IP Address: 120.211.227.158Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner |
Services Targeted | SCP |
Tags | Port 8080 Scan, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Download and Execute, SCP, Outgoing Connection, Download and Allow Execution |
Associated Attack Servers | 1.130.12.215, 98.35.32.145, 108.63.140.251, 159.75.135.54, 208.109.37.82, 221.123.182.65, 222.165.136.99, 223.171.79.11, 223.171.91.191 |
IP Address | 120.211.227.158 |
Domain | - |
ISP | China Mobile Guangdong |
Country | China |
WHOIS Created Date | - |
WHOIS Updated Date | - |
Organization | - |
First seen in Akamai Guardicore Segmentation | 2021-06-12 |
Last seen in Akamai Guardicore Segmentation | 2022-10-26 |
Successful SSH Login | A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login | A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Superuser Operation | A possibly malicious Superuser Operation was detected 2 times |
Download and Execute | The file /tmp/ifconfig was downloaded and executed 6 times |
Download and Execute | The file /tmp/apache2 was downloaded and executed 147 times |
Outgoing Connection | Process /tmp/apache2 generated outgoing network traffic to: 1.130.12.215:2222, 100.140.74.227:2222, 104.21.25.86:443, 104.49.239.148:80, 104.49.239.148:8080, 108.63.140.251:22, 115.178.90.230:80, 115.178.90.230:8080, 116.109.250.98:80, 116.109.250.98:8080, 117.245.68.166:80, 117.245.68.166:8080, 120.85.227.242:80, 120.85.227.242:8080, 123.13.157.67:1234, 128.125.252.183:80, 128.125.252.183:8080, 133.24.206.39:80, 133.24.206.39:8080, 140.4.79.88:2222, 146.145.139.218:22, 150.34.109.37:80, 150.34.109.37:8080, 159.75.135.54:1234, 160.76.116.24:80, 160.76.116.24:8080, 167.134.123.33:80, 167.134.123.33:8080, 172.67.133.228:443, 176.109.31.151:80, 176.109.31.151:8080, 178.182.21.236:80, 178.182.21.236:8080, 179.178.62.123:2222, 180.171.89.193:80, 180.171.89.193:8080, 180.201.179.252:80, 180.201.179.252:8080, 197.170.89.126:22, 199.224.133.61:22, 199.7.68.106:80, 199.7.68.106:8080, 20.43.64.180:80, 20.43.64.180:8080, 208.109.37.82:1234, 219.78.168.164:80, 219.78.168.164:8080, 221.123.182.65:22, 222.165.136.99:1234, 223.165.20.43:80, 223.165.20.43:8080, 223.171.79.11:1234, 223.171.91.191:1234, 245.24.61.161:80, 245.24.61.161:8080, 248.36.9.203:2222, 253.41.209.53:2222, 28.249.218.211:22, 36.183.210.103:2222, 37.220.89.162:80, 37.220.89.162:8080, 48.14.101.45:2222, 50.81.153.29:80, 50.81.153.29:8080, 51.75.146.174:443, 55.91.108.49:80, 55.91.108.49:8080, 60.31.236.228:80, 60.31.236.228:8080, 66.124.197.115:80, 66.124.197.115:8080, 67.93.135.156:80, 67.93.135.156:8080, 75.88.38.23:80, 75.88.38.23:8080, 76.125.244.39:2222, 83.161.9.147:80, 83.161.9.147:8080, 84.39.192.146:80, 84.39.192.146:8080, 85.76.193.123:80, 85.76.193.123:8080, 94.164.214.221:80, 94.164.214.221:8080, 94.192.179.42:80, 94.192.179.42:8080, 97.238.57.184:22, 98.35.32.145:1234, 99.203.81.25:80 and 99.203.81.25:8080 |
Listening | Process /tmp/apache2 started listening on ports: 1234, 8086 and 8183 |
Port 80 Scan, Port 8080 Scan | Process /tmp/apache2 scanned port 80 on 32 IP Addresses 2 times |
Port 80 Scan, Port 8080 Scan | Process /tmp/apache2 scanned port 8080 on 32 IP Addresses 2 times |
Access Suspicious Domain, Outgoing Connection | Process /tmp/apache2 attempted to access suspicious domains: adsl, gvt.net.br and myvzw.com |
Download and Execute | The file /usr/local/bin/dash was downloaded and executed |
Download and Execute | The file /tmp/php-fpm was downloaded and executed 3 times |
Download and Execute | The file /tmp/php-fpm was downloaded and executed 4 times |
Download and Execute | The file /tmp/php-fpm was downloaded and executed 10 times |
Connection was closed due to timeout |
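The outgoing-connection list above is the most useful artifact on this page for a defender, but it is hard to read as a single line. The following Python is an added triage helper written for this page, not part of the Akamai Guardicore report or product: it parses that "generated outgoing network traffic to:" text into (ip, port) pairs, separates the paired 80/8080 web-scan probes from the 22/2222/1234/443 endpoints, flags destinations that fall in non-global address space (240.0.0.0/4 and similar, which no real host answers from and which point to randomized target generation), cross-references the Associated Attack Servers list, and matches the endpoints against flow-log lines. The report text and attack-server set embedded below are constructed excerpts of the lists on this page, and the flow-log lines are constructed sample input, not data from the report.

```python
"""Triage helper for the /tmp/apache2 outgoing-connection list.

Added example for this page; not code from the Akamai Guardicore report.
Input text and flow lines below are constructed excerpts / samples.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt of the report's outgoing-traffic line (not the full list).
REPORT_EXCERPT = (
    "Process /tmp/apache2 generated outgoing network traffic to: "
    "1.130.12.215:2222, 104.21.25.86:443, 104.49.239.148:80, 104.49.239.148:8080, "
    "108.63.140.251:22, 159.75.135.54:1234, 245.24.61.161:80, 245.24.61.161:8080, "
    "248.36.9.203:2222, 98.35.32.145:1234 and 99.203.81.25:80"
)

# Constructed excerpt of the report's "Associated Attack Servers" list.
ATTACK_SERVERS = {"1.130.12.215", "98.35.32.145", "108.63.140.251", "159.75.135.54"}

# Constructed flow-log lines in "src_ip dst_ip dst_port" form (sample data, not from the report).
SAMPLE_FLOWS = [
    "10.0.0.5 159.75.135.54 1234",
    "10.0.0.7 8.8.8.8 53",
    "10.0.0.9 1.130.12.215 2222",
]

ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_endpoints(text):
    """Return sorted, de-duplicated (ip, port) tuples found in the report text."""
    return sorted({(ip, int(port)) for ip, port in ENDPOINT_RE.findall(text)})


def group_by_port(endpoints):
    """Map destination port -> sorted list of IPs contacted on that port."""
    by_port = defaultdict(set)
    for ip, port in endpoints:
        by_port[port].add(ip)
    return {port: sorted(ips) for port, ips in by_port.items()}


def web_scan_targets(endpoints):
    """Hosts hit on both 80 and 8080: the paired-port probe pattern of the scanner."""
    by_port = group_by_port(endpoints)
    return sorted(set(by_port.get(80, [])) & set(by_port.get(8080, [])))


def bogon_targets(endpoints):
    """Destinations outside globally routable space (is_global is False for
    240.0.0.0/4, RFC 1918, loopback, etc.); these cannot be real victims and
    indicate the scanner picks targets at random."""
    return sorted({ip for ip, _ in endpoints if not ipaddress.ip_address(ip).is_global})


def endpoints_on_attack_servers(endpoints, servers=ATTACK_SERVERS):
    """Endpoints whose IP also appears in the Associated Attack Servers list."""
    return sorted((ip, port) for ip, port in endpoints if ip in servers)


def match_flows(flow_lines, endpoints):
    """Return (src, dst, port) for flow lines whose destination matches an endpoint."""
    iocs = set(endpoints)
    hits = []
    for line in flow_lines:
        src, dst, port = line.split()
        if (dst, int(port)) in iocs:
            hits.append((src, dst, int(port)))
    return hits


if __name__ == "__main__":
    eps = parse_endpoints(REPORT_EXCERPT)
    print("by port:", group_by_port(eps))
    print("80/8080 scan targets:", web_scan_targets(eps))
    print("non-global targets:", bogon_targets(eps))
    print("on attack servers:", endpoints_on_attack_servers(eps))
    print("flow hits:", match_flows(SAMPLE_FLOWS, eps))
```

Run against the full list from the page, the 80/8080 pairs separate cleanly from the handful of 22, 2222, 1234 and 443 endpoints, which are the ones worth blocking or hunting for in egress logs; the paired web probes are scan targets, not infrastructure, and several of them sit in reserved space.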
|