IP Address: 144.48.170.204Previously Malicious
IP Address: 144.48.170.204Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SCP |
Tags |
Outgoing Connection SSH Superuser Operation SCP 4 Shell Commands Download File Access Suspicious Domain Port 80 Scan Listening Successful SSH Login Port 1234 Scan |
Associated Attack Servers |
34.116.189.40 41.207.248.204 50.192.233.138 59.145.216.50 103.172.10.78 123.212.0.131 148.71.35.230 172.64.200.11 182.16.160.53 198.58.125.228 |
IP Address |
144.48.170.204 |
|
Domain |
- |
|
ISP |
Apex Netcom India Pvt. |
|
Country |
India |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2017-07-05 |
Last seen in Akamai Guardicore Segmentation |
2022-10-27 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /dev/shm/ifconfig scanned port 1234 on 17 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /dev/shm/ifconfig scanned port 1234 on 63 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /dev/shm/ifconfig scanned port 80 on 17 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /usr/sbin/sshd scanned port 1234 on 17 IP Addresses 2 times |
Port 1234 Scan |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
Process /dev/shm/ifconfig started listening on ports: 1234, 8085 and 8184 |
Listening |
Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.171.168.64:80, 102.141.225.238:1234, 103.141.246.254:1234, 103.172.10.78:80, 103.172.10.78:8080, 104.63.175.167:80, 106.76.124.219:80, 112.11.3.174:80, 112.98.26.223:80, 115.200.170.202:80, 115.200.170.58:80, 115.200.178.7:80, 118.104.167.38:80, 118.41.204.72:1234, 120.224.143.251:1234, 120.236.69.162:1234, 120.236.74.234:1234, 123.212.0.131:80, 123.212.0.131:8080, 129.221.229.188:80, 13.36.151.196:1234, 139.39.226.197:80, 142.250.191.196:443, 144.48.170.204:80, 144.48.170.204:8080, 15.13.113.247:80, 155.171.156.190:80, 159.130.170.120:80, 167.177.220.140:80, 168.229.229.213:80, 169.254.1.1:80, 169.254.195.167:80, 170.196.61.251:80, 171.224.135.98:80, 171.36.78.130:80, 172.13.148.230:80, 172.64.200.11:443, 173.18.35.41:1234, 178.140.136.178:1234, 181.232.250.39:80, 182.16.160.53:80, 182.16.160.53:8080, 183.100.80.107:80, 187.252.227.94:80, 188.147.168.125:80, 189.215.83.98:80, 189.215.84.218:80, 195.7.205.134:80, 198.58.125.228:443, 198.58.125.228:80, 198.58.125.228:8080, 20.56.195.26:1234, 200.239.4.143:80, 203.120.197.69:80, 21.179.128.131:80, 212.100.248.2:80, 223.171.91.149:1234, 223.171.91.161:1234, 244.177.12.253:80, 249.203.206.152:80, 249.30.189.203:80, 26.142.218.236:80, 26.250.136.75:80, 28.102.112.144:80, 3.96.149.202:80, 30.208.52.41:80, 30.222.24.86:80, 31.165.5.155:1234, 34.116.189.40:80, 34.116.189.40:8080, 35.163.174.127:80, 37.55.168.167:80, 40.41.163.249:80, 41.207.248.204:80, 41.207.248.204:8080, 43.53.33.164:80, 50.166.8.5:80, 50.192.233.138:80, 50.192.233.138:8080, 51.143.75.87:80, 51.75.146.174:443, 52.53.154.233:80, 58.216.8.121:1234, 59.145.216.50:80, 59.145.216.50:8080, 62.62.128.5:80, 73.81.206.72:80, 74.179.216.64:80, 76.184.141.93:80, 8.8.4.4:443, 8.8.8.8:443, 91.148.129.240:80 and 95.91.13.119:1234 |
Outgoing Connection |
Process /dev/shm/ifconfig scanned port 80 on 63 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /dev/shm/ifconfig attempted to access suspicious domains: comcastbusiness.net, googleusercontent.com, iforte.net.id and n11.dev |
Access Suspicious Domain Outgoing Connection |
Connection was closed due to timeout |
|