IP Address: 141.98.10.74 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Outgoing Connection HTTP Download Operation SSH Log Tampering 1 Shell Commands SSH Brute Force Download File Download and Allow Execution Access Suspicious Domain DNS Query Successful SSH Login Download and Execute Bulk Files Tampering
Associated Attack Servers: 5.253.246.139, 54.39.248.217, 91.189.91.38, 91.189.91.39, 103.78.180.197, 103.78.181.188, 103.78.183.137, 103.78.214.46, 185.125.190.36, 185.125.190.39, 198.50.242.157
IP Address: 141.98.10.74
Domain: -
ISP: UAB Host Baltic
Country: Lithuania
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-07-01
Last seen in Akamai Guardicore Segmentation: 2023-05-31
A user logged in using SSH with the following credentials: root / **** - Authentication policy: White List (Part of a Brute Force Attempt) [Successful SSH Login, SSH Brute Force]
A possibly malicious Download Operation was detected 2 times [Download Operation]
Process /bin/bash attempted to access suspicious domains: apiscontrolm1ln3t.duckdns.org and ip-54-39-248.net [Access Suspicious Domain, DNS Query, Outgoing Connection]
Process /bin/bash generated outgoing network traffic to: 54.39.248.217:80 3 times [Outgoing Connection]
Process /bin/bash attempted to access suspicious domains: ip-54-39-248.net [Access Suspicious Domain, Outgoing Connection]
The file /tmp/0as1d5asf4as5d86 was downloaded and granted execution privileges
The file /tmp/sshd was downloaded and granted execution privileges
Process /usr/bin/wget generated outgoing network traffic to: 54.39.248.217:80 [Outgoing Connection]
Process /usr/bin/wget attempted to access suspicious domains: ip-54-39-248.net [Access Suspicious Domain, Outgoing Connection]
The file /tmp/0as1d5asf4as5dx64 was downloaded and granted execution privileges
The file /tmp/zekinha was downloaded and executed 21 times [Download and Execute]
Process /bin/bash attempted to access suspicious domains: ip-54-39-248.net [Access Suspicious Domain, Outgoing Connection]
The file /tmp/bash was downloaded and executed 3 times [Download and Execute]
Process /tmp/bash generated outgoing network traffic to: 5.253.246.139:443 [Outgoing Connection]
Process /tmp/bash attempted to access suspicious domains: brasil.gov.br [Access Suspicious Domain, Outgoing Connection]
Process /usr/bin/wget generated outgoing network traffic to: 54.39.248.217:80 2 times [Outgoing Connection]
Process /usr/bin/wget attempted to access suspicious domains: ip-54-39-248.net 2 times [Access Suspicious Domain, Outgoing Connection]
/tmp/bash was downloaded [Download File]
Process /tmp/bash generated outgoing network traffic to: 5.253.246.139:443 [Outgoing Connection]
Process /tmp/bash attempted to access suspicious domains: brasil.gov.br [Access Suspicious Domain, Outgoing Connection]
The file /tmp/x86 was downloaded and granted execution privileges
Process /bin/bash generated outgoing network traffic to: 54.39.248.217:80 [Outgoing Connection]
Process /bin/bash attempted to access suspicious domains: ip-54-39-248.net [Access Suspicious Domain, Outgoing Connection]
The file /tmp/x862 was downloaded and granted execution privileges [Download and Allow Execution]
Process /usr/bin/wget generated outgoing network traffic to: 54.39.248.217:80 [Outgoing Connection]
Process /usr/bin/wget attempted to access suspicious domains: ip-54-39-248.net [Access Suspicious Domain, Outgoing Connection]
The file /tmp/ulimit.sh was downloaded and granted execution privileges [Download and Allow Execution]
Process /usr/lib/apt/methods/http attempted to access domains: _http._tcp.archive.ubuntu.com and archive.ubuntu.com [DNS Query]
Process /usr/lib/apt/methods/http generated outgoing network traffic to: 91.189.91.38:80 [Outgoing Connection]
The file /usr/share/doc/libtcl8.6 was downloaded and granted execution privileges
The file /usr/share/tcltk was downloaded and granted execution privileges [Download and Allow Execution]
The file /usr/share/tcltk/tcl8.6.dpkg-new was downloaded and granted execution privileges
The file /usr/share/tcltk/tcl8.6/tcl8.dpkg-new was downloaded and granted execution privileges
The file /usr/share/tcltk/tcl8.6/tcl8/platform.dpkg-new was downloaded and granted execution privileges
The file /usr/share/tcltk/tcl8.6/http1.0.dpkg-new was downloaded and granted execution privileges [Download and Allow Execution]
The file /usr/share/tcltk/tcl8.6/msgs.dpkg-new was downloaded and granted execution privileges
The file /usr/share/tcltk/tcl8.6/encoding was downloaded and granted execution privileges
The file /usr/share/tcltk/tcl8.6/opt0.4 was downloaded and granted execution privileges
The file /usr/sbin/hping3 was downloaded and granted execution privileges [Download and Allow Execution]
The file /usr/share/doc/hping3 was downloaded and granted execution privileges [Download and Allow Execution]
The file /usr/share/doc/hping3/examples was downloaded and granted execution privileges
Process /usr/bin/wget generated outgoing network traffic to: 54.39.248.217:80 2 times [Outgoing Connection]
Process /usr/bin/wget attempted to access suspicious domains: ip-54-39-248.net 2 times [Access Suspicious Domain, Outgoing Connection]
Process /usr/bin/wget generated outgoing network traffic to: 54.39.248.217:80 2 times [Outgoing Connection]
Process /usr/bin/wget attempted to access suspicious domains: ip-54-39-248.net 2 times [Access Suspicious Domain, Outgoing Connection]
/tmp/0as1d5asf4as5dsl was downloaded [Download File]
Process /bin/bash generated outgoing network traffic to: 54.39.248.217:80 2 times [Outgoing Connection]
Process /bin/bash attempted to access suspicious domains: ip-54-39-248.net 2 times [Access Suspicious Domain, Outgoing Connection]
/tmp/0as1d5asf4as5dm4 was downloaded [Download File]
Process /bin/bash generated outgoing network traffic to: 54.39.248.217:80 2 times [Outgoing Connection]
Process /bin/bash attempted to access suspicious domains: ip-54-39-248.net 2 times [Access Suspicious Domain, Outgoing Connection]
/tmp/0as1d5asf4as5dm5 was downloaded [Download File]
The file /tmp/0as1d5asf4as5dm6 was downloaded and granted execution privileges [Download and Allow Execution]
The file /tmp/0as1d5asf4as5dm7 was downloaded and granted execution privileges
Process /bin/bash generated outgoing network traffic to: 54.39.248.217:80 [Outgoing Connection]
Process /bin/bash attempted to access suspicious domains: ip-54-39-248.net [Access Suspicious Domain, Outgoing Connection]
/tmp/0as1d5asf4as5dpc was downloaded [Download File]
/tmp/0as1d5asf4as5d8k was downloaded [Download File]
The file /tmp/0as1d5asf4as5dh4 was downloaded and granted execution privileges
History File Tampering detected from /bin/rm on the following logs: /root/.bash_history [Log Tampering]
Connection was closed due to timeout
Process /usr/bin/apt-get performed bulk changes in {/usr} on 256 files [Bulk Files Tampering]