IP Address: 13.67.56.211
Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP, SSH
Tags | Port 8080 Scan, 3 Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Download and Execute, Access Suspicious Domain, Outgoing Connection, Listening, Download and Allow Execution
Associated Attack Servers |
IP Address | 13.67.56.211
Domain | -
ISP | Microsoft Corporation
Country | Singapore
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-02
Last seen in Akamai Guardicore Segmentation | 2022-04-03
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 23 times |
Download and Execute |
Process /tmp/apache2 generated outgoing network traffic to a large number of destination IP:port pairs (full list omitted) |
Outgoing Connection |
Process /tmp/apache2 started listening on ports: 1234, 8084 and 8180 |
Listening |
Process /tmp/apache2 scanned port 80 on 32 IP Addresses 2 times |
Port 80 Scan, Port 8080 Scan |
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses 2 times |
Port 80 Scan, Port 8080 Scan |
Process /tmp/apache2 attempted to access suspicious domains: adsl, alestra.net.mx, bbtec.net, dsl-net.ch and sbcglobal.net |
Access Suspicious Domain, Outgoing Connection |
Connection was closed due to user inactivity |