IP Address: 162.212.157.185 - Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Successful SSH Login, Executable File Modification, Scheduled Task Creation, New SSH Key, Port 22 Scan, Service Configuration, Outgoing Connection, DNS Query, 8 Shell Commands, Listening, Port 2222 Scan, SSH, SCP, System File Modification, Download and Allow Execution, Download and Execute, Download File
Associated Attack Servers | 109.129.49.116, 122.51.21.126, 141.95.206.77, 158.10.139.123, 206.150.24.224
IP Address | 162.212.157.185
Domain | -
ISP | tzulo
Country | United States
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-07-14
Last seen in Akamai Guardicore Segmentation | 2022-07-23
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
/usr/.work//.bash_history was downloaded |
Download File |
/usr/.work//.bashrc was downloaded |
Download File |
/usr/.work//work64 was downloaded |
Download File |
The file /usr/.work/work64 was downloaded and executed 61 times |
Download and Execute |
Process /usr/.work/work64 started listening on ports: 14747, 8000 and 8016 |
Listening |
Executable file /usr/bin/wget1 was modified |
Executable File Modification |
The file /tmp/xmr was downloaded and executed 6 times |
Download and Execute |
System file /etc/rc.local was modified |
System File Modification |
System file /etc/crontab was modified |
System File Modification |
Process /tmp/xmr generated outgoing network traffic to: 141.95.206.77:6666 |
Outgoing Connection |
Process /usr/.work/work64 generated outgoing network traffic to: 10.33.0.137:22, 10.33.0.137:2222, 10.33.0.191:22, 10.33.0.191:2222, 107.12.215.19:22, 107.12.215.19:2222, 107.143.91.106:22, 107.143.91.106:2222, 109.129.49.116:8022, 115.170.225.131:22, 115.170.225.131:2222, 122.51.21.126:2002, 122.51.21.126:2022, 122.51.21.126:222, 122.51.21.126:22222, 122.51.21.126:2223, 122.51.21.126:23, 122.51.21.126:2323, 122.51.21.126:2382, 122.51.21.126:26, 122.51.21.126:3389, 122.51.21.126:4118, 122.51.21.126:443, 122.51.21.126:444, 122.51.21.126:50000, 122.51.21.126:5555, 122.51.21.126:55554, 122.51.21.126:6000, 122.51.21.126:666, 122.51.21.126:7777, 122.51.21.126:8022, 122.51.21.126:830, 122.51.21.126:8888, 122.51.21.126:9000, 122.51.21.126:9090, 122.51.21.126:9999, 124.50.107.61:22, 124.50.107.61:2222, 126.12.230.236:22, 126.12.230.236:2222, 153.17.120.55:22, 153.17.120.55:2222, 155.34.216.111:22, 155.34.216.111:2222, 158.10.139.123:22, 158.10.139.123:2222, 158.10.139.123:22222, 158.10.139.123:2223, 158.10.139.123:3389, 158.10.139.123:443, 158.10.139.123:55554, 158.10.139.123:8022, 158.10.139.123:8888, 158.10.139.123:9000, 158.10.139.123:9090, 16.27.249.218:22, 16.27.249.218:2222, 162.15.151.38:22, 162.15.151.38:2222, 163.13.243.144:22, 163.13.243.144:2222, 167.129.163.222:22, 167.129.163.222:2222, 176.10.7.23:22, 176.10.7.23:2222, 188.164.54.145:22, 188.164.54.145:2222, 206.150.24.224:22, 206.150.24.224:2222, 206.150.24.224:22222, 206.150.24.224:3389, 206.150.24.224:443, 208.150.117.100:22, 208.150.117.100:2222, 37.125.84.123:22, 37.125.84.123:2222, 38.124.185.72:22, 38.124.185.72:2222, 42.121.51.107:22, 42.121.51.107:2222, 42.75.251.45:22, 42.75.251.45:2222, 5.131.60.78:22, 5.131.60.78:2222, 53.154.188.180:22, 53.154.188.180:2222, 63.234.207.11:22, 63.234.207.11:2222, 65.168.218.234:22, 65.168.218.234:2222, 73.27.196.10:22, 73.27.196.10:2222, 73.39.190.179:22, 73.39.190.179:2222, 77.130.23.123:22, 77.130.23.123:2222, 85.167.189.108:22, 85.167.189.108:2222 and 92.11.81.152:22 |
Outgoing Connection |
Process /usr/.work/work64 scanned port 22 on 31 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /usr/.work/work64 scanned port 2222 on 31 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /usr/.work/work64 scanned port 22 on 30 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /usr/.work/work64 scanned port 2222 on 30 IP Addresses |
Port 22 Scan Port 2222 Scan |
Process /usr/.work/work64 attempted to access domains: bttracker.debian.org, dht.transmissionbt.com, router.bittorrent.com and router.utorrent.com |
DNS Query |
Connection was closed due to timeout |
|
An attempt to download /root/.ssh/authorized_keys was made |
New SSH Key |
/usr/.work/work64 |
SHA256: 2d2239acd852e43952bcb14fcdc7485fd804b54df241c077750f5447b55354b7 |
4662460 bytes |
/tmp/xmr |
SHA256: a79bdc2d844a39d7ce7d08ba94bb0200622ff627dc31cc082106118d164b8f6b |
1253668 bytes |