IP Address: 124.221.183.139 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: System File Modification, Port 1234 Scan, SSH, Listening, 9 Shell Commands, SCP, Port 80 Scan, Port 8080 Scan, Superuser Operation, Outgoing Connection, Successful SSH Login, Download and Execute, Download File
Associated Attack Servers: 15.188.46.29, 45.39.141.168, 59.3.186.45, 91.121.9.121, 95.154.21.210, 103.90.177.102, 117.80.212.33, 118.41.204.72, 118.218.209.149, 120.224.34.31, 125.160.115.47, 147.182.233.56, 152.242.43.89, 172.64.110.32, 172.64.111.32, 172.64.200.11, 172.64.201.11, 191.242.188.103, 202.82.11.20, 206.189.25.255, 209.216.177.158, 209.216.177.238, 213.188.218.123, 218.146.15.97, 222.103.98.58, 222.165.136.99
IP Address: 124.221.183.139
Domain: -
ISP: -
Country: China

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2022-07-10
Last seen in Akamai Guardicore Segmentation: 2022-10-25
What is Akamai Guardicore Segmentation?
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
[Port 1234 Scan] Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses
[Port 1234 Scan, Port 80 Scan, Port 8080 Scan] Process /etc/ifconfig scanned port 1234 on 26 IP Addresses
[Port 1234 Scan, Port 80 Scan, Port 8080 Scan] Process /etc/ifconfig scanned port 80 on 26 IP Addresses
[Port 1234 Scan, Port 80 Scan, Port 8080 Scan] Process /etc/ifconfig scanned port 8080 on 26 IP Addresses
[Port 1234 Scan, Port 80 Scan, Port 8080 Scan] Process /etc/ifconfig scanned port 1234 on 32 IP Addresses
[Port 1234 Scan, Port 80 Scan, Port 8080 Scan] Process /etc/ifconfig scanned port 1234 on 30 IP Addresses
[Port 1234 Scan] Process /bin/bash scanned port 1234 on 26 IP Addresses
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 11 times
[Download File] /dev/shm/ifconfig was downloaded
[Download File] /tmp/ifconfig was downloaded
[Download File] ./ifconfig was downloaded
The file /var/tmp/ifconfig was downloaded and granted execution privileges
[Download File] /root/ifconfig was downloaded
[System File Modification] System file /etc/ifconfig was modified 9 times
[Superuser Operation] A possibly malicious Superuser Operation was detected 2 times
[Download and Execute] The file /etc/ifconfig was downloaded and executed 6 times
[System File Modification] System file /etc/apache2 was modified 4 times
[Download and Execute] The file /etc/apache2 was downloaded and executed 56 times
[Outgoing Connection] Process /etc/ifconfig generated outgoing network traffic to: 1.22.2.48:80, 1.22.2.48:8080, 103.105.12.48:1234, 103.152.118.20:1234, 103.201.14.26:80, 103.201.14.26:8080, 104.21.25.86:443, 106.39.64.147:80, 106.39.64.147:8080, 11.135.114.252:80, 11.135.114.252:8080, 11.7.2.194:80, 11.7.2.194:8080, 116.244.26.44:80, 116.244.26.44:8080, 117.16.44.111:1234, 117.80.212.33:1234, 139.209.222.134:1234, 139.31.72.102:80, 139.31.72.102:8080, 150.107.95.20:1234, 161.107.113.34:1234, 172.5.226.37:80, 172.5.226.37:8080, 172.67.133.228:443, 173.18.35.41:1234, 174.147.6.154:80, 174.147.6.154:8080, 182.224.177.56:1234, 183.213.26.13:1234, 184.83.112.246:1234, 185.109.49.178:80, 185.109.49.178:8080, 185.210.144.122:1234, 187.22.63.240:80, 187.22.63.240:8080, 190.60.239.44:1234, 192.7.78.92:80, 192.7.78.92:8080, 193.193.105.104:80, 193.193.105.104:8080, 194.119.140.94:80, 194.119.140.94:8080, 206.189.25.255:1234, 208.163.126.152:80, 208.163.126.152:8080, 209.216.177.158:1234, 210.99.20.194:1234, 215.204.154.70:80, 215.204.154.70:8080, 215.230.124.48:80, 215.230.124.48:8080, 218.124.104.197:80, 218.124.104.197:8080, 220.90.67.235:80, 220.90.67.235:8080, 222.100.124.62:1234, 222.165.136.99:1234, 223.155.231.11:80, 223.155.231.11:8080, 223.171.91.160:1234, 250.11.14.130:80, 250.11.14.130:8080, 38.143.241.213:80, 38.143.241.213:8080, 39.40.183.2:80, 39.40.183.2:8080, 46.183.151.178:80, 46.183.151.178:8080, 47.135.151.121:80, 49.233.159.222:1234, 61.77.105.219:1234, 64.227.132.175:1234, 67.111.81.172:80, 67.111.81.172:8080, 77.57.65.155:80, 77.57.65.155:8080, 82.66.5.84:1234, 82.85.83.81:80, 82.85.83.81:8080, 84.162.167.54:80, 84.162.167.54:8080, 9.206.210.120:80, 93.132.20.164:80, 93.132.20.164:8080, 94.153.165.43:1234, 97.120.82.4:80 and 97.120.82.4:8080
[Listening] Process /etc/ifconfig started listening on ports: 1234, 8083 and 8185
[Port 1234 Scan, Port 80 Scan, Port 8080 Scan] Process /etc/ifconfig scanned port 80 on 32 IP Addresses
[Port 1234 Scan, Port 80 Scan, Port 8080 Scan] Process /etc/ifconfig scanned port 8080 on 32 IP Addresses
[Port 1234 Scan, Port 80 Scan, Port 8080 Scan] Process /etc/ifconfig scanned port 80 on 30 IP Addresses
[Port 1234 Scan, Port 80 Scan, Port 8080 Scan] Process /etc/ifconfig scanned port 8080 on 30 IP Addresses
Connection was closed due to timeout

/var/tmp/ifconfig - SHA256: 003fc3b1c6259d744b011cde32a47e8cb0b00708ebec1465839b9c14279bc70b - 262144 bytes
/var/tmp/ifconfig - SHA256: 1a44fca7624fff41bb0115d35ece06c6b145c23503b4e50eddc373c148b94a1d - 720896 bytes
/var/tmp/ifconfig - SHA256: 2fd96aa6470f930f543ef665fcc62ffa4dfe6646b8f506c11b452a191800285b - 2392064 bytes
/var/tmp/ifconfig - SHA256: 6ee5b0eadb32669e495a5d4157119d3a8248235f0b3e21084070fb6bb45ca89e - 950272 bytes
/var/tmp/ifconfig - SHA256: 861921d16b4f8870dda3d79aecaa828b713b8e41b29ec977aca10c236356144e - 1507328 bytes
/var/tmp/ifconfig - SHA256: 8a53c1d12942d21d2876a4b8d1eeed8a33a4a9d9f6d1ff3474980278e76a7cc9 - 1310720 bytes
/var/tmp/ifconfig - SHA256: b33bbdefc7d571e92a857b05db1fe718d964b55ec882786d8134442e3bb18f96 - 622592 bytes
/root/ifconfig - SHA256: b3b7551f344bdc4021e89ae74961531531a7dedf23e7b2d0364e21d052271ae2 - 1114112 bytes