IP Address: 159.75.54.90Previously Malicious
IP Address: 159.75.54.90Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
|
Role |
Attacker, Scanner |
|
Services Targeted |
SCP SSH |
|
Tags |
Port 1234 Scan SSH 7 Shell Commands Listening SCP Port 80 Scan Port 8080 Scan Superuser Operation Outgoing Connection Successful SSH Login Download and Execute Download File |
|
Associated Attack Servers |
59.3.186.45 93.19.55.209 95.154.21.210 98.191.178.139 106.242.134.9 118.41.204.72 118.218.209.149 120.224.34.31 123.132.238.210 124.223.14.100 125.160.115.47 147.135.86.105 147.182.233.56 161.35.79.199 161.70.98.32 162.159.137.232 172.64.110.32 172.64.111.32 172.64.200.11 172.64.201.11 191.242.188.103 206.18.191.74 206.189.25.255 209.216.177.158 218.146.15.97 222.103.98.58 |
|
IP Address |
159.75.54.90 |
|
|
Domain |
- |
|
|
ISP |
Tencent Cloud Computing (Beijing) Co. |
|
|
Country |
China |
|
|
WHOIS |
Created Date |
- |
|
Updated Date |
- |
|
|
Organization |
- |
|
|
First seen in Akamai Guardicore Segmentation |
2022-05-07 |
|
Last seen in Akamai Guardicore Segmentation |
2022-10-25 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
|
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
|
Process /tmp/apache2 scanned port 1234 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /tmp/apache2 scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /tmp/apache2 scanned port 1234 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /tmp/apache2 scanned port 80 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /tmp/apache2 scanned port 8080 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /bin/bash scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
|
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
|
/dev/shm/ifconfig was downloaded |
Download File |
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 3 times |
Successful SSH Login |
|
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
|
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
|
The file /tmp/apache2 was downloaded and executed 159 times |
Download and Execute |
|
Process /tmp/apache2 generated outgoing network traffic to: 101.42.90.177:1234, 103.152.118.20:1234, 103.224.32.124:80, 103.224.32.124:8080, 104.21.75.20:443, 117.80.212.33:1234, 118.218.209.149:1234, 120.224.34.31:1234, 123.132.238.210:1234, 124.223.14.100:1234, 124.73.155.172:80, 124.73.155.172:8080, 129.160.187.6:80, 129.160.187.6:8080, 130.14.85.20:80, 130.14.85.20:8080, 138.232.156.178:80, 138.232.156.178:8080, 14.37.140.176:80, 14.37.140.176:8080, 160.187.41.231:80, 160.187.41.231:8080, 161.35.79.199:1234, 162.122.19.33:80, 164.64.85.18:80, 165.216.47.220:80, 165.216.47.220:8080, 171.67.87.159:80, 171.67.87.159:8080, 172.67.210.60:443, 176.96.172.69:80, 176.96.172.69:8080, 177.26.88.122:80, 177.26.88.122:8080, 182.224.177.56:1234, 183.213.26.13:1234, 184.83.112.246:1234, 187.55.70.120:80, 187.55.70.120:8080, 189.200.32.55:80, 189.200.32.55:8080, 19.150.252.38:80, 19.150.252.38:8080, 191.242.182.210:1234, 193.166.220.155:80, 193.166.220.155:8080, 199.71.15.94:80, 199.71.15.94:8080, 208.197.55.46:80, 209.216.177.158:1234, 211.162.184.120:1234, 216.176.88.65:80, 216.176.88.65:8080, 222.103.98.58:1234, 222.134.240.91:1234, 222.165.136.99:1234, 223.141.244.83:80, 223.141.244.83:8080, 223.171.91.127:1234, 223.171.91.160:1234, 32.230.49.248:80, 32.230.49.248:8080, 37.189.33.143:80, 37.189.33.143:8080, 43.242.247.139:1234, 45.110.173.167:80, 49.54.172.179:80, 49.54.172.179:8080, 5.120.131.58:80, 5.120.131.58:8080, 51.75.146.174:443, 52.131.32.110:1234, 56.229.98.78:80, 56.229.98.78:8080, 67.218.169.184:80, 67.218.169.184:8080, 72.85.158.162:80, 72.85.158.162:8080, 80.147.162.151:1234, 84.204.148.99:1234, 86.133.233.66:1234, 86.208.187.155:80, 86.208.187.155:8080, 9.36.185.50:80, 9.36.185.50:8080, 90.127.38.5:80 and 90.127.38.5:8080 |
Outgoing Connection |
|
Process /tmp/apache2 started listening on ports: 1234, 8081 and 8188 |
Listening |
|
Process /tmp/apache2 scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /tmp/apache2 scanned port 80 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /tmp/apache2 scanned port 8080 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
The file /usr/local/bin/dash was downloaded and executed |
Download and Execute |
|
Process /usr/local/mysql/bin/mysqld started listening on ports: 3306 2 times |
Listening |
|
Connection was closed due to timeout |
|
|
/var/tmp/ifconfig |
SHA256: 003fc3b1c6259d744b011cde32a47e8cb0b00708ebec1465839b9c14279bc70b |
262144 bytes |
|
/var/tmp/ifconfig |
SHA256: 1b40245f21f1cb845b7fdf2428315166a8b1d8d5e1e42cd290cd8e479ed61ad7 |
2129920 bytes |
|
/var/tmp/ifconfig |
SHA256: 2aacc3f6c14a2bd120ce9f7cab7af1f4d3e207bea33d56f02a14f75613a7930c |
786432 bytes |
|
/var/tmp/ifconfig |
SHA256: 2fd96aa6470f930f543ef665fcc62ffa4dfe6646b8f506c11b452a191800285b |
2392064 bytes |
|
/var/tmp/ifconfig |
SHA256: 331f1ead3df8fed58ccf68da781f34b2f228a5c37f3bb245b836a4b49b1cf269 |
557056 bytes |
|
/var/tmp/ifconfig |
SHA256: 8a80c7f19c03dc2a33a1f698b2bf2acf83fb6fd9f7c78a3a66541327a8bf62d4 |
425984 bytes |
|
/var/tmp/ifconfig |
SHA256: 9516639b92dfb73072de6c5220e3ee130547680b8870c9288eccd928de847e35 |
2883584 bytes |
|
/root/ifconfig |
SHA256: b2712bdabd192560eb201c14818ff1368c742242fee50fb164ef9f84142462fc |
2031616 bytes |
© 2023 Akamai Technologies