IP Address: 124.222.163.73Previously Malicious
IP Address: 124.222.163.73Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP SSH |
Tags |
Successful SSH Login Port 8080 Scan 5 Shell Commands Listening SSH SCP Outgoing Connection Superuser Operation Port 80 Scan Download File Port 1234 Scan |
Associated Attack Servers |
salesforce.com srasia-great.com vivox.com 13.110.251.32 46.3.193.47 95.154.21.210 120.224.34.31 147.182.233.56 185.210.144.122 209.216.177.158 211.227.39.25 212.70.213.230 216.52.53.84 218.146.15.97 220.71.233.103 222.121.63.87 |
IP Address |
124.222.163.73 |
|
Domain |
- |
|
ISP |
Development & Research Center of State Council Net |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-06-30 |
Last seen in Akamai Guardicore Segmentation |
2022-08-14 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /bin/bash scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /dev/shm/ifconfig scanned port 1234 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 80 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 8080 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 1234 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses 2 times |
Port 1234 Scan |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
Process /dev/shm/ifconfig generated outgoing network traffic to: 101.126.76.49:80, 101.126.76.49:8080, 103.90.177.102:1234, 104.202.50.13:80, 104.202.50.13:8080, 104.21.25.86:443, 109.121.81.69:80, 109.121.81.69:8080, 12.8.118.219:80, 12.8.118.219:8080, 120.224.34.31:1234, 120.236.78.194:1234, 124.223.14.100:1234, 126.134.200.176:80, 126.134.200.176:8080, 128.108.224.26:80, 128.108.224.26:8080, 135.203.123.76:80, 135.203.123.76:8080, 144.10.196.172:80, 144.10.196.172:8080, 147.132.33.214:80, 147.132.33.214:8080, 149.121.245.151:80, 153.84.46.35:80, 153.84.46.35:8080, 158.211.184.228:80, 158.211.184.228:8080, 158.31.2.205:80, 158.31.2.205:8080, 161.35.79.199:1234, 167.150.198.75:80, 167.150.198.75:8080, 17.207.60.27:80, 172.67.133.228:443, 180.124.133.234:80, 180.124.133.234:8080, 184.83.112.246:1234, 186.52.138.170:80, 186.52.138.170:8080, 189.201.233.38:80, 189.201.233.38:8080, 190.138.240.233:1234, 191.242.182.210:1234, 192.163.234.75:80, 192.163.234.75:8080, 196.132.233.129:80, 196.132.233.129:8080, 206.189.25.255:1234, 207.157.184.55:80, 207.157.184.55:8080, 209.216.177.158:1234, 209.216.177.238:1234, 210.99.20.194:1234, 212.57.36.20:1234, 218.199.156.115:80, 218.199.156.115:8080, 220.243.148.80:1234, 221.223.180.231:80, 221.223.180.231:8080, 222.134.240.92:1234, 223.171.91.127:1234, 223.171.91.149:1234, 223.171.91.191:1234, 24.216.12.213:80, 24.216.12.213:8080, 247.96.25.239:80, 247.96.25.239:8080, 26.5.47.171:80, 26.5.47.171:8080, 32.164.6.90:80, 32.164.6.90:8080, 49.24.192.96:80, 49.24.192.96:8080, 51.75.146.174:443, 52.131.32.110:1234, 58.229.125.66:1234, 64.227.132.175:1234, 64.66.19.66:80, 75.229.248.224:80, 85.58.216.241:80, 85.58.216.241:8080, 89.212.123.191:1234, 9.67.221.78:80, 9.67.221.78:8080, 94.153.165.43:1234 and 95.154.21.210:1234 |
Outgoing Connection |
Process /dev/shm/ifconfig started listening on ports: 1234, 8086 and 8182 |
Listening |
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 80 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /dev/shm/ifconfig scanned port 8080 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /usr/local/mysql/bin/mysqld started listening on ports: 3306 |
Listening |
Process /lib/systemd/systemd started listening on ports: 80 2 times |
Listening |
Process /lib/systemd/systemd started listening on ports: 80 |
Listening |
Process /usr/local/apache2/bin/httpd started listening on ports: 80 |
Listening |
Process /lib/systemd/systemd started listening on ports: 80 |
Listening |
Process /usr/local/apache2/bin/httpd started listening on ports: 80 |
Listening |
Process /lib/systemd/systemd started listening on ports: 80 |
Listening |
Process /usr/local/apache2/bin/httpd started listening on ports: 80 |
Listening |
Process /usr/local/apache2/bin/httpd started listening on ports: 80 |
Listening |
Process /usr/local/mysql/bin/mysqld started listening on ports: 3306 |
Listening |
Connection was closed due to timeout |
|