IP Address: 145.40.73.31 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network.
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: SSH, SCP, Superuser Operation, Download File, Download and Allow Execution, Successful SSH Login, Download and Execute
Associated Attack Servers: 3.125.183.25, 35.165.157.76, 35.236.89.215, 40.87.11.253, 59.145.216.50, 93.183.167.152, 128.8.238.39, 147.182.233.56, 172.64.200.11, 172.64.201.11, 173.230.153.163, 182.16.160.129, 188.93.232.104, 191.96.34.2, 209.216.177.158, 213.255.16.156

IP Address: 145.40.73.31
Domain: -
ISP: SURFnet
Country: Netherlands

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2022-10-30
Last seen in Akamai Guardicore Segmentation: 2022-10-31
Incident timeline (each event is followed by its tag):

[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
[Download File] /var/tmp/ifconfig was downloaded
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
[Superuser Operation] A possibly malicious Superuser Operation was detected 2 times
[Download and Execute] The file /var/tmp/apache2 was downloaded and executed 1288 times
[Port 1234 Scan, Port 80 Scan] Process /var/tmp/apache2 scanned port 1234 on 19 IP Addresses
[Port 1234 Scan, Port 80 Scan] Process /var/tmp/apache2 scanned port 1234 on 53 IP Addresses
[Port 1234 Scan, Port 80 Scan] Process /var/tmp/apache2 scanned port 80 on 19 IP Addresses
[Port 1234 Scan] Process /bin/bash scanned port 1234 on 19 IP Addresses
[Listening] Process /var/tmp/apache2 started listening on ports: 1234, 8081 and 8187
[Outgoing Connection] Process /var/tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.35.232.15:1234, 101.43.224.103:80, 101.43.224.103:8080, 102.141.225.244:1234, 115.200.169.138:80, 115.200.169.154:80, 115.200.169.175:80, 115.200.169.2:80, 115.200.170.126:80, 115.200.170.154:80, 115.200.170.15:80, 115.200.170.35:80, 115.200.170.58:80, 115.200.170.99:80, 115.200.181.104:80, 115.200.181.125:80, 115.200.181.127:80, 115.200.181.176:80, 115.200.181.181:80, 115.200.181.230:80, 121.199.57.14:1234, 128.8.238.42:80, 13.208.45.239:80, 13.245.89.211:80, 13.50.16.84:80, 13.50.16.84:8080, 13.56.181.122:80, 142.250.191.196:443, 147.182.233.56:1234, 147.182.233.56:2222, 148.71.35.230:1234, 149.129.232.50:80, 149.129.232.50:8080, 163.123.181.132:1234, 169.254.1.241:80, 169.254.1.243:80, 169.254.85.1:1234, 171.224.135.98:80, 172.64.200.11:443, 173.18.35.41:1234, 18.169.238.234:80, 189.238.134.44:80, 189.78.63.204:80, 190.216.117.44:443, 190.216.117.44:80, 190.216.117.44:8080, 192.10.49.116:80, 195.87.73.208:1234, 199.34.22.110:1234, 201.160.166.229:80, 201.173.39.121:80, 202.61.203.229:1234, 209.9.155.180:80, 212.235.185.14:80, 212.235.185.14:8080, 217.66.20.140:80, 217.85.239.81:1234, 243.53.79.129:80, 247.37.49.148:80, 253.203.251.97:80, 3.96.149.185:80, 34.245.47.213:80, 34.85.186.96:80, 34.85.186.96:8080, 35.165.157.76:80, 35.165.157.76:8080, 35.174.113.238:80, 35.174.113.238:8080, 36.112.152.152:1234, 45.168.133.250:80, 45.168.133.250:8080, 45.236.200.29:80, 49.233.159.222:80, 50.174.145.58:80, 51.75.146.174:443, 59.1.226.211:1234, 62.195.2.68:1234, 68.111.211.18:80, 8.8.8.8:443, 80.147.162.151:1234, 81.42.96.12:80, 83.186.219.249:80, 85.51.217.156:1234, 9.47.232.167:80 and 91.148.129.240:80
[Port 1234 Scan, Port 80 Scan] Process /var/tmp/apache2 scanned port 80 on 53 IP Addresses
[Access Suspicious Domain, Outgoing Connection] Process /var/tmp/apache2 attempted to access suspicious domains: centurylink.com.ar and googleusercontent.com
[Download and Execute] The file /tmp/libexec was downloaded and executed 4 times
Connection was closed due to timeout