IP Address: 157.0.93.203 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Download File; SSH; Superuser Operation; Successful SSH Login; Download and Execute; SCP; Download and Allow Execution
Associated Attack Servers: attdns.com, cultimording.org.uk, digimobil.es, gvt.net.br, innovatelekom.com, panda-world.ne.jp, pkje32x1.cn, tigo.com.co, triple-it.nl, 5.50.107.8, 9.252.138.172, 28.61.248.156, 36.84.63.238, 37.102.231.211, 41.228.22.107, 42.231.28.11, 43.252.220.75, 45.83.9.228, 55.82.100.57, 58.221.44.158, 59.108.161.109, 61.207.133.158, 69.83.119.41, 70.224.199.125, 79.116.86.147, 79.149.27.83, 81.70.246.81, 83.204.196.137, 87.243.69.99, 90.229.16.93, 93.187.12.25, 94.23.211.110, 101.43.3.32, 103.141.246.254, 105.225.204.42, 106.165.2.51, 106.196.104.133, 110.40.169.154, 113.56.134.60
IP Address: 157.0.93.203
Domain: -
ISP: China Unicom Liaoning
Country: China
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-03-24
Last seen in Akamai Guardicore Segmentation: 2022-03-29
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: White List)
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: Correct Password)
Superuser Operation: A possibly malicious superuser operation was detected 2 times
Download and Execute: The file /var/tmp/ifconfig was downloaded and executed 6 times
Download and Execute: The file /var/tmp/apache2 was downloaded and executed 190 times
Outgoing Connection: Process /var/tmp/ifconfig generated outgoing network traffic to: 101.195.151.198:80, 101.195.151.198:8080, 101.43.152.105:1234, 102.159.196.100:2222, 102.218.217.179:80, 102.218.217.179:8080, 104.21.25.86:443, 105.222.134.246:80, 105.222.134.246:8080, 113.118.24.168:1234, 113.206.247.53:80, 113.206.247.53:8080, 115.229.126.59:80, 115.229.126.59:8080, 117.18.66.166:22, 118.133.88.5:2222, 12.153.109.95:80, 12.153.109.95:8080, 120.35.85.59:2222, 123.12.185.121:1234, 123.183.35.253:80, 123.183.35.253:8080, 123.85.7.13:80, 123.85.7.13:8080, 126.227.37.120:2222, 138.115.208.224:80, 138.115.208.224:8080, 143.95.137.206:80, 143.95.137.206:8080, 149.148.69.24:80, 149.148.69.24:8080, 15.84.112.87:80, 15.84.112.87:8080, 154.219.51.190:80, 154.219.51.190:8080, 162.118.250.5:80, 162.118.250.5:8080, 165.100.179.134:2222, 165.26.250.161:80, 165.26.250.161:8080, 172.67.133.228:443, 175.210.206.27:22, 175.245.149.161:80, 175.245.149.161:8080, 178.58.39.97:80, 178.58.39.97:8080, 180.38.139.206:80, 180.38.139.206:8080, 182.224.177.56:1234, 183.29.174.68:2222, 192.18.139.106:1234, 195.90.209.86:1234, 20.23.184.177:80, 20.23.184.177:8080, 206.143.208.218:2222, 21.188.140.103:80, 21.188.140.103:8080, 211.140.47.22:80, 211.140.47.22:8080, 211.6.156.20:2222, 242.73.154.226:22, 244.11.12.231:80, 244.11.12.231:8080, 247.21.209.45:80, 247.21.209.45:8080, 3.82.70.243:80, 3.82.70.243:8080, 36.57.41.112:80, 36.57.41.112:8080, 38.216.42.4:80, 38.216.42.4:8080, 45.120.216.114:1234, 5.52.44.233:2222, 51.208.169.111:2222, 51.75.146.174:443, 52.223.203.205:22, 61.207.152.227:80, 61.207.152.227:8080, 66.143.191.116:80, 66.143.191.116:8080, 67.130.15.228:22, 71.154.229.211:80, 71.154.229.211:8080, 8.162.88.75:80, 8.162.88.75:8080, 93.180.91.197:80, 93.180.91.197:8080, 98.106.226.196:80 and 98.106.226.196:8080
Access Suspicious Domain, Outgoing Connection: Process /var/tmp/ifconfig attempted to access suspicious domains: 1blu.de, adsl, as4646.net and qwest.net
Port 80 Scan, Port 8080 Scan, Port 2222 Scan: Process /var/tmp/ifconfig scanned port 80 on 32 IP addresses, 2 times
Port 80 Scan, Port 8080 Scan, Port 2222 Scan: Process /var/tmp/ifconfig scanned port 80 on 10 IP addresses
Port 80 Scan, Port 8080 Scan, Port 2222 Scan: Process /var/tmp/ifconfig scanned port 8080 on 32 IP addresses, 2 times
Port 80 Scan, Port 8080 Scan, Port 2222 Scan: Process /var/tmp/ifconfig scanned port 2222 on 32 IP addresses, 2 times
Port 80 Scan, Port 8080 Scan, Port 2222 Scan: Process /var/tmp/ifconfig scanned port 8080 on 10 IP addresses
Port 80 Scan, Port 8080 Scan, Port 2222 Scan: Process /var/tmp/ifconfig scanned port 2222 on 10 IP addresses
Download and Execute: The file /usr/bin/free was downloaded and executed
Download and Execute: The file /var/tmp/php-fpm was downloaded and executed 16 times
Download and Execute: The file /var/tmp/php-fpm was downloaded and executed 26 times
Download and Execute: The file /var/tmp/php-fpm was downloaded and executed 24 times
Connection was closed due to timeout
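The timeline above is a compact intrusion chain: an SSH login as root, payloads copied in over SCP under the names of ordinary system binaries (ifconfig, apache2, php-fpm) into the world-writable /var/tmp, one payload written over /usr/bin/free itself, and the dropped /var/tmp/ifconfig then sweeping ports 80, 8080 and 2222 across dozens of hosts. The script below is an added example of detection logic for exactly those three behaviours; it is not the sensor's code or the Guardicore export format. The event records, their field names, the timestamps and the 198.51.100.0/24 sweep targets are all constructed for the example, and the list of system binary names is an assumed watch list.

```python
"""Detect the three behaviours in this incident over constructed events:
masquerading binaries in temp dirs, download-then-execute chains, and port sweeps.
Added example; event schema is an assumption, not the sensor's format."""
from collections import defaultdict
from datetime import datetime, timedelta
import os

TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
PROTECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# Assumed watch list: names the incident's payloads borrowed, plus a few common ones.
SYSTEM_BIN_NAMES = {"ifconfig", "apache2", "php-fpm", "free", "sshd", "crond"}


def build_sample_events():
    """Constructed events modelled on the page's timeline (not real sensor data)."""
    base = datetime.fromisoformat("2022-03-24T10:00:00")
    s = lambda n: base + timedelta(seconds=n)
    ev = [
        {"ts": s(0), "type": "ssh_login", "user": "root", "src": "157.0.93.203"},
        {"ts": s(5), "type": "file_write", "path": "/var/tmp/ifconfig", "via": "scp"},
        {"ts": s(6), "type": "chmod", "path": "/var/tmp/ifconfig", "mode": "0755"},
        {"ts": s(7), "type": "exec", "path": "/var/tmp/ifconfig"},
        {"ts": s(40), "type": "file_write", "path": "/usr/bin/free", "via": "scp"},
        {"ts": s(41), "type": "exec", "path": "/usr/bin/free"},
        {"ts": s(45), "type": "file_write", "path": "/var/tmp/php-fpm", "via": "scp"},
        {"ts": s(46), "type": "exec", "path": "/var/tmp/php-fpm"},
        # Benign noise: a packaged daemon and one outbound call from a real tool.
        {"ts": s(50), "type": "exec", "path": "/usr/sbin/sshd"},
        {"ts": s(55), "type": "connect", "proc": "/usr/bin/curl", "dst": "203.0.113.9", "port": 443},
    ]
    # The dropped binary sweeps 32 hosts on 80/8080/2222 (TEST-NET-2 addresses, constructed).
    for i in range(32):
        for port in (80, 8080, 2222):
            ev.append({"ts": s(10 + i), "type": "connect", "proc": "/var/tmp/ifconfig",
                       "dst": f"198.51.100.{i + 1}", "port": port})
    return sorted(ev, key=lambda e: e["ts"])


def masquerading_execs(events):
    """Executables run from a world-writable temp dir under a system binary's name."""
    return [e["path"] for e in events
            if e["type"] == "exec" and e["path"].startswith(TEMP_DIRS)
            and os.path.basename(e["path"]) in SYSTEM_BIN_NAMES]


def download_then_execute(events, window=timedelta(minutes=5)):
    """Paths written over SCP and executed within `window` (the 'Download and
    Execute' pattern). Writes into package-managed dirs are returned separately:
    a replaced /usr/bin/free is invisible to any path-based masquerade check."""
    writes, chains, replaced = {}, [], []
    for e in events:
        if e["type"] == "file_write" and e.get("via") == "scp":
            writes[e["path"]] = e["ts"]
            if e["path"].startswith(PROTECTED_DIRS):
                replaced.append(e["path"])
        elif e["type"] == "exec" and e["path"] in writes:
            if e["ts"] - writes[e["path"]] <= window:
                chains.append(e["path"])
    return chains, replaced


def port_sweeps(events, min_targets=10, window=timedelta(seconds=60)):
    """(process, port) pairs that reached >= min_targets distinct hosts inside
    any `window`-long interval; value is the largest such target count."""
    by_key = defaultdict(list)
    for e in events:
        if e["type"] == "connect":
            by_key[(e["proc"], e["port"])].append((e["ts"], e["dst"]))
    sweeps = {}
    for key, conns in by_key.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            targets = {dst for t, dst in conns[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                sweeps[key] = max(sweeps.get(key, 0), len(targets))
    return sweeps


if __name__ == "__main__":
    evs = build_sample_events()
    print("masquerading execs:", masquerading_execs(evs))
    chains, replaced = download_then_execute(evs)
    print("download->execute:", chains, "| replaced system binaries:", replaced)
    for (proc, port), n in sorted(port_sweeps(evs).items()):
        print(f"sweep: {proc} hit port {port} on {n} hosts")
```

The path-based masquerade check catches /var/tmp/ifconfig and /var/tmp/php-fpm but, by design, not /usr/bin/free, which the attacker overwrote in place; that case only surfaces through the SCP write into a package-managed directory, and on a real host it should be confirmed with the package manager's integrity check (debsums on Debian-family systems, rpm -V on RPM-based ones) rather than by file name. The sweep threshold of 10 hosts per minute is an assumption to tune per environment; the page's /var/tmp/ifconfig reached 32 hosts on each of the three ports.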
|