147:80, 80.223.97.147:8080, 80.227.75.144:22, 81.205.210.194:80, 81.205.210.194:8080, 81.68.166.127:1234, 82.157.139.183:1234, 84.195.103.181:80, 84.195.103.181:8080 and 85.56.170.229:22
Listening | Process /dev/shm/apache2 started listening on ports: 1234, 8085 and 8188
Port 80 Scan, Port 8080 Scan | Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses 2 times
Port 80 Scan, Port 8080 Scan | Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses 2 times
Access Suspicious Domain, Outgoing Connection | Process /dev/shm/apache2 attempted to access suspicious domains: bbtec.net
Connection was closed due to timeout
|