IP Address: 143.198.133.234Malicious
IP Address: 143.198.133.234Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SCP SSH |
Tags |
SSH Superuser Operation SCP Download File Download and Allow Execution Successful SSH Login Download and Execute |
Associated Attack Servers |
3.125.183.25 31.165.5.154 35.174.113.238 59.1.226.211 66.70.154.59 124.223.14.100 172.64.110.32 172.64.111.32 172.64.200.11 172.64.201.11 |
IP Address |
143.198.133.234 |
|
Domain |
- |
|
ISP |
Auto-trol Technology Corporation |
|
Country |
United States |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-03-29 |
Last seen in Akamai Guardicore Segmentation |
2024-06-28 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /bin/bash scanned port 1234 on 16 IP Addresses |
Port 1234 Scan |
Process /dev/shm/ifconfig scanned port 1234 on 16 IP Addresses |
Port 1234 Scan |
Process /tmp/apache2 scanned port 1234 on 16 IP Addresses |
Port 1234 Scan |
Process /dev/shm/apache2 scanned port 1234 on 16 IP Addresses |
Port 1234 Scan |
Process /tmp/apache2 scanned port 1234 on 16 IP Addresses |
Port 1234 Scan |
Process /root/apache2 scanned port 1234 on 16 IP Addresses |
Port 1234 Scan |
Process /var/tmp/apache2 scanned port 1234 on 16 IP Addresses 2 times |
Port 1234 Scan |
Process /root/apache2 scanned port 1234 on 16 IP Addresses 2 times |
Port 1234 Scan |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 3 times |
Successful SSH Login |
/dev/shm/ifconfig was downloaded 2 times |
Download File |
A possibly malicious Superuser Operation was detected 20 times |
Superuser Operation |
Process /dev/shm/ifconfig started listening on ports: 1234, 8089 and 8186 |
Listening |
Process /dev/shm/ifconfig generated outgoing network traffic to: 182.224.177.33:1234, 182.92.162.51:1234, 223.223.200.243:1234 and 51.75.146.174:443 |
Outgoing Connection |
Process /dev/shm/apache2 generated outgoing network traffic to: 172.64.200.11:443 |
Outgoing Connection |
Process /dev/shm/apache2 started listening on ports: 1234, 8087 and 8187 |
Listening |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 108 times |
Download and Execute |
Process /tmp/apache2 started listening on ports: 1234, 8081 and 8185 |
Listening |
Process /tmp/apache2 generated outgoing network traffic to: 117.16.44.111:1234, 159.65.242.113:1234 and 51.75.146.174:443 |
Outgoing Connection |
The file /tmp/ifconfig was downloaded and executed 6 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 102 times |
Download and Execute |
Process /tmp/apache2 started listening on ports: 1234, 8085 and 8188 |
Listening |
Process /tmp/apache2 generated outgoing network traffic to: 101.35.198.225:1234, 103.105.12.48:1234, 117.16.44.111:1234, 144.22.191.115:1234, 172.64.200.11:443, 172.64.201.11:443 and 66.70.154.59:1234 |
Outgoing Connection |
./ifconfig was downloaded 2 times |
Download File |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 152 times |
Download and Execute |
Process /root/apache2 started listening on ports: 1234, 8082 and 8184 |
Listening |
Process /root/apache2 generated outgoing network traffic to: 172.64.201.11:443 |
Outgoing Connection |
The file /var/tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /var/tmp/apache2 was downloaded and executed 118 times |
Download and Execute |
Process /var/tmp/apache2 generated outgoing network traffic to: 102.141.225.244:1234, 172.64.200.11:443 and 85.53.55.133:1234 |
Outgoing Connection |
Process /var/tmp/apache2 started listening on ports: 1234, 8089 and 8189 |
Listening |
The file /var/tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /var/tmp/apache2 was downloaded and executed 80 times |
Download and Execute |
Process /var/tmp/apache2 started listening on ports: 1234, 8082 and 8183 |
Listening |
Process /var/tmp/apache2 generated outgoing network traffic to: 172.64.201.11:443 |
Outgoing Connection |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 142 times |
Download and Execute |
Process /root/apache2 started listening on ports: 1234, 8086, 8183 and 8186 |
Listening |
Process /root/apache2 generated outgoing network traffic to: 172.64.200.11:443, 172.64.201.11:443, 5.28.139.161:1234, 58.216.8.121:1234 and 89.212.123.191:1234 |
Outgoing Connection |
System file /etc/ifconfig was modified 9 times |
System File Modification |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 44 times |
Download and Execute |
Process /root/apache2 generated outgoing network traffic to: 172.64.200.11:443 |
Outgoing Connection |
Process /root/apache2 started listening on ports: 1234, 8082 and 8183 |
Listening |
Connection was closed due to timeout |
|
/var/tmp/ifconfig |
SHA256: 93b5387c1ad89b1bba7a1c7ad722d5406dd174e58cd0a1de5a0684e02a83fd33 |
1474560 bytes |
/var/tmp/ifconfig |
SHA256: b3b7551f344bdc4021e89ae74961531531a7dedf23e7b2d0364e21d052271ae2 |
1114112 bytes |