IP Address: 124.221.181.83Previously Malicious
IP Address: 124.221.181.83Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
|
Role |
Attacker, Connect-Back, Scanner |
|
Services Targeted |
SCP SSH |
|
Tags |
SSH SCP Superuser Operation Download File Download and Allow Execution Successful SSH Login Download and Execute |
|
Associated Attack Servers |
45.238.133.132 46.229.134.81 51.68.229.212 71.169.184.43 95.154.21.210 103.152.118.20 117.80.212.33 120.224.34.31 124.223.14.100 125.161.27.96 161.35.79.199 166.193.42.21 172.64.110.32 172.64.111.32 172.64.200.11 172.64.201.11 191.96.34.2 191.96.34.6 206.189.25.255 209.216.177.238 222.117.95.174 |
|
IP Address |
124.221.181.83 |
|
|
Domain |
- |
|
|
ISP |
Development & Research Center of State Council Net |
|
|
Country |
China |
|
|
WHOIS |
Created Date |
- |
|
Updated Date |
- |
|
|
Organization |
- |
|
|
First seen in Akamai Guardicore Segmentation |
2022-07-12 |
|
Last seen in Akamai Guardicore Segmentation |
2022-10-31 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times |
Successful SSH Login |
|
Process /tmp/ifconfig scanned port 1234 on 33 IP Addresses |
Port 1234 Scan Port 80 Scan |
|
Process /tmp/ifconfig scanned port 1234 on 20 IP Addresses |
Port 1234 Scan Port 80 Scan |
|
Process /tmp/ifconfig scanned port 80 on 33 IP Addresses |
Port 1234 Scan Port 80 Scan |
|
Process /bin/bash scanned port 1234 on 33 IP Addresses |
Port 1234 Scan |
|
Process /bin/nc.openbsd scanned port 1234 on 33 IP Addresses |
Port 1234 Scan |
|
Process /var/tmp/ifconfig scanned port 1234 on 33 IP Addresses |
Port 1234 Scan |
|
Process /root/ifconfig scanned port 1234 on 33 IP Addresses |
Port 1234 Scan |
|
A possibly malicious Superuser Operation was detected 8 times |
Superuser Operation |
|
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
|
The file /tmp/apache2 was downloaded and executed 314 times |
Download and Execute |
|
Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.220.98.197:1234, 103.105.12.48:1234, 103.152.118.20:1234, 104.213.189.246:80, 118.41.204.72:1234, 120.236.78.194:1234, 123.132.238.210:1234, 126.65.16.166:80, 142.250.191.228:443, 147.182.233.56:1234, 159.99.217.88:80, 161.107.113.34:1234, 172.64.201.11:443, 173.162.229.236:80, 173.18.35.41:1234, 182.224.177.56:1234, 183.223.71.133:80, 19.143.88.82:80, 198.113.99.190:80, 198.66.73.66:80, 202.61.203.229:1234, 209.216.177.238:1234, 211.162.184.120:1234, 212.57.36.20:1234, 218.146.15.97:1234, 220.243.148.80:1234, 222.134.240.92:1234, 222.165.136.99:1234, 223.171.91.127:1234, 23.230.148.196:80, 244.93.40.150:80, 29.57.57.239:80, 31.19.237.170:1234, 32.7.74.137:80, 36.112.249.169:80, 36.62.152.10:80, 39.175.68.100:1234, 43.242.247.139:1234, 45.120.216.114:1234, 51.75.146.174:443, 59.3.186.45:1234, 64.227.132.175:1234, 67.93.61.41:80, 76.7.170.95:80, 8.8.8.8:443, 80.147.162.151:1234, 82.66.5.84:1234, 84.204.148.99:1234, 85.105.82.39:1234, 86.197.190.76:80, 94.153.165.43:1234, 95.154.21.210:1234, 95.154.21.210:2222, 97.104.188.242:80, 97.105.156.72:80 and 98.64.115.39:80 |
Outgoing Connection |
|
Process /tmp/ifconfig started listening on ports: 1234, 8082 and 8182 |
Listening |
|
Process /tmp/ifconfig attempted to access suspicious domains: sefiber.dk |
Access Suspicious Domain Outgoing Connection |
|
The file /var/tmp/ifconfig was downloaded and executed 6 times |
Download and Execute |
|
The file /var/tmp/apache2 was downloaded and executed 16 times |
Download and Execute |
|
Process /var/tmp/ifconfig generated outgoing network traffic to: 172.64.201.11:443 |
Outgoing Connection |
|
./ifconfig was downloaded |
Download File |
|
The file /root/ifconfig was downloaded and executed 10 times |
Download and Execute |
|
Process /tmp/ifconfig scanned port 80 on 20 IP Addresses |
Port 1234 Scan Port 80 Scan |
|
The file /root/apache2 was downloaded and executed 59 times |
Download and Execute |
|
Connection was closed due to user inactivity |
|
|
/var/tmp/ifconfig |
SHA256: 1b40245f21f1cb845b7fdf2428315166a8b1d8d5e1e42cd290cd8e479ed61ad7 |
2129920 bytes |
|
/var/tmp/ifconfig |
SHA256: 2aacc3f6c14a2bd120ce9f7cab7af1f4d3e207bea33d56f02a14f75613a7930c |
786432 bytes |
|
/var/tmp/ifconfig |
SHA256: 3b9707d2b3c510499a866fe655f57f05eba1eb55566b03979602e5b9d6616a05 |
655360 bytes |
|
/var/tmp/ifconfig |
SHA256: 63ce5e408bc30df5efb4e48cb2e893e84b58da0ea31d834ce11db915f0dfaba2 |
32768 bytes |
|
/var/tmp/ifconfig |
SHA256: 861921d16b4f8870dda3d79aecaa828b713b8e41b29ec977aca10c236356144e |
1507328 bytes |
|
/var/tmp/ifconfig |
SHA256: 8e7cf70465391f66bc440eba9c30c73995725eaa95fe9f8ba9da6ecbe060c085 |
2424832 bytes |
|
/var/tmp/ifconfig |
SHA256: 915f410de5799b81704f3695d8aa38d5da78b01b60cea17d3e0c3f162f9b0e9b |
1802240 bytes |
|
/root/ifconfig |
SHA256: 9f26c9e5240ac92baa25aadfd4f23dcb35723982204e00da5cbfb5cb88bf56af |
1867776 bytes |
© 2023 Akamai Technologies