IP Address: 164.160.35.45 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Successful SSH Login, Download and Execute, Download File, Superuser Operation, Download and Allow Execution, SSH, SCP
Associated Attack Servers: 29.136.55.4, 35.97.123.10, 43.242.247.139, 82.156.210.15, 89.108.119.250, 93.170.92.129, 110.42.209.158, 116.225.43.137, 135.180.40.96, 195.97.64.156, 205.55.249.29, 210.101.83.129
IP Address: 164.160.35.45
Domain: -
ISP: VEONE
Country: Côte d'Ivoire
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-17
Last seen in Akamai Guardicore Segmentation: 2022-04-21
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
./ifconfig was downloaded | Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /root/apache2 was downloaded and executed 200 times | Download and Execute
Process /root/apache2 generated outgoing network traffic to: 101.151.2.209:80, 101.151.2.209:8080, 102.250.131.165:2222, 103.111.211.61:1234, 104.100.115.223:80, 104.100.115.223:8080, 104.131.11.137:80, 104.131.11.137:8080, 104.21.25.86:443, 104.39.107.203:80, 104.39.107.203:8080, 109.253.60.42:22, 112.153.90.247:2222, 112.50.78.63:80, 112.50.78.63:8080, 115.219.12.215:80, 115.219.12.215:8080, 117.55.229.161:80, 117.55.229.161:8080, 12.205.196.206:2222, 120.171.11.131:80, 120.171.11.131:8080, 121.173.18.221:80, 121.173.18.221:8080, 123.207.48.176:80, 123.207.48.176:8080, 129.152.6.35:1234, 135.209.98.224:80, 135.209.98.224:8080, 135.219.184.18:80, 135.219.184.18:8080, 144.228.195.247:80, 144.228.195.247:8080, 147.129.170.150:80, 147.129.170.150:8080, 150.158.85.157:1234, 153.192.32.222:80, 153.192.32.222:8080, 163.16.171.106:2222, 172.67.133.228:443, 174.27.85.201:1234, 175.164.170.225:2222, 177.113.65.16:2222, 18.196.187.49:80, 18.196.187.49:8080, 180.29.124.20:2222, 19.220.245.105:80, 19.220.245.105:8080, 191.100.75.150:80, 191.100.75.150:8080, 194.248.169.38:80, 194.248.169.38:8080, 197.97.150.1:80, 197.97.150.1:8080, 2.206.10.68:80, 2.206.10.68:8080, 20.141.185.205:1234, 201.119.233.113:80, 201.119.233.113:8080, 201.136.93.245:80, 201.136.93.245:8080, 212.182.10.146:2222, 240.2.35.38:80, 240.2.35.38:8080, 248.59.72.46:80, 248.59.72.46:8080, 253.108.243.164:2222, 32.96.99.115:80, 32.96.99.115:8080, 36.20.81.225:80, 36.20.81.225:8080, 41.109.61.195:22, 49.232.205.83:1234, 51.75.146.174:443, 53.24.58.5:80, 53.24.58.5:8080, 54.170.225.41:80, 54.170.225.41:8080, 57.32.64.185:80, 57.32.64.185:8080, 62.12.106.6:1234, 70.20.46.215:2222, 75.42.206.33:2222, 76.7.243.83:80, 76.7.243.83:8080, 80.41.14.80:22, 86.78.245.13:80, 86.78.245.13:8080 and 98.128.166.176:22 | Outgoing Connection
Process /root/apache2 started listening on ports: 1234, 8080 and 8181 | Listening
Process /root/apache2 scanned port 80 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 80 on 11 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 8080 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 2222 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 attempted to access suspicious domains: as13285.net, bahnhof.se and qwest.net | Access Suspicious Domain, Outgoing Connection
Process /root/apache2 scanned port 8080 on 11 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 2222 on 11 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
The file /usr/bin/uptime was downloaded and executed | Download and Execute
The file /root/php-fpm was downloaded and executed 28 times | Download and Execute
The file /usr/local/bin/dash was downloaded and executed | Download and Execute
The file /root/php-fpm was downloaded and executed 15 times | Download and Execute
The file /root/php-fpm was downloaded and executed 12 times | Download and Execute
The file /root/php-fpm was downloaded and executed 2 times | Download and Execute
Connection was closed due to timeout