IP Address: 116.49.27.9 (Previously Malicious)
This IP address attempted an attack on a machine in our threat-sensor network.
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers: 3.88.102.208, 3.110.236.209, 9.159.100.186, 26.188.60.188, 39.193.52.130, 50.101.203.230, 51.160.84.220, 55.106.238.51, 62.197.87.40, 71.33.181.251, 93.170.92.174, 101.42.101.141, 101.42.108.123, 101.43.170.250, 138.21.75.125, 139.148.26.70, 147.33.149.214, 156.159.117.57, 167.205.109.145, 184.127.11.104, 203.152.84.158, 223.228.15.174, 247.151.62.148
IP Address: 116.49.27.9
Domain: -
ISP: Netvigator
Country: Hong Kong
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-20
Last seen in Akamai Guardicore Segmentation: 2022-04-21
What is Akamai Guardicore Segmentation? Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
Process /dev/shm/ifconfig generated outgoing network traffic to the following destinations (grouped by destination port):
  port 443: 1.1.1.1
  ports 80 and 8080 (32 hosts, the same count as the scan events below): 101.142.215.217, 101.45.20.168, 107.56.185.38, 115.126.253.111, 120.250.117.129, 139.189.151.6, 14.171.61.245, 150.97.122.184, 160.21.231.227, 167.32.72.82, 171.220.152.213, 176.146.161.151, 178.151.191.40, 178.178.210.184, 192.173.218.28, 20.75.207.172, 214.7.92.168, 222.128.180.14, 244.215.70.165, 32.141.139.243, 32.65.133.5, 37.236.114.154, 37.82.252.228, 41.223.1.76, 46.140.44.79, 69.166.119.102, 70.32.208.92, 73.111.21.70, 77.51.70.107, 85.200.197.62, 87.44.60.53, 88.51.100.50
  port 22 (8 hosts): 138.21.75.125, 184.127.11.104, 247.151.62.148, 3.88.102.208, 39.193.52.130, 55.106.238.51, 71.33.181.251, 9.159.100.186
  port 2222 (9 hosts): 147.33.149.214, 156.159.117.57, 167.205.109.145, 223.228.15.174, 26.188.60.188, 39.193.52.130, 50.101.203.230, 51.160.84.220, 62.197.87.40
  port 1234 (7 hosts): 101.42.101.141, 101.42.108.123, 101.43.170.250, 139.148.26.70, 203.152.84.158, 3.110.236.209, 54.38.188.38
Outgoing Connection |
Process /dev/shm/ifconfig started listening on ports: 1234, 8084 and 8183 |
Listening |
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig attempted to access suspicious domains: qwest.net and voo.be
Access Suspicious Domain, Outgoing Connection
Connection was closed due to timeout |
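The timeline above is a compact worm-style sequence: a password login as root, a payload dropped into /dev/shm under the name of a system binary, a burst of port 80/8080 probing against 32 hosts, listeners opened on 1234, 8084 and 8183, and low-volume connections on 22, 2222 and 1234 to the addresses listed as associated attack servers. The Python below is an added example, not code from the Akamai page or from any Guardicore product: it parses sensor event lines of this shape into IOCs and applies those behavioural rules. The sample events are copied from the page (the outgoing-connection line is trimmed to a subset of the destinations); the fan-out threshold, the scratch-directory list and the system-binary name list are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample: event text copied from the incident timeline above. The
# outgoing-connection line is trimmed to a representative subset of the
# destinations the page lists.
EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** "
    "- Authentication policy: Correct Password",
    "/dev/shm/ifconfig was downloaded",
    "A possibly malicious Superuser Operation was detected 2 times",
    "Process /dev/shm/ifconfig generated outgoing network traffic to: "
    "1.1.1.1:443, 101.142.215.217:80, 101.142.215.217:8080, 101.42.101.141:1234, "
    "101.45.20.168:80, 101.45.20.168:8080, 107.56.185.38:80, 107.56.185.38:8080, "
    "115.126.253.111:80, 115.126.253.111:8080, 120.250.117.129:80, "
    "120.250.117.129:8080, 138.21.75.125:22, 139.189.151.6:80, 139.189.151.6:8080, "
    "147.33.149.214:2222, 156.159.117.57:2222, 3.88.102.208:22, 39.193.52.130:22, "
    "39.193.52.130:2222, 54.38.188.38:1234 and 9.159.100.186:22",
    "Process /dev/shm/ifconfig started listening on ports: 1234, 8084 and 8183",
    "Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses",
    "Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses",
]

SOCKET_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
PROC_RE = re.compile(r"^Process (\S+) (.*)$")
DOWNLOAD_RE = re.compile(r"^(\S+) was downloaded")
SCAN_RE = re.compile(r"scanned port (\d+) on (\d+) IP Addresses")

# World-writable, usually tmpfs-backed directories: nothing legitimate should
# execute from them. The name list is an assumed, deliberately short allowlist
# of binaries that attackers like to impersonate.
SCRATCH_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
SYSTEM_BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
SYSTEM_BIN_NAMES = {"ifconfig", "ip", "ps", "ls", "netstat", "sshd", "crond"}


def extract_iocs(events):
    """Collect the root login, dropped files, per-process destinations,
    listening ports and sensor-reported scans from the event text."""
    iocs = {"root_login": False, "downloaded": set(),
            "destinations": defaultdict(set), "listeners": defaultdict(set),
            "scans": []}
    for line in events:
        if "logged in using SSH" in line and "credentials: root /" in line:
            iocs["root_login"] = True
            continue
        m = DOWNLOAD_RE.match(line)
        if m:
            iocs["downloaded"].add(m.group(1))
            continue
        m = PROC_RE.match(line)
        if not m:
            continue
        proc, rest = m.groups()
        if rest.startswith("generated outgoing network traffic"):
            for ip, port in SOCKET_RE.findall(rest):
                iocs["destinations"][proc].add((ip, int(port)))
        elif rest.startswith("started listening on ports:"):
            ports = re.findall(r"\d+", rest.split(":", 1)[1])
            iocs["listeners"][proc].update(int(p) for p in ports)
        else:
            sm = SCAN_RE.search(rest)
            if sm:
                iocs["scans"].append((proc, int(sm.group(1)), int(sm.group(2))))
    return iocs


def detect(events, fanout_threshold=5):
    """Apply behavioural rules and return a sorted list of finding strings.

    fanout_threshold (assumed value) is the number of distinct hosts reached
    on one port before the traffic is classed as scanning rather than as a
    peer/C2 link; the page's full line has 32 hosts on 80 and on 8080.
    """
    iocs = extract_iocs(events)
    findings = set()
    if iocs["root_login"]:
        findings.add("interactive root login over SSH with a password")
    for path in iocs["downloaded"]:
        name = path.rsplit("/", 1)[-1]
        if path.startswith(SCRATCH_DIRS):
            findings.add(f"payload dropped in scratch directory: {path}")
        if name in SYSTEM_BIN_NAMES and not path.startswith(SYSTEM_BIN_DIRS):
            findings.add(f"system-binary name masquerade: {path}")
    for proc, sockets in iocs["destinations"].items():
        hosts_by_port = defaultdict(set)
        for ip, port in sockets:
            hosts_by_port[port].add(ip)
        for port, hosts in hosts_by_port.items():
            if len(hosts) >= fanout_threshold:
                findings.add(f"{proc}: fan-out to {len(hosts)} hosts on port {port}")
            elif port not in (80, 443):   # low-volume, non-web port: a peer, not a scan
                findings.add(f"{proc}: peer/C2 candidate port {port} ({len(hosts)} hosts)")
    for proc, ports in iocs["listeners"].items():
        if proc in iocs["downloaded"]:   # the dropped file itself opened a backdoor
            findings.add(f"{proc}: downloaded binary listens on {sorted(ports)}")
    for proc, port, count in iocs["scans"]:
        findings.add(f"{proc}: sensor-reported scan of port {port} on {count} hosts")
    return sorted(findings)


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Run it directly to print the findings for the embedded events, or pass your own sensor lines to detect(). Two practitioner notes: the "suspicious domains" qwest.net and voo.be are ISP domains (Qwest/Lumen and VOO), so they are more plausibly reverse-DNS names of probed addresses than deliberate C2 contacts; the port 1234 and 2222 peers, which overlap with the associated attack servers above, are the stronger pivot for blocking and hunting. On the host side, the two controls that would have stopped this chain are mounting /dev/shm and /tmp noexec and setting PermitRootLogin prohibit-password (or no) in sshd_config.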
|