IP Address: 117.132.183.17Previously Malicious
IP Address: 117.132.183.17Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP SSH |
Tags |
SSH SCP Superuser Operation Download and Allow Execution Successful SSH Login Download and Execute Download File |
Associated Attack Servers |
26.31.56.68 34.76.71.135 54.137.240.38 64.44.212.79 70.149.125.120 75.33.78.22 124.223.14.100 125.161.27.96 134.35.83.17 152.242.43.89 158.83.109.41 181.199.26.237 183.32.58.188 209.216.177.158 212.192.40.253 252.218.33.48 |
IP Address |
117.132.183.17 |
|
Domain |
- |
|
ISP |
China Mobile Guangdong |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-09-02 |
Last seen in Akamai Guardicore Segmentation |
2022-09-06 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /bin/nc.openbsd scanned port 1234 on 19 IP Addresses |
Port 1234 Scan |
Process /bin/bash scanned port 1234 on 19 IP Addresses |
Port 1234 Scan |
Process /root/apache2 scanned port 1234 on 19 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /root/apache2 scanned port 80 on 19 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /root/apache2 scanned port 1234 on 58 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /bin/nc.openbsd scanned port 1234 on 19 IP Addresses |
Port 1234 Scan |
Process /tmp/apache2 scanned port 1234 on 19 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /tmp/apache2 scanned port 80 on 19 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /tmp/apache2 scanned port 1234 on 58 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /bin/nc.openbsd scanned port 1234 on 19 IP Addresses |
Port 1234 Scan |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 13 times |
Successful SSH Login |
/dev/shm/ifconfig was downloaded 3 times |
Download File |
A possibly malicious Superuser Operation was detected 6 times |
Superuser Operation |
./ifconfig was downloaded 3 times |
Download File |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 8 times |
Download and Execute |
Process /root/apache2 generated outgoing network traffic to: 101.42.90.177:1234, 101.70.8.49:80, 102.128.169.26:80, 103.152.118.20:1234, 104.21.25.86:443, 108.196.183.128:80, 109.74.228.66:80, 110.141.63.13:80, 120.236.79.182:1234, 124.115.231.214:1234, 136.166.145.143:80, 136.252.41.209:80, 141.152.139.17:80, 172.67.133.228:443, 172.70.142.73:80, 175.201.55.224:80, 178.43.218.183:80, 178.55.243.151:80, 180.47.1.219:80, 183.213.26.13:1234, 2.192.208.142:80, 20.193.240.122:80, 210.44.203.183:80, 220.243.148.80:1234, 223.130.129.149:80, 223.99.166.104:1234, 249.34.128.220:80, 37.74.154.121:80, 38.145.211.6:80, 4.27.172.51:80, 43.64.21.197:80, 47.175.1.13:80, 51.157.223.61:80, 58.229.125.66:1234, 61.84.162.66:1234, 62.209.177.170:80, 79.239.170.62:80, 82.2.115.160:80, 9.75.39.244:80, 94.153.165.43:1234 and 97.139.225.173:80 |
Outgoing Connection |
Process /root/apache2 started listening on ports: 1234, 8081 and 8183 |
Listening |
Process /root/apache2 scanned port 80 on 58 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /tmp/apache2 scanned port 80 on 58 IP Addresses |
Port 1234 Scan Port 80 Scan |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 114 times |
Download and Execute |
Process /tmp/apache2 generated outgoing network traffic to: 1.203.203.94:80, 100.38.192.199:80, 104.137.252.219:80, 111.50.65.27:80, 120.236.78.194:1234, 128.98.40.91:80, 13.161.102.226:80, 155.252.196.85:80, 156.108.29.162:80, 164.166.21.122:80, 17.94.206.94:80, 172.67.133.228:443, 176.107.94.187:80, 178.202.225.18:80, 189.20.147.54:80, 191.242.188.103:1234, 196.48.238.237:80, 202.61.203.229:1234, 211.169.70.127:80, 213.202.16.148:80, 22.222.187.185:80, 221.108.18.241:80, 222.134.240.91:1234, 29.62.38.58:80, 44.39.138.22:80, 51.159.19.47:1234, 52.47.132.242:80, 58.229.125.66:1234, 61.244.36.99:80, 63.168.232.73:80, 64.227.132.175:1234, 65.187.244.172:80, 66.17.158.89:80, 7.87.197.19:80, 75.241.26.148:80, 82.66.5.84:1234, 83.233.3.33:80 and 98.98.78.223:80 |
Outgoing Connection |
Process /tmp/apache2 started listening on ports: 1234, 8084 and 8182 |
Listening |
/tmp/ifconfig was downloaded |
Download File |
/var/tmp/ifconfig was downloaded 2 times |
Download File |
/root/ifconfig was downloaded |
Download File |
/etc/ifconfig was downloaded |
Download File |
Connection was closed due to timeout |
|
/var/tmp/ifconfig |
SHA256: 003fc3b1c6259d744b011cde32a47e8cb0b00708ebec1465839b9c14279bc70b |
262144 bytes |
/var/tmp/ifconfig |
SHA256: 1a44fca7624fff41bb0115d35ece06c6b145c23503b4e50eddc373c148b94a1d |
720896 bytes |
/var/tmp/ifconfig |
SHA256: 2aacc3f6c14a2bd120ce9f7cab7af1f4d3e207bea33d56f02a14f75613a7930c |
786432 bytes |
/var/tmp/ifconfig |
SHA256: 331f1ead3df8fed58ccf68da781f34b2f228a5c37f3bb245b836a4b49b1cf269 |
557056 bytes |
/var/tmp/ifconfig |
SHA256: 3b9707d2b3c510499a866fe655f57f05eba1eb55566b03979602e5b9d6616a05 |
655360 bytes |
/var/tmp/ifconfig |
SHA256: 550307921085269ac7b53b3492fbffd8dc7bb9deaee1b26d433b3ebb40282384 |
2195456 bytes |
/var/tmp/ifconfig |
SHA256: 63ce5e408bc30df5efb4e48cb2e893e84b58da0ea31d834ce11db915f0dfaba2 |
32768 bytes |
/root/ifconfig |
SHA256: 6ee5b0eadb32669e495a5d4157119d3a8248235f0b3e21084070fb6bb45ca89e |
950272 bytes |