IP Address: 121.4.44.93 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
| Field | Value |
| --- | --- |
| Role | Attacker, Scanner |
| Services Targeted | SSH |
| Tags | Port 8080 Scan (3), Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, Access Suspicious Domain, Listening |
| Associated Attack Servers | 1.44.81.155, 49.233.60.34, 77.83.47.226, 94.23.211.110, 100.2.131.143, 101.153.251.182, 117.146.172.106, 124.221.119.17, 125.19.141.103, 125.250.60.163, 131.54.29.2, 140.36.241.152, 144.22.211.65, 155.134.75.102, 159.203.64.35, 167.82.33.106, 177.194.143.100, 182.112.248.160, 186.81.110.121, 186.168.20.239, 186.188.135.132, 212.78.166.140 |
| Field | Value |
| --- | --- |
| IP Address | 121.4.44.93 |
| Domain | - |
| ISP | Tencent cloud computing |
| Country | China |
| WHOIS Created Date | - |
| WHOIS Updated Date | - |
| Organization | - |
| First seen in Akamai Guardicore Segmentation | 2022-03-25 |
| Last seen in Akamai Guardicore Segmentation | 2022-03-29 |
What is Akamai Guardicore Segmentation

Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy-to-understand micro-segmentation controls. It generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
| Event | Tags |
| --- | --- |
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login |
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login |
| A possibly malicious Superuser Operation was detected 2 times | Superuser Operation |
| Process /dev/shm/ifconfig generated outgoing network traffic to a large number of external IP addresses and ports | Outgoing Connection |
| Process /dev/shm/ifconfig started listening on ports: 1234, 8083 and 8189 | Listening |
| Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses | Port 80 Scan, Port 8080 Scan |
| Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses | Port 80 Scan, Port 8080 Scan |
| Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses | Port 80 Scan, Port 8080 Scan |
| Process /dev/shm/ifconfig attempted to access suspicious domains: adsl, cable.net.co, ip-94-23-211.eu and virtua.com.br | Access Suspicious Domain, Outgoing Connection |
| Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses | Port 80 Scan, Port 8080 Scan |
| Connection was closed due to timeout | |
|