IP Address: 123.13.156.12 - Previously Malicious
This IP address attempted an attack on a machine in our threat sensor network.
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers | cloudfront.net, internetia.net.pl, timbrasil.com.br, 1.15.13.216, 3.91.21.110, 10.33.0.9, 13.33.144.219, 42.231.28.11, 42.231.30.127, 66.228.28.19, 77.88.134.167, 132.248.220.135, 148.67.197.79, 156.23.249.87, 179.121.233.2, 179.251.227.130, 187.6.3.3, 202.37.145.130, 202.61.203.229, 207.108.166.83, 214.67.221.181, 222.11.236.146
IP Address | 123.13.156.12
Domain | -
ISP | China Unicom Liaoning
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-07
Last seen in Akamai Guardicore Segmentation | 2022-04-11
What is Akamai Guardicore Segmentation? Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.15.13.216:1234, 100.127.103.126:80, 100.127.103.126:8080, 100.176.26.227:80, 100.176.26.227:8080, 101.220.190.20:80, 101.220.190.20:8080, 103.24.16.43:80, 103.24.16.43:8080, 104.21.25.86:443, 119.127.225.251:80, 119.127.225.251:8080, 121.98.85.49:80, 121.98.85.49:8080, 122.42.59.35:80, 122.42.59.35:8080, 124.202.75.213:80, 124.202.75.213:8080, 13.33.144.219:22, 132.248.220.135:2222, 142.251.32.4:443, 148.67.197.79:22, 15.215.122.51:80, 15.215.122.51:8080, 156.23.249.87:2222, 160.151.179.242:80, 160.151.179.242:8080, 172.67.133.228:443, 179.121.233.2:22, 179.251.227.130:22, 182.89.86.135:80, 182.89.86.135:8080, 187.6.3.3:1234, 198.144.238.102:80, 198.144.238.102:8080, 2.28.198.140:80, 2.28.198.140:8080, 202.37.145.130:2222, 202.61.203.229:1234, 207.108.166.83:2222, 214.67.221.181:2222, 222.11.236.146:2222, 244.176.227.159:80, 244.176.227.159:8080, 247.176.8.165:80, 247.176.8.165:8080, 251.199.173.171:80, 251.199.173.171:8080, 251.55.107.8:80, 251.55.107.8:8080, 26.202.24.243:80, 26.202.24.243:8080, 26.222.123.150:80, 26.222.123.150:8080, 3.91.21.110:1234, 33.233.250.109:80, 33.233.250.109:8080, 4.102.152.206:80, 4.102.152.206:8080, 4.83.135.72:80, 4.83.135.72:8080, 41.166.69.205:80, 41.166.69.205:8080, 42.231.28.11:1234, 42.231.30.127:1234, 5.88.204.239:80, 5.88.204.239:8080, 51.75.146.174:443, 54.178.18.231:80, 54.178.18.231:8080, 56.210.112.85:80, 56.210.112.85:8080, 64.245.130.228:80, 64.245.130.228:8080, 65.204.128.34:80, 65.204.128.34:8080, 66.228.28.19:1234, 75.68.128.145:80, 75.68.128.145:8080, 77.198.2.140:80, 77.198.2.140:8080, 77.88.134.167:22, 8.8.4.4:443, 8.8.8.8:443, 82.12.204.130:80, 82.12.204.130:8080, 82.42.199.118:80 and 82.42.199.118:8080 |
Outgoing Connection |
Process /dev/shm/ifconfig started listening on ports: 1234, 8080 and 8183 |
Listening |
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig attempted to access suspicious domains: adsl, brasiltelecom.net.br, goodsrv.de, healthsoft.co.nz, internetia.net.pl, mopera.net and timbrasil.com.br
Access Suspicious Domain, Outgoing Connection
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses
Port 80 Scan, Port 8080 Scan
Connection was closed due to timeout |
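The timeline above is the kind of event stream a detection engineer wants to triage automatically: a binary dropped into /dev/shm under the name of a system tool, a listener opened on non-standard ports, and a burst of outgoing connections in which several targets (244.176.227.159, 251.55.107.8, 100.127.103.126) sit in reserved 240.0.0.0/4 or shared 100.64.0.0/10 address space, which no Internet host answers from and which is consistent with generated rather than harvested scan targets. The following is an added example, not code from this page or from Akamai Guardicore. It parses event lines written in the same style as the timeline (the sample events are constructed and shortened, not the page's full list), and flags execution from tmpfs-style directories, names that impersonate system tools (the MASQUERADE_NAMES set is an assumption), unroutable destinations, and per-port fan-out above a threshold. The regexes and the finding labels are assumptions about this text format, not a documented Guardicore export format.

```python
"""Triage helpers for process/network event lines in the style of the incident timeline above."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample events modelled on the timeline (shortened; not the page's full list).
SAMPLE_EVENTS = [
    "/dev/shm/ifconfig was downloaded",
    "Process /dev/shm/ifconfig started listening on ports: 1234, 8080 and 8183",
    "Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 8.8.8.8:443, "
    "13.33.144.219:22, 132.248.220.135:2222, 42.231.28.11:1234, 100.127.103.126:80, "
    "100.127.103.126:8080, 5.88.204.239:80, 5.88.204.239:8080, 54.178.18.231:80, "
    "54.178.18.231:8080, 82.12.204.130:80, 82.12.204.130:8080, 244.176.227.159:80, "
    "244.176.227.159:8080, 251.55.107.8:80 and 251.55.107.8:8080",
    "Process /usr/bin/curl generated outgoing network traffic to: 104.21.25.86:443",
]

# Address space that never answers from the public Internet (RFC 1122/1918/3927/6598, 224/4, 240/4).
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]
# World-writable, memory-backed or scratch directories where droppers land (assumption).
SUSPICIOUS_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
# Legitimate tool names that malware commonly borrows to blend into `ps` output (assumption).
MASQUERADE_NAMES = {"ifconfig", "sshd", "kworker", "cron"}

TRAFFIC_RE = re.compile(r"^Process (\S+) generated outgoing network traffic to: (.+)$")
LISTEN_RE = re.compile(r"^Process (\S+) started listening on ports: (.+)$")
DOWNLOAD_RE = re.compile(r"^(\S+) was downloaded$")


def split_list(text):
    """Split the page's 'a, b, c and d' list style into ['a', 'b', 'c', 'd']."""
    return [t.strip() for t in re.split(r",\s*|\s+and\s+", text) if t.strip()]


def parse_endpoints(text):
    """Turn 'ip:port, ip:port and ip:port' into a list of (ip, port) tuples."""
    out = []
    for item in split_list(text):
        host, _, port = item.rpartition(":")
        out.append((host, int(port)))
    return out


def is_bogon(ip):
    """True if the address lies in reserved, private, multicast or shared space."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in BOGON_NETS)


def scan_fanout(endpoints, min_hosts=16):
    """Map port -> number of distinct destination hosts, keeping ports at or above the threshold."""
    hosts_by_port = defaultdict(set)
    for ip, port in endpoints:
        hosts_by_port[port].add(ip)
    return {p: len(h) for p, h in hosts_by_port.items() if len(h) >= min_hosts}


def triage(events, min_hosts=16):
    """Return a list of (finding, ...) tuples for the event lines, in event order."""
    findings = []
    for ev in events:
        m = DOWNLOAD_RE.match(ev)
        if m:
            path = m.group(1)
            if path.startswith(SUSPICIOUS_DIRS):
                findings.append(("dropped_in_tmpfs", path))
            if path.rsplit("/", 1)[-1] in MASQUERADE_NAMES:
                findings.append(("masquerading_name", path))
            continue
        m = LISTEN_RE.match(ev)
        if m:
            proc, ports = m.group(1), tuple(int(p) for p in split_list(m.group(2)))
            if proc.startswith(SUSPICIOUS_DIRS):
                findings.append(("tmpfs_listener", proc, ports))
            continue
        m = TRAFFIC_RE.match(ev)
        if m:
            proc, eps = m.group(1), parse_endpoints(m.group(2))
            bogons = tuple(sorted({ip for ip, _ in eps if is_bogon(ip)}))
            if bogons:
                findings.append(("unroutable_targets", proc, bogons))
            for port, n in sorted(scan_fanout(eps, min_hosts).items()):
                findings.append(("port_scan", proc, port, n))
    return findings


if __name__ == "__main__":
    # The sample is short, so lower the fan-out threshold; 16 or more suits real 32-host bursts.
    for finding in triage(SAMPLE_EVENTS, min_hosts=5):
        print(finding)
```

The 443 connections to 1.1.1.1 and 8.8.8.8 stay below the fan-out threshold and are not flagged, which is the desired behaviour: on their own they look like reachability checks, and the signal here is the tmpfs path, the impersonated name and the unroutable scan targets.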
|