IP Address: 124.221.203.24Previously Malicious
IP Address: 124.221.203.24Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP SSH |
Tags |
Successful SSH Login Port 8080 Scan 7 Shell Commands Listening SSH SCP Outgoing Connection Download and Execute Superuser Operation Port 80 Scan Download File Port 1234 Scan |
Associated Attack Servers |
IP Address |
124.221.203.24 |
|
Domain |
- |
|
ISP |
Development & Research Center of State Council Net |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-07-23 |
Last seen in Akamai Guardicore Segmentation |
2022-08-14 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /bin/nc.openbsd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /tmp/apache2 scanned port 1234 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 80 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 8080 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 1234 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /bin/bash scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 4 times |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 158 times |
Download and Execute |
Process /tmp/apache2 generated outgoing network traffic to: 103.152.118.20:1234, 104.21.25.86:443, 107.206.58.222:80, 107.206.58.222:8080, 110.246.151.85:80, 110.246.151.85:8080, 111.53.11.130:1234, 120.236.79.182:1234, 120.31.133.162:1234, 124.223.14.100:1234, 137.30.69.10:80, 137.30.69.10:8080, 138.74.238.92:80, 138.74.238.92:8080, 139.209.222.134:1234, 147.130.40.143:80, 147.130.40.143:8080, 153.169.68.201:80, 153.169.68.201:8080, 158.244.231.123:80, 158.244.231.123:8080, 16.13.173.240:80, 16.13.173.240:8080, 161.107.113.34:1234, 161.35.79.199:1234, 164.114.101.132:80, 164.114.101.132:8080, 167.91.184.157:80, 167.91.184.157:8080, 172.67.133.228:443, 173.18.35.41:1234, 175.89.235.108:80, 175.89.235.108:8080, 180.231.11.233:80, 180.231.11.233:8080, 182.224.177.56:1234, 190.138.240.233:1234, 192.167.91.177:80, 192.216.209.48:80, 192.216.209.48:8080, 206.189.25.255:1234, 209.216.177.158:1234, 210.99.20.194:1234, 215.82.173.82:80, 220.213.110.80:80, 220.213.110.80:8080, 220.243.148.80:1234, 222.121.63.87:1234, 223.99.166.104:1234, 33.108.87.147:80, 33.108.87.147:8080, 45.219.119.48:80, 45.219.119.48:8080, 50.105.76.187:80, 51.159.19.47:1234, 51.75.146.174:443, 58.223.119.68:80, 58.249.153.81:80, 58.249.153.81:8080, 59.3.186.45:1234, 6.160.47.109:80, 6.160.47.109:8080, 60.121.170.153:80, 60.121.170.153:8080, 61.77.105.219:1234, 61.84.162.66:1234, 63.156.71.105:80, 63.156.71.105:8080, 64.61.202.21:80, 64.61.202.21:8080, 75.109.251.134:80, 75.109.251.134:8080, 77.46.165.232:80, 77.46.165.232:8080, 80.147.162.151:1234, 82.104.60.115:80, 82.104.60.115:8080, 82.21.187.46:80, 82.21.187.46:8080, 82.66.5.84:1234, 85.238.7.234:80, 85.238.7.234:8080, 91.60.175.206:80, 91.60.175.206:8080, 93.176.229.145:1234, 97.235.13.69:80 and 97.235.13.69:8080 |
Outgoing Connection |
Process /tmp/apache2 started listening on ports: 1234, 8088 and 8187 |
Listening |
Process /tmp/apache2 scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 80 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 8080 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Connection was closed due to timeout |
|
/var/tmp/ifconfig |
SHA256: 8e7cf70465391f66bc440eba9c30c73995725eaa95fe9f8ba9da6ecbe060c085 |
2424832 bytes |