IP Address: 155.248.240.205 - Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
| Field | Value |
| --- | --- |
| Role | Attacker, Scanner |
| Services Targeted | SCP, SSH |
| Tags | Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution |
| Associated Attack Servers | 5.5.8.117, 13.132.173.77, 18.232.56.248, 25.18.178.65, 28.88.120.3, 31.19.237.170, 34.54.173.129, 42.192.204.53, 45.120.216.114, 46.59.135.104, 47.112.193.151, 49.36.202.128, 51.181.196.10, 53.169.210.120, 64.162.123.117, 65.83.65.99, 66.228.28.19, 74.81.199.37, 75.242.135.166, 76.243.81.237, 77.157.117.186, 78.92.170.193, 80.232.8.76, 81.70.44.138, 83.135.103.145, 90.154.190.151, 95.71.205.141, 97.28.215.112, 98.56.31.21, 98.121.4.228 |
| IP Address | 155.248.240.205 |
| Domain | - |
| ISP | Oracle Public Cloud |
| Country | United States |
| WHOIS Created Date | - |
| WHOIS Updated Date | - |
| Organization | - |
| First seen in Akamai Guardicore Segmentation | 2022-03-23 |
| Last seen in Akamai Guardicore Segmentation | 2022-03-29 |
What is Akamai Guardicore Segmentation

Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
| Event | Tags |
| --- | --- |
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login |
| ./ifconfig was downloaded | Download File |
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password (2 times) | Successful SSH Login |
| A possibly malicious Superuser Operation was detected (2 times) | Superuser Operation |
| The file /root/ifconfig was downloaded and executed (5 times) | Download and Execute |
| Process /root/apache2 scanned port 22 on 10 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan |
| Process /root/apache2 scanned port 22 on 32 IP Addresses (2 times) | Port 22 Scan, Port 80 Scan, Port 8080 Scan |
| Process /root/apache2 scanned port 80 on 10 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan |
| Process /root/apache2 scanned port 8080 on 10 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan |
| The file /root/apache2 was downloaded and executed (195 times) | Download and Execute |
| Process /root/apache2 generated outgoing network traffic to: 100.79.105.241:80, 100.79.105.241:8080, 100.90.124.132:2222, 101.35.250.231:1234, 104.21.25.86:443, 105.153.230.2:80, 105.153.230.2:8080, 105.241.239.93:80, 105.241.239.93:8080, 107.220.20.59:80, 107.220.20.59:8080, 109.232.126.44:80, 109.232.126.44:8080, 109.47.44.97:80, 109.47.44.97:8080, 110.68.135.202:2222, 112.238.222.177:80, 112.238.222.177:8080, 12.23.46.220:1234, 120.236.74.234:1234, 120.61.69.189:80, 120.61.69.189:8080, 122.175.75.13:80, 122.175.75.13:8080, 128.24.1.128:22, 130.69.167.91:80, 130.69.167.91:8080, 133.154.99.150:80, 133.154.99.150:8080, 136.48.130.151:80, 136.48.130.151:8080, 136.55.104.171:2222, 142.86.148.57:80, 142.86.148.57:8080, 15.141.46.64:80, 15.141.46.64:8080, 157.130.207.26:1234, 167.213.138.146:80, 167.213.138.146:8080, 17.89.53.160:80, 17.89.53.160:8080, 172.67.133.228:443, 18.63.196.30:2222, 20.121.120.137:22, 202.17.80.251:22, 210.127.231.171:2222, 214.91.155.55:80, 214.91.155.55:8080, 220.199.114.244:22, 24.8.126.51:80, 24.8.126.51:8080, 240.194.220.125:22, 241.104.15.219:80, 241.104.15.219:8080, 242.67.69.40:80, 242.67.69.40:8080, 248.208.183.3:22, 25.85.208.188:80, 25.85.208.188:8080, 252.2.25.176:80, 252.2.25.176:8080, 35.182.195.4:80, 35.182.195.4:8080, 38.131.161.202:80, 38.131.161.202:8080, 43.210.75.28:80, 43.210.75.28:8080, 45.46.47.107:80, 45.46.47.107:8080, 47.93.228.251:1234, 48.108.64.234:2222, 49.52.154.54:80, 49.52.154.54:8080, 5.232.184.188:22, 51.75.146.174:443, 64.117.176.180:2222, 66.80.67.176:80, 66.80.67.176:8080, 69.82.40.135:80, 69.82.40.135:8080, 69.92.33.112:22, 89.85.195.75:80, 89.85.195.75:8080, 91.80.135.179:1234, 95.105.28.44:22, 98.25.73.209:80, 98.25.73.209:8080, 98.27.204.165:80 and 98.27.204.165:8080 | Outgoing Connection |
| Process /root/apache2 started listening on ports: 1234, 8088 and 8185 | Listening |
| Process /root/apache2 scanned port 80 on 32 IP Addresses (2 times) | Port 22 Scan, Port 80 Scan, Port 8080 Scan |
| Process /root/apache2 scanned port 8080 on 32 IP Addresses (2 times) | Port 22 Scan, Port 80 Scan, Port 8080 Scan |
| Process /root/apache2 attempted to access suspicious domains: alter.net | Access Suspicious Domain, Outgoing Connection |
| The file /usr/local/bin/dash was downloaded and executed | Download and Execute |
| The file /root/php-fpm was downloaded and executed (11 times) | Download and Execute |
| The file /root/php-fpm was downloaded and executed (35 times) | Download and Execute |
| The file /root/php-fpm was downloaded and executed (16 times) | Download and Execute |
| The file /root/php-fpm was downloaded and granted execution privileges | Download and Allow Execution |
| Connection was closed due to timeout | - |