IP Address: 157.245.137.18 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
| Field | Value |
|---|---|
| Role | Attacker, Connect-Back, Scanner |
| Services Targeted | SCP, SSH |
| Tags | SSH, Superuser Operation, SCP, Download File, Download and Allow Execution, Successful SSH Login, Download and Execute |
| Associated Attack Servers | 31.14.115.42, 66.70.154.59, 95.154.21.210, 103.90.177.102, 123.132.238.210, 142.44.160.173, 146.56.115.253, 161.35.79.199, 172.64.110.32, 172.64.111.32, 172.64.200.11, 180.97.211.160, 187.6.3.3, 206.189.25.255, 209.216.177.158, 209.216.177.238, 218.23.236.23, 221.181.232.56, 223.171.91.148 |
| IP Address | 157.245.137.18 |
| Domain | - |
| ISP | Datalogic ADC |
| Country | United States |
| WHOIS Created Date | - |
| WHOIS Updated Date | - |
| Organization | - |
| First seen in Akamai Guardicore Segmentation | 2022-07-14 |
| Last seen in Akamai Guardicore Segmentation | 2023-06-16 |
What is Akamai Guardicore Segmentation

Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
| Event | Tags |
|---|---|
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login |
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 3 times | Successful SSH Login |
| A possibly malicious Superuser Operation was detected 18 times | Superuser Operation |
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login |
| The file /tmp/ifconfig was downloaded and executed 5 times | Download and Execute |
| The file /tmp/apache2 was downloaded and executed 117 times | Download and Execute |
| Process /tmp/ifconfig scanned port 1234 on 30 IP Addresses | Port 1234 Scan |
| Process /root/ifconfig scanned port 1234 on 30 IP Addresses | Port 1234 Scan |
| Process /root/apache2 scanned port 1234 on 30 IP Addresses | Port 1234 Scan |
| Process /var/tmp/apache2 scanned port 1234 on 30 IP Addresses 2 times | Port 1234 Scan |
| Process /root/ifconfig scanned port 1234 on 30 IP Addresses | Port 1234 Scan |
| Process /etc/ifconfig scanned port 1234 on 30 IP Addresses | Port 80 Scan, Port 1234 Scan |
| Process /etc/ifconfig scanned port 80 on 30 IP Addresses | Port 80 Scan, Port 1234 Scan |
| Process /etc/ifconfig scanned port 1234 on 34 IP Addresses | Port 80 Scan, Port 1234 Scan |
| Process /tmp/ifconfig started listening on ports: 1234, 8085 and 8180 | Listening |
| Process /tmp/ifconfig generated outgoing network traffic to: 172.64.201.11:443 and 51.75.146.174:443 | Outgoing Connection |
| ./ifconfig was downloaded 2 times | Download File |
| The file /root/ifconfig was downloaded and executed 5 times | Download and Execute |
| Process /root/ifconfig started listening on ports: 1234, 8082, 8180 and 8186 | Listening |
| The file /root/apache2 was downloaded and executed 59 times | Download and Execute |
| Process /root/ifconfig generated outgoing network traffic to: 142.250.191.164:443, 172.64.201.11:443, 218.146.15.97:1234 and 51.75.146.174:443 | Outgoing Connection |
| The file /root/apache2 was downloaded and executed 116 times | Download and Execute |
| The file /root/ifconfig was downloaded and executed 5 times | Download and Execute |
| Process /root/apache2 started listening on ports: 1234, 8085 and 8183 | Listening |
| Process /root/apache2 generated outgoing network traffic to: 172.64.201.11:443 | Outgoing Connection |
| The file /var/tmp/ifconfig was downloaded and executed 5 times | Download and Execute |
| The file /var/tmp/apache2 was downloaded and executed 90 times | Download and Execute |
| Process /var/tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 142.250.191.164:443, 172.64.200.11:443 and 51.75.146.174:443 | Outgoing Connection |
| Process /var/tmp/apache2 started listening on ports: 1234, 8087 and 8180 | Listening |
| The file /var/tmp/ifconfig was downloaded and executed 6 times | Download and Execute |
| The file /var/tmp/apache2 was downloaded and executed 114 times | Download and Execute |
| Process /var/tmp/apache2 started listening on ports: 1234, 8080, 8180 and 8185 | Listening |
| Process /var/tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 103.105.12.48:1234, 142.250.191.164:443, 172.64.201.11:443, 202.61.203.229:1234, 51.75.146.174:443 and 86.133.233.66:1234 | Outgoing Connection |
| The file /root/ifconfig was downloaded and executed 4 times | Download and Execute |
| Process /root/ifconfig started listening on ports: 1234, 8086, 8185 and 8189 | Listening |
| The file /root/apache2 was downloaded and executed 63 times | Download and Execute |
| System file /etc/apache2 was modified 4 times | System File Modification |
| The file /etc/ifconfig was downloaded and executed 5 times | Download and Execute |
| The file /etc/apache2 was downloaded and executed 2874 times | Download and Execute |
| Process /etc/ifconfig started listening on ports: 1234, 8088 and 8184 | Listening |
| Process /etc/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.220.98.197:1234, 103.152.118.20:1234, 103.90.177.102:1234, 104.233.233.8:80, 111.240.63.128:80, 113.131.216.224:80, 114.249.39.173:80, 116.34.6.213:80, 117.54.14.169:1234, 120.236.78.194:1234, 13.37.101.29:80, 139.209.222.134:1234, 141.16.156.27:80, 142.250.191.164:443, 153.53.95.103:80, 161.35.79.199:1234, 172.77.48.4:80, 173.18.35.41:1234, 177.53.185.39:80, 18.34.10.48:80, 185.210.144.122:1234, 190.138.240.233:1234, 190.60.239.44:1234, 191.2.185.16:80, 191.242.188.103:1234, 196.199.232.121:80, 20.141.185.205:1234, 200.144.245.185:80, 206.124.214.98:80, 217.238.83.226:80, 220.190.2.47:80, 220.243.148.80:1234, 222.134.240.92:1234, 223.171.91.160:1234, 223.63.86.45:80, 223.99.166.104:1234, 24.45.128.45:80, 250.16.169.207:80, 27.196.175.93:80, 30.125.224.2:80, 31.19.237.170:1234, 32.107.87.155:80, 45.143.93.109:80, 45.185.115.107:80, 50.71.190.13:80, 51.159.19.47:1234, 52.131.32.110:1234, 58.229.125.66:1234, 59.59.61.52:80, 62.12.106.5:1234, 64.227.132.175:1234, 72.67.176.55:80, 75.104.195.86:80, 81.110.116.7:80, 81.128.167.211:80, 86.133.233.66:1234, 89.212.123.191:1234, 91.235.157.222:80, 92.130.196.177:80, 94.153.165.43:1234 and 95.53.240.133:80 | Outgoing Connection |
| Process /etc/ifconfig scanned port 80 on 34 IP Addresses | Port 80 Scan, Port 1234 Scan |
| Connection was closed due to timeout | - |