IP Address: 139.226.207.251 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: SSH, SCP, Superuser Operation, Download and Allow Execution, Successful SSH Login, Download and Execute, Download File
Associated Attack Servers: 59.3.186.45, 95.154.21.210, 118.218.209.149, 124.223.14.100, 172.64.200.11, 172.64.201.11
IP Address: 139.226.207.251
Domain: -
ISP: CHINA UNICOM Shanghai city network
Country: China
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-10-13
Last seen in Akamai Guardicore Segmentation: 2022-10-19
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password (2 times)
Port 1234 Scan: Process /bin/bash scanned port 1234 on 33 IP addresses
Port 1234 Scan, Port 80 Scan: Process /root/apache2 scanned port 1234 on 33 IP addresses
Port 1234 Scan, Port 80 Scan: Process /root/apache2 scanned port 80 on 33 IP addresses
Port 1234 Scan, Port 80 Scan: Process /root/apache2 scanned port 1234 on 39 IP addresses
Port 1234 Scan: Process /tmp/ifconfig scanned port 1234 on 33 IP addresses
Port 1234 Scan: Process /usr/sbin/sshd scanned port 1234 on 33 IP addresses
Port 1234 Scan: Process /var/tmp/ifconfig scanned port 1234 on 33 IP addresses
Port 1234 Scan: Process /root/ifconfig scanned port 1234 on 33 IP addresses
Port 1234 Scan: Process /root/apache2 scanned port 1234 on 33 IP addresses
Port 1234 Scan: Process /var/tmp/ifconfig scanned port 1234 on 33 IP addresses
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Download File: ./ifconfig was downloaded 2 times
Superuser Operation: A possibly malicious Superuser Operation was detected 18 times
Download and Execute: The file /root/ifconfig was downloaded and executed 5 times
Download and Execute: The file /root/apache2 was downloaded and executed 71 times
Outgoing Connection: Process /root/apache2 generated outgoing network traffic to: 1.1.1.1:443, 103.105.12.48:1234, 103.90.177.102:1234, 108.68.207.101:80, 111.106.251.185:80, 111.53.11.130:1234, 116.166.228.184:80, 120.224.34.31:1234, 120.236.78.194:1234, 121.235.193.13:80, 123.132.238.210:1234, 123.216.181.216:80, 123.219.40.243:80, 124.115.231.214:1234, 124.71.244.78:80, 125.202.37.32:80, 130.101.44.16:80, 142.250.191.228:443, 146.176.20.87:80, 150.107.95.20:1234, 155.43.240.233:80, 161.107.113.27:1234, 170.122.82.191:80, 172.64.163.15:443, 173.210.207.29:80, 176.222.175.140:80, 177.138.35.142:80, 184.83.112.246:1234, 185.210.144.122:1234, 190.12.120.30:1234, 190.138.240.233:1234, 191.242.182.210:1234, 191.242.188.103:1234, 195.46.167.38:80, 199.73.182.12:80, 2.13.92.147:80, 202.61.203.229:1234, 205.47.231.163:80, 206.189.25.255:1234, 206.200.105.26:80, 209.216.177.238:1234, 209.85.89.110:80, 211.162.184.120:1234, 213.226.121.39:80, 216.14.173.34:80, 218.146.15.97:1234, 218.157.30.251:80, 218.203.169.247:80, 220.243.148.80:1234, 220.252.123.170:80, 222.100.124.62:1234, 222.165.136.99:1234, 223.171.91.191:1234, 248.108.239.250:80, 252.149.76.118:80, 31.19.237.170:1234, 34.204.138.210:80, 42.215.140.76:80, 45.22.214.151:80, 49.105.64.140:80, 49.233.159.222:1234, 51.75.146.174:443, 54.245.106.44:80, 55.132.110.40:80, 57.137.179.253:80, 58.229.125.66:1234, 60.40.95.158:80, 61.84.162.66:1234, 8.8.4.4:443, 8.8.8.8:443, 84.204.148.99:1234, 92.150.135.247:80, 92.77.213.160:80, 93.176.229.145:1234, 95.154.21.210:1234 and 99.230.1.92:80
Listening: Process /root/apache2 started listening on ports 1234, 8089 and 8189
Download and Execute: The file /tmp/ifconfig was downloaded and executed 6 times
Download and Execute: The file /tmp/apache2 was downloaded and executed 11 times
Download and Execute: The file /root/apache2 was downloaded and executed 226 times
Download and Execute: The file /var/tmp/apache2 was downloaded and executed 31 times
Download and Execute: The file /root/ifconfig was downloaded and executed 11 times
Download and Execute: The file /root/apache2 was downloaded and executed 182 times
Outgoing Connection: Process /root/apache2 generated outgoing network traffic to 172.64.162.15:443
Download File: /var/tmp/ifconfig was downloaded
Download and Execute: The file /var/tmp/ifconfig was downloaded and executed 5 times
Outgoing Connection: Process /var/tmp/ifconfig generated outgoing network traffic to 172.64.163.15:443
Port 1234 Scan, Port 80 Scan: Process /root/apache2 scanned port 80 on 39 IP addresses
Download and Execute: The file /etc/ifconfig was downloaded and executed 3 times
Download and Execute: The file /etc/apache2 was downloaded and executed 22 times
Download and Execute: The file /root/apache2 was downloaded and executed 434 times
Download and Execute: The file /root/ifconfig was downloaded and executed 6 times
Download and Execute: The file /etc/ifconfig was downloaded and executed 4 times
Download and Execute: The file /etc/apache2 was downloaded and executed 10 times
Connection was closed due to user inactivity
|
/var/tmp/ifconfig: SHA256 4028880b6d6318bb68703ad18cbc062f79aff02897692265a16c5a1e140a3d20, 3087196 bytes
/var/tmp/ifconfig: SHA256 4a9baae88afedaad6778862d3978370374aaa0450d27e5782df032f1044995eb, 3105548 bytes
/var/tmp/apache2: SHA256 85e14a44d44c9f277d7fd8b128ac5fa70250632439574ff61fd7afb5eff7665f, 3088424 bytes