IP Address: 124.221.155.117Previously Malicious
IP Address: 124.221.155.117Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
|
Role |
Attacker, Scanner |
|
Services Targeted |
SCP SSH |
|
Tags |
SSH Superuser Operation Successful SSH Login Download and Execute Download and Allow Execution |
|
Associated Attack Servers |
18.1.102.146 36.77.94.79 52.44.157.83 52.236.133.183 66.150.26.234 73.73.141.219 77.51.108.47 81.68.166.127 81.70.147.119 82.157.131.41 84.193.29.122 101.33.203.161 112.132.27.108 122.212.94.173 129.152.6.35 131.90.5.76 131.134.73.131 143.70.252.252 144.232.108.193 160.112.44.134 197.137.109.227 217.48.225.129 |
|
IP Address |
124.221.155.117 |
|
|
Domain |
- |
|
|
ISP |
Development & Research Center of State Council Net |
|
|
Country |
China |
|
|
WHOIS |
Created Date |
- |
|
Updated Date |
- |
|
|
Organization |
- |
|
|
First seen in Akamai Guardicore Segmentation |
2022-04-16 |
|
Last seen in Akamai Guardicore Segmentation |
2022-04-20 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
|
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
|
The file /root/ifconfig was downloaded and executed 6 times |
Download and Execute |
|
The file /root/apache2 was downloaded and executed 201 times |
Download and Execute |
|
Process /root/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.42.101.141:1234, 104.252.120.204:80, 104.252.120.204:8080, 107.125.84.229:80, 107.125.84.229:8080, 107.40.34.193:80, 107.40.34.193:8080, 119.91.157.192:1234, 133.24.3.115:2222, 139.95.226.103:80, 139.95.226.103:8080, 145.20.150.117:80, 145.20.150.117:8080, 148.73.61.55:22, 149.23.123.203:22, 151.43.95.87:80, 151.43.95.87:8080, 160.26.59.111:2222, 163.50.159.251:80, 163.50.159.251:8080, 170.177.45.14:80, 170.177.45.14:8080, 173.216.4.238:80, 173.216.4.238:8080, 174.75.19.236:2222, 182.217.32.176:80, 182.217.32.176:8080, 183.148.121.127:2222, 184.16.180.251:80, 184.16.180.251:8080, 189.155.39.16:80, 189.155.39.16:8080, 19.9.222.225:22, 193.24.188.169:22, 195.20.195.246:80, 195.20.195.246:8080, 196.104.28.143:80, 196.104.28.143:8080, 197.177.61.130:2222, 200.107.1.32:2222, 206.64.233.10:80, 206.64.233.10:8080, 207.97.68.247:22, 21.230.165.159:80, 21.230.165.159:8080, 21.8.111.70:80, 21.8.111.70:8080, 214.67.170.231:2222, 240.102.34.122:80, 240.102.34.122:8080, 241.106.134.41:80, 241.106.134.41:8080, 247.24.105.239:80, 247.24.105.239:8080, 249.106.144.75:22, 252.50.53.166:80, 252.50.53.166:8080, 253.169.7.226:80, 253.169.7.226:8080, 27.186.175.96:80, 27.186.175.96:8080, 32.204.85.204:80, 32.204.85.204:8080, 38.18.223.26:80, 38.18.223.26:8080, 40.234.145.114:80, 40.234.145.114:8080, 42.193.193.33:1234, 45.120.216.114:1234, 48.139.32.67:80, 48.139.32.67:8080, 5.94.57.25:80, 5.94.57.25:8080, 57.200.137.193:80, 57.200.137.193:8080, 58.33.13.154:1234, 58.40.180.4:80, 58.40.180.4:8080, 62.12.106.5:1234, 66.29.230.87:80, 66.29.230.87:8080, 76.164.122.219:2222, 78.236.135.134:80, 78.236.135.134:8080, 82.157.142.44:1234, 83.215.22.67:22, 91.132.105.49:22 and 91.161.86.120:2222 |
Outgoing Connection |
|
Process /root/apache2 started listening on ports: 1234, 8080 and 8184 |
Listening |
|
Process /root/apache2 scanned port 80 on 32 IP Addresses 2 times |
Port 80 Scan Port 8080 Scan |
|
Process /root/apache2 scanned port 8080 on 32 IP Addresses 2 times |
Port 80 Scan Port 8080 Scan |
|
Process /root/apache2 attempted to access suspicious domains: cnt-grms.ec, consolidated.net, proxad.net and salzburg-online.at |
Access Suspicious Domain Outgoing Connection |
|
The file /root/php-fpm was downloaded and executed 34 times |
Download and Execute |
|
The file /root/php-fpm was downloaded and executed 18 times |
Download and Execute |
|
Connection was closed due to timeout |
|
© 2023 Akamai Technologies