IP Address: 119.45.17.204 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SSH
Tags: Successful SSH Login, SSH Download and Execute, Outgoing Connection, Access Suspicious Domain, New SSH Key
Associated Attack Servers: hybs-pro.net, ident.me, inet.co.th, ip-164-132-50.eu, 3.94.32.17, 3.223.51.129, 14.157.119.189, 23.46.238.225, 23.55.220.56, 34.117.59.81, 39.98.201.31, 39.105.122.233, 39.107.235.247, 39.108.215.9, 47.52.62.133, 47.75.42.164, 47.97.207.84, 47.98.152.150, 47.98.237.159, 47.100.34.181, 47.100.57.138, 49.12.234.183, 49.51.184.105, 49.233.17.49, 49.234.27.199, 49.234.62.76, 49.234.122.134, 49.235.119.78, 49.235.221.69, 66.171.248.178, 68.183.186.25, 101.132.226.44, 101.200.50.114, 101.226.197.196
IP Address: 119.45.17.204
Domain: -
ISP: CNISP-Union Technology (Beijing) Co.
Country: China
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2020-07-13
Last seen in Akamai Guardicore Segmentation: 2022-05-19
Successful SSH Login: A user logged in using SSH with the following credentials: root / ************** (authentication policy: Reached Max Attempts)
Download and Execute: The file /usr/bin/zqgdqq was downloaded and executed 40 times
Outgoing Connection: Process /usr/bin/zqgdqq generated outgoing network traffic to: 1.1.1.1:53, 101.226.197.196:38531, 103.232.84.51:35077, 103.27.42.23:58538, 103.47.242.21:41730, 104.18.115.97:80, 106.225.216.190:42998, 106.53.194.115:38739, 106.54.190.41:46064, 106.54.44.220:38298, 107.170.192.159:8000, 110.249.166.66:57924, 111.230.251.247:34911, 111.67.197.174:40416, 115.159.51.76:49041, 118.144.137.141:33601, 118.144.137.141:38847, 119.45.17.204:36446, 120.238.246.181:40425, 120.27.157.193:59544, 120.79.17.202:43583, 122.114.154.211:42122, 122.51.124.200:32807, 122.51.124.200:33490, 122.51.124.200:36219, 122.51.124.200:41169, 122.51.255.138:43956, 124.113.176.5:53534, 124.113.176.5:57782, 139.224.117.63:35199, 139.224.221.17:57422, 14.157.119.189:1458, 157.250.156.35:40567, 164.132.50.60:35731, 198.199.114.238:41709, 202.90.155.251:34363, 203.150.95.65:33297, 208.67.222.222:443, 218.29.54.177:51810, 218.95.107.17:34422, 23.55.220.56:80, 3.94.32.17:80, 34.117.59.81:80, 39.108.215.9:40315, 47.52.62.133:33598, 47.98.152.150:40809, 47.98.237.159:45657, 49.12.234.183:80, 49.235.119.78:34519, 49.235.221.69:41768 and 49.51.184.105:37449
Access Suspicious Domain, Outgoing Connection: Process /usr/bin/zqgdqq attempted to access suspicious domains: adsl, googleusercontent.com, hybs-pro.net, ident.me, inet.co.th and ip-164-132-50.eu
Connection was closed due to timeout
New SSH Key: An attempt to download /root/.ssh/authorized_keys was made 16 times
File: /usr/local/bin/qkglvy
SHA256: 5e9eed61745f9cab83471787ec9610b722c950ac5bc185fd152327eb068e7ed9
Size: 3180796 bytes