IP Address: 142.167.57.55 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP, SSH |
Tags |
SSH, Superuser Operation, Successful SSH Login, Download and Execute, Download and Allow Execution |
Associated Attack Servers |
28.176.68.111, 37.120.24.181, 42.231.28.11, 42.231.29.28, 42.231.30.127, 50.178.80.178, 94.159.213.141, 101.43.152.105, 103.120.140.6, 110.240.44.208, 114.200.15.12, 161.70.98.32, 186.29.218.54, 186.250.45.150, 223.182.94.199, 243.216.185.9, 249.127.183.86 |
IP Address |
142.167.57.55 |
Domain |
- |
ISP |
Bell Aliant |
Country |
Canada |
WHOIS |
Created Date |
- |
Updated Date |
- |
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-04-07 |
Last seen in Akamai Guardicore Segmentation |
2022-04-11 |
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 207 times |
Download and Execute |
Process /tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.104.138.144:80, 101.104.138.144:8080, 104.21.25.86:443, 104.9.171.248:80, 104.9.171.248:8080, 106.52.252.228:1234, 108.9.46.177:80, 108.9.46.177:8080, 114.201.6.62:80, 114.201.6.62:8080, 114.201.6.62:8090, 115.163.190.16:2222, 134.122.248.77:80, 134.122.248.77:8080, 137.237.167.63:80, 137.237.167.63:8080, 137.238.116.11:80, 137.238.116.11:8080, 14.60.27.101:80, 14.60.27.101:8080, 14.60.27.101:8090, 142.202.120.203:80, 142.202.120.203:8080, 142.251.32.4:443, 143.84.12.228:80, 143.84.12.228:8080, 146.56.115.54:1234, 146.56.115.54:2222, 153.53.12.200:80, 153.53.12.200:8080, 154.108.113.197:80, 154.108.113.197:8080, 166.40.47.241:80, 166.40.47.241:8080, 17.202.11.168:2222, 176.109.219.178:80, 176.109.219.178:8080, 184.217.9.191:80, 184.217.9.191:8080, 187.103.240.31:1234, 19.32.169.205:80, 19.32.169.205:8080, 212.190.6.220:80, 212.190.6.220:8080, 212.78.166.140:1234, 215.199.198.152:22, 22.165.138.91:2222, 221.26.5.250:22, 223.12.134.135:80, 223.12.134.135:8080, 246.192.188.216:80, 246.192.188.216:8080, 248.51.204.202:80, 248.51.204.202:8080, 251.31.27.149:22, 30.152.57.146:22, 36.215.111.44:80, 36.215.111.44:8080, 39.175.68.100:1234, 42.211.211.132:80, 42.211.211.132:8080, 46.13.164.29:1234, 47.98.33.30:80, 47.98.33.30:8080, 51.75.146.174:443, 52.135.100.169:80, 52.135.100.169:8080, 62.68.156.6:80, 62.68.156.6:8080, 64.239.152.3:80, 64.239.152.3:8080, 65.27.66.37:80, 65.27.66.37:8080, 70.132.52.244:80, 70.132.52.244:8080, 77.142.211.154:80, 77.142.211.154:8080, 8.152.205.78:80, 8.152.205.78:8080, 8.8.8.8:443, 81.70.21.147:1234, 90.70.101.39:80, 90.70.101.39:8080, 99.250.58.138:80 and 99.250.58.138:8080 |
Outgoing Connection |
Process /tmp/apache2 started listening on ports: 1234, 8087 and 8180 |
Listening |
Process /tmp/apache2 scanned port 80 on 32 IP Addresses |
Port 80 Scan, Port 8080 Scan |
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses |
Port 80 Scan, Port 8080 Scan |
Process /tmp/apache2 scanned port 80 on 32 IP Addresses |
Port 80 Scan, Port 8080 Scan |
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses |
Port 80 Scan, Port 8080 Scan |
Process /tmp/apache2 attempted to access suspicious domains: adyl.net.br, bbtec.net and tmcz.cz |
Access Suspicious Domain, Outgoing Connection |
The file /tmp/php-fpm was downloaded and executed 34 times |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 6 times |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 23 times |
Download and Execute |
Connection was closed due to timeout |