IP Address: 120.79.225.174Malicious
IP Address: 120.79.225.174Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SSH |
Tags |
Access Suspicious Domain Service Restart New SSH Key Scheduled Task Creation Listening Read Password Secrets SSH System File Modification Outgoing Connection Successful SSH Login Download and Execute Download and Allow Execution Executable File Modification |
Associated Attack Servers |
amazonaws.com contaboserver.net crossup.com.ua hwclouds-dns.com 8.219.174.17 13.251.154.125 39.101.162.199 39.109.116.46 43.155.163.36 43.155.183.210 45.159.209.15 47.98.246.179 47.99.105.173 47.117.174.85 47.120.32.253 81.71.101.5 103.9.134.247 103.219.60.213 106.74.25.113 113.69.158.152 114.116.38.171 114.116.121.205 118.107.43.171 120.25.199.122 121.4.78.46 121.36.225.69 123.60.171.201 130.193.55.111 139.155.3.20 182.86.188.5 185.233.36.161 207.244.245.45 218.108.40.11 |
IP Address |
120.79.225.174 |
|
Domain |
- |
|
ISP |
- |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2024-01-07 |
Last seen in Akamai Guardicore Segmentation |
2024-07-03 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /bin/bash generated outgoing network traffic to: 121.4.78.46:60142 |
Outgoing Connection |
System file /etc/crontab was modified 9 times |
System File Modification |
Executable file /usr/bin/wgbtx was modified |
Executable File Modification |
System file /etc/shadow was modified 225 times |
System File Modification |
The file /tmp/SuiRWdny8T was downloaded and executed 15 times |
Download and Execute |
Process /tmp/SuiRWdny8T started listening on ports: 60118 |
Listening |
System file /etc/ssh/sshd_config was modified 4 times |
System File Modification |
Process /tmp/SuiRWdny8T generated outgoing network traffic to: 103.219.60.213:60104, 106.74.25.113:60135, 113.69.158.152:60136, 114.116.121.205:60149, 114.116.38.171:60139, 118.107.43.171:60102, 120.25.199.122:60109, 120.79.225.174:60118, 121.36.225.69:60141, 121.4.78.46:60142, 123.60.171.201:60118, 13.251.154.125:60135, 130.193.55.111:60109, 139.155.3.20:60106, 182.86.188.5:60107, 185.233.36.161:60122, 207.244.245.45:60134, 218.108.40.11:60134, 39.101.162.199:60139, 39.109.116.46:60109, 43.155.163.36:60111, 43.155.183.210:60111, 45.159.209.15:60133, 47.117.174.85:60114, 47.120.32.253:60112, 47.98.246.179:60119, 47.99.105.173:60121, 8.219.174.17:60131 and 81.71.101.5:60131 |
Outgoing Connection |
The file /tmp/bash was downloaded and granted execution privileges |
|
Process /lib/systemd/systemd started listening on ports: 22 |
Listening |
Process /tmp/SuiRWdny8T attempted to access suspicious domains: crossup.com.ua and hwclouds-dns.com |
Outgoing Connection Access Suspicious Domain |
Connection was closed due to timeout |
|
An attempt to download /root/.ssh/authorized_keys was made |
New SSH Key |
/tmp/rFgPbxsuCh |
SHA256: 976e3772ffea7499f7c119e956a5a71806f8f054caf174978fa888b254dd22a0 |
1458464 bytes |