IP Address: 140.75.154.157 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Superuser Operation, SCP, Download and Execute, Successful SSH Login, SSH, Download File, Download and Allow Execution
Associated Attack Servers |
2.125.211.167 15.228.9.24 20.175.248.126 22.118.125.171 31.71.55.129 45.120.216.114 47.114.230.236 53.46.46.116 57.89.119.22 80.147.162.151 81.232.181.171 84.187.214.248 91.150.143.36 94.23.211.110 103.90.177.102 104.224.225.67 105.141.15.106 108.82.40.128 110.242.92.141 115.107.184.24 120.138.186.182 129.152.6.35 132.33.28.253 136.61.211.87 139.148.27.150 166.154.174.140 175.98.45.240 177.63.48.20 177.229.221.204 |
IP Address | 140.75.154.157
Domain | -
ISP | China Telecom Shandong
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-19
Last seen in Akamai Guardicore Segmentation | 2022-03-20
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /var/tmp/ifconfig was downloaded and executed 6 times | Download and Execute
The file /var/tmp/apache2 was downloaded and executed 195 times | Download and Execute
Process /var/tmp/ifconfig generated outgoing network traffic to: 104.173.197.23:80, 104.173.197.23:8080, 108.138.7.52:80, 11.243.28.201:2222, 111.145.141.92:80, 111.145.141.92:8080, 119.248.84.225:80, 119.248.84.225:8080, 122.172.17.245:80, 122.172.17.245:8080, 132.109.161.184:80, 132.109.161.184:8080, 136.233.197.68:2222, 14.237.180.252:80, 14.237.180.252:8080, 14.38.26.235:80, 14.38.26.235:8080, 142.132.192.126:22, 144.70.110.39:80, 144.70.110.39:8080, 146.2.77.230:80, 146.2.77.230:8080, 150.107.95.20:1234, 155.190.172.109:2222, 161.39.226.7:2222, 166.156.19.12:80, 166.156.19.12:8080, 175.98.45.240:1234, 18.21.253.131:2222, 184.151.155.145:22, 190.10.174.2:2222, 194.213.223.242:80, 194.213.223.242:8080, 199.156.176.151:80, 199.156.176.151:8080, 199.30.63.245:80, 199.30.63.245:8080, 204.164.248.37:22, 204.26.140.51:80, 204.26.140.51:8080, 206.12.89.150:80, 206.12.89.150:8080, 207.25.192.14:2222, 212.57.36.20:1234, 215.100.230.214:80, 215.100.230.214:8080, 216.87.130.134:80, 216.87.130.134:8080, 217.23.158.174:1234, 217.237.55.143:80, 217.237.55.143:8080, 221.10.244.122:80, 221.10.244.122:8080, 221.130.68.73:80, 221.130.68.73:8080, 242.52.167.128:80, 242.52.167.128:8080, 242.91.51.66:2222, 249.161.124.8:2222, 3.131.153.27:80, 3.131.153.27:8080, 30.157.17.155:80, 30.157.17.155:8080, 32.146.89.154:80, 32.146.89.154:8080, 35.188.21.56:80, 35.188.21.56:8080, 35.244.250.154:22, 37.139.225.177:22, 4.63.136.120:22, 40.3.112.81:80, 40.3.112.81:8080, 43.242.247.139:1234, 43.70.169.61:80, 43.70.169.61:8080, 46.35.3.50:80, 46.35.3.50:8080, 47.112.205.162:1234, 48.188.116.156:80, 48.188.116.156:8080, 48.196.37.50:80, 48.196.37.50:8080, 52.211.69.137:2222, 54.176.172.47:1234, 62.109.114.74:80, 62.109.114.74:8080, 74.211.136.20:22, 93.106.4.227:80 and 93.106.4.227:8080 |
Outgoing Connection
Process /var/tmp/ifconfig started listening on ports: 1234, 8080 and 8188 | Listening
Process /var/tmp/ifconfig scanned port 80 on 33 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 80 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 80 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 8080 on 33 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 2222 on 33 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig attempted to access suspicious domains: googleusercontent.com and tfn.net.tw | Access Suspicious Domain, Outgoing Connection
Process /var/tmp/ifconfig scanned port 8080 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 8080 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 2222 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/ifconfig scanned port 2222 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
The file /usr/local/bin/dash was downloaded and executed 2 times | Download and Execute
The file /var/tmp/php-fpm was downloaded and executed 13 times | Download and Execute
The file /var/tmp/php-fpm was downloaded and executed 20 times | Download and Execute
The file /var/tmp/php-fpm was downloaded and granted execution privileges | Download and Allow Execution
Connection was closed due to timeout
|