IP Address: 13.75.90.126 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Scanner
Services Targeted: SSH
Tags: New SSH Key, SSH, SSH Brute Force, Outgoing Connection, Access Suspicious Domain, Successful SSH Login, Download and Execute
Associated Attack Servers: 23.21.47.155, 23.55.221.152, 27.124.9.222, 31.220.41.202, 39.104.166.233, 47.104.195.218, 49.235.238.86, 58.144.209.82, 66.171.248.178, 73.51.40.26, 106.52.187.225, 106.53.198.193, 107.170.192.159, 111.230.251.247, 116.202.244.153, 117.73.10.53, 118.25.154.146, 122.51.70.158, 129.211.31.111, 138.68.100.204, 139.59.24.168, 154.92.16.22, 154.211.12.168, 176.58.123.25, 208.67.222.222, 212.64.34.108, 216.117.227.195, 218.248.40.228

Note: 208.67.222.222 is the OpenDNS public resolver; it appears in this list because the dropped binary contacted it (see the outgoing-connection event below), not because it is attacker infrastructure. Verify each address before adding it to a block list.
IP Address: 13.75.90.126
Domain: -
ISP: Microsoft Corporation
Country: Hong Kong
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2020-06-20
Last seen in Akamai Guardicore Segmentation: 2020-08-15
Incident events recorded by the sensor:

1. A user logged in using SSH with the following credentials: root / ************** (authentication policy: Reached Max Attempts, i.e. the sensor accepted the login after the attacker exhausted the allowed failed attempts, so this login was part of a brute force attempt).
   Tags: SSH Brute Force, Successful SSH Login

2. The file /usr/local/bin/auglrf was downloaded and executed 27 times.
   Tags: Download and Execute

3. Process /usr/local/bin/auglrf generated outgoing network traffic to: 1.1.1.1:53, 106.52.187.225:38201, 106.53.198.193:44873, 107.170.192.159:8000, 111.230.251.247:34911, 116.202.244.153:80, 117.73.10.53:36467, 118.25.154.146:34511, 122.51.70.158:46632, 129.211.31.111:40613, 138.68.100.204:46799, 139.59.24.168:37643, 154.211.12.168:43199, 154.92.16.22:36759, 176.58.123.25:80, 208.67.222.222:443, 212.64.34.108:44629, 216.117.227.195:35047, 216.239.32.21:80, 216.239.36.21:80, 218.248.40.228:52938, 23.21.47.155:80, 23.55.221.152:80, 27.124.9.222:39545, 31.220.41.202:33133, 39.104.166.233:46000, 47.104.195.218:41920, 49.235.238.86:34078, 58.144.209.82:43665, 66.171.248.178:80 and 73.51.40.26:52316.
   Tags: Outgoing Connection
   Note: 1.1.1.1:53 (Cloudflare) and 208.67.222.222:443 (OpenDNS) are public DNS resolver addresses, and 216.239.32.21 and 216.239.36.21 sit in a Google-owned range; these are most likely name resolution and connectivity checks by the binary rather than peers. The remaining destinations, mostly on high non-standard ports, are the ones listed under Associated Attack Servers.

4. Process /usr/local/bin/auglrf attempted to access suspicious domains: allwest.net, icanhazip.com, ident.me and one.one.
   Tags: Access Suspicious Domain, Outgoing Connection
   Note: icanhazip.com and ident.me are public "what is my IP" services; malware commonly queries them to learn the victim's external address before reporting in. one.one is the registrable domain of one.one.one.one, Cloudflare's resolver hostname, which is consistent with the 1.1.1.1:53 traffic above.

5. Connection was closed due to timeout.

6. An attempt to download /root/.ssh/authorized_keys was made 4 times.
   Tags: New SSH Key
   Note: a key written to root's authorized_keys gives the attacker password-less SSH access that survives a password change, so this file should be reviewed and cleaned as part of remediation.
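As an added example (this is not Guardicore's or Akamai's code, and the sensor does not expose such a script), the following Python reproduces the detections this record implies, over constructed inputs: sshd log lines showing the brute-force-then-success pattern, outbound connection records matched against the peer list above with public resolvers reported separately, DNS lookups of external-IP services, and an authorized_keys file compared against an approved key set. The log lines, the hostname `sensor`, the connection and DNS records, and the key strings are all made up for the demo; only the peer IPs and the domain names come from the incident record.

```python
"""Detection logic for the SSH brute force -> drop-and-execute -> persistence chain.

Added example, not Guardicore/Akamai code. All inputs are constructed; only the
peer IP list and the two external-IP lookup domains come from the incident record.
"""
import re
from collections import defaultdict

# Peer addresses from the record's "Associated Attack Servers" list.
ATTACK_SERVERS = {
    "23.21.47.155", "23.55.221.152", "27.124.9.222", "31.220.41.202",
    "39.104.166.233", "47.104.195.218", "49.235.238.86", "58.144.209.82",
    "66.171.248.178", "73.51.40.26", "106.52.187.225", "106.53.198.193",
    "107.170.192.159", "111.230.251.247", "116.202.244.153", "117.73.10.53",
    "118.25.154.146", "122.51.70.158", "129.211.31.111", "138.68.100.204",
    "139.59.24.168", "154.92.16.22", "154.211.12.168", "176.58.123.25",
    "208.67.222.222", "212.64.34.108", "216.117.227.195", "218.248.40.228",
}
PUBLIC_RESOLVERS = {"1.1.1.1", "208.67.222.222"}  # Cloudflare, OpenDNS
EXTERNAL_IP_SERVICES = {"icanhazip.com", "ident.me"}

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+ ssh2")
ACCEPTED_RE = re.compile(r"Accepted password for (\S+) from (\S+) port \d+ ssh2")

# Constructed sshd lines: five failures then a success from the attacker, plus a
# benign admin login with a single typo beforehand that must not be flagged.
SAMPLE_AUTH_LOG = """\
Jun 20 03:14:01 sensor sshd[2131]: Failed password for root from 13.75.90.126 port 49812 ssh2
Jun 20 03:14:02 sensor sshd[2133]: Failed password for root from 13.75.90.126 port 49814 ssh2
Jun 20 03:14:03 sensor sshd[2135]: Failed password for invalid user admin from 13.75.90.126 port 49816 ssh2
Jun 20 03:14:04 sensor sshd[2137]: Failed password for root from 13.75.90.126 port 49818 ssh2
Jun 20 03:14:05 sensor sshd[2139]: Failed password for root from 13.75.90.126 port 49820 ssh2
Jun 20 03:14:06 sensor sshd[2141]: Accepted password for root from 13.75.90.126 port 49822 ssh2
Jun 20 03:20:00 sensor sshd[2200]: Failed password for ops from 10.0.0.5 port 51000 ssh2
Jun 20 03:20:04 sensor sshd[2202]: Accepted password for ops from 10.0.0.5 port 51002 ssh2
"""


def find_brute_force_logins(log_text, max_attempts=3):
    """Return successful logins whose source IP had >= max_attempts prior failures."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures[m.group(2)] >= max_attempts:
            hits.append({"user": m.group(1), "src": m.group(2),
                         "failures_before": failures[m.group(2)]})
    return hits


# Constructed outbound records as (process, dst_ip, dst_port); the auglrf entries
# reuse destinations from the incident record.
SAMPLE_CONNECTIONS = [
    ("auglrf", "1.1.1.1", 53),
    ("auglrf", "106.52.187.225", 38201),
    ("auglrf", "116.202.244.153", 80),
    ("auglrf", "208.67.222.222", 443),
    ("sshd", "23.21.47.155", 80),   # different process: not attributed to the malware
    ("auglrf", "10.0.0.8", 443),    # internal, not in any list
]


def classify_outbound(connections, process_name):
    """Split a process's outbound peers into IOC matches and public-resolver contacts.

    Resolver addresses are reported separately so an analyst does not push 1.1.1.1
    or 208.67.222.222 into a block list together with the real peers.
    """
    ioc, resolvers = [], []
    for proc, ip, port in connections:
        if proc != process_name:
            continue
        if ip in PUBLIC_RESOLVERS:
            resolvers.append((ip, port))
        elif ip in ATTACK_SERVERS:
            ioc.append((ip, port))
    return {"ioc_matches": ioc, "resolver_contacts": resolvers}


# Constructed DNS query records as (process, queried_name).
SAMPLE_DNS = [("auglrf", "icanhazip.com"), ("auglrf", "one.one"),
              ("auglrf", "ident.me"), ("curl", "icanhazip.com")]


def external_ip_lookups(dns_queries, process_name):
    """Names a process queried that exist only to report the caller's public IP."""
    return sorted({q for proc, q in dns_queries
                   if proc == process_name and q in EXTERNAL_IP_SERVICES})


# Constructed authorized_keys content; the second key is the one the intruder appended.
# Key blobs are placeholders, not real keys.
KNOWN_KEYS = {"AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyForOpsUserXXXXXXXXXXXXXXXXXXXXXXXXX"}
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoodKeyForOpsUserXXXXXXXXXXXXXXXXXXXXXXXXX ops@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUnknownKeyDroppedByIntruderYYYYYYYYYY root@attacker
"""


def unexpected_keys(authorized_keys_text, known_keys):
    """Return (key_type, comment) for every key whose blob is not in the approved set.

    Matching is on the key blob, not the comment: the attacker chooses the comment.
    Option prefixes (e.g. no-pty,command="x") are skipped; quoted options containing
    spaces are not handled here.
    """
    found = []
    for line in authorized_keys_text.splitlines():
        fields = line.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, f in enumerate(fields):
            if f.startswith(("ssh-", "ecdsa-", "sk-")):
                key_type, blob = f, fields[i + 1]
                if blob not in known_keys:
                    found.append((key_type, " ".join(fields[i + 2:])))
                break
    return found
```

The four checks map onto the record's events in order: brute force then success (event 1), outbound peers of the dropped binary (event 3), external-IP lookups (event 4), and key persistence (event 6). Run them against real `auth.log`, connection-tracking output and `authorized_keys` by replacing the constructed inputs.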