IP Address: 159.203.90.161 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
| Role | Attacker, Scanner |
| Services Targeted | SSH, SCP |
| Tags | System File Modification, Download Operation, HTTP, Outgoing Connection, SSH Brute Force, 2 Shell Commands, Access Suspicious Domain, Download and Execute, Successful SSH Login, Log Tampering, SSH, Download File, Download and Allow Execution |
| Associated Attack Servers | 157.230.39.120, 178.128.173.238, 178.128.158.153, 46.101.1.131, 182.74.79.227, 167.71.239.181, 142.93.127.16 |
| IP Address | 159.203.90.161 |
| Domain | - |
| ISP | Digital Ocean |
| Country | United States |
| WHOIS Created Date | - |
| WHOIS Updated Date | - |
| Organization | - |
| First seen in Akamai Guardicore Segmentation | 2019-05-05 |
| Last seen in Akamai Guardicore Segmentation | 2023-10-19 |
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
| Event | Tags |
| A user logged in using SSH with the following credentials: root / ********* - Authentication policy: White List (Part of a Brute Force Attempt) | SSH Brute Force, Successful SSH Login |
| A possibly malicious Download Operation was detected 4 times | Download Operation |
| History File Tampering detected from /bin/bash | Log Tampering |
| Process /bin/bash generated outgoing network traffic to: 178.128.158.153:80 | Outgoing Connection |
| Process /bin/bash attempted to access suspicious domains: archworks.com.br | Outgoing Connection, Access Suspicious Domain |
| The file /tmp/xfly was downloaded and granted execution privileges | Download and Allow Execution |
| The file /tmp/x was downloaded and granted execution privileges | |
| /tmp/.fr/scX.tgz was downloaded | Download File |
| The file /tmp/.fr/.sc/sedQsD8VF was downloaded and granted execution privileges | |
| The file /tmp/.fr/.sc/sedFhNwFI was downloaded and granted execution privileges | |
| The file /tmp/.fr/.sc/run2 was downloaded and granted execution privileges | Download and Allow Execution |
| The file /tmp/.fr/.sc/sedMSqJVO was downloaded and granted execution privileges | Download and Allow Execution |
| The file /tmp/.fr/.sc/sedygTDqO was downloaded and granted execution privileges | |
| A user logged in using SSH with the following credentials: root / ********* - Authentication policy: Correct Password (Part of a Brute Force Attempt) | SSH Brute Force, Successful SSH Login |
| Process /usr/bin/wget generated outgoing network traffic to: 142.93.127.16:80 | Outgoing Connection |
| The file /tmp/.fr/.sc/b was downloaded and executed 126 times | Download and Execute |
| The file /tmp/.fr/.sc/xm64_linux was downloaded and executed 7 times | Download and Execute |
| The file /tmp/.fr/.sc/h64 was downloaded and executed | Download and Execute |
| System file /etc/ld.so.preload was modified 4 times | System File Modification |
| /tmp/px.txt was downloaded | Download File |
| Process /usr/bin/perl generated outgoing network traffic to: 182.74.79.227:3389 | Outgoing Connection |
| Process /usr/local/bin/dash generated outgoing network traffic to: 178.128.158.153:80 | Outgoing Connection |
| Process /usr/local/bin/dash attempted to access suspicious domains: archworks.com.br | Outgoing Connection, Access Suspicious Domain |
| /ts.tgz was downloaded | Download File |
| Connection was closed due to user inactivity | |
| File | SHA256 | Size |
| /tmp/.sc/sn | 137d5cc81137a9490a0a9cdf487ad91c9b3214828e418d69ae081698d4aaa69a | 963697 bytes |
| /tmp/scX.tgz | 32f989ff3221451a6e5c578d2770df8c1c36a1d3bfdd959fa0f77c92cee68f9d | 8214506 bytes |
| /tmp/.fr/scL.tgz | 586cf1876c4ae6c708f94b1f1e2b6e254f1abedc8082d2b8514f442eeb4157f5 | 2132558 bytes |
| /tmp/pax.txt | 851eca767fbe3ac667657717a4abd2e9f7e86db9386f52f65ae4453cb618e913 | 1036 bytes |
| /tmp/pax.txt | b3b1275f5ee8401efd35ecbc55ad25fee7e943ff3c37fadc2d0e0dc33b832cc3 | 37742 bytes |
| /tmp/pax.txt | b698cd03fd5fba64c95e8224635fc80a3729106f744cfce67f97ba9e9558e17c | 7416 bytes |
| /tmp/px.txt | c1c8062c4618811c198e187e974d7d4be784088ff9e9accacc045804a98a4ada | 13168 bytes |