IP Address: 167.86.81.240 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
| Field | Value |
|---|---|
| Role | Attacker, Scanner |
| Services Targeted | SCP |
| Tags | Port 2222 Scan, Port 22 Scan, System File Modification, 8 Shell Commands, SSH, Executable File Modification, New SSH Key, SCP, Outgoing Connection, Scheduled Task Creation, Download and Allow Execution, Successful SSH Login, Download and Execute, Download File, Access Suspicious Domain |
| Associated Attack Servers | 37.183.120.85, 60.41.251.125, 90.29.237.177, 141.95.206.77, 208.133.252.225 |
| Field | Value |
|---|---|
| IP Address | 167.86.81.240 |
| Domain | - |
| ISP | Contabo GmbH |
| Country | Germany |
| WHOIS Created Date | - |
| WHOIS Updated Date | - |
| Organization | - |
| First seen in Akamai Guardicore Segmentation | 2022-09-26 |
| Last seen in Akamai Guardicore Segmentation | 2022-10-11 |
| Event | Tags |
|---|---|
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login |
| /usr/.work//123.asm was downloaded | Download File |
| /usr/.work//31714944_172.18.140.24_sec_event_dict.pkl was downloaded | Download File |
| /usr/.work//a.out was downloaded | Download File |
| /usr/.work//alert_descs.csv was downloaded | Download File |
| /usr/.work//alert_descs.xlsx was downloaded | Download File |
| /usr/.work//analysisPath.ipynb was downloaded | Download File |
| /usr/.work//getGraphData.ipynb was downloaded | Download File |
| /usr/.work//graphscopeAnalysis.ipynb was downloaded | Download File |
| /usr/.work//hole_descs.csv was downloaded | Download File |
| /usr/.work//index.html was downloaded | Download File |
| /usr/.work//kworkers was downloaded | Download File |
| /usr/.work//linux_server64 was downloaded | Download File |
| /usr/.work//networkxAnalysis.ipynb was downloaded | Download File |
| /usr/.work//nohup.out was downloaded | Download File |
| /usr/.work//rule_descs.csv was downloaded | Download File |
| /usr/.work//true_rule_descs.csv was downloaded | Download File |
| /usr/.work//upx-3.96-amd64_linux.tar.xz was downloaded | Download File |
| /usr/.work//upx-3.96-arm64_linux.tar.xz was downloaded | Download File |
| /usr/.work//work64 was downloaded | Download File |
| /usr/.work//work64123 was downloaded | Download File |
| /usr/.work//work6412321321 was downloaded | Download File |
| The file /usr/.work/work64 was downloaded and executed 63 times | Download and Execute |
| Process /usr/.work/work64 started listening on ports: 14747, 28796 and 8016 | Listening |
| Executable file /usr/bin/wget1 was modified | Executable File Modification |
| Process /tmp/xmr attempted to access suspicious domains: xmr.crypto-pool.fr | DNS Query, Access Suspicious Domain, Outgoing Connection |
| System file /etc/rc.local was modified | System File Modification |
| System file /etc/crontab was modified | System File Modification |
| Process /tmp/xmr generated outgoing network traffic to: 141.95.206.77:6666 | Outgoing Connection |
| Process /usr/.work/work64 generated outgoing network traffic to: 10.33.0.246:22, 10.33.0.246:2222, 10.33.0.68:22, 10.33.0.68:2222, 105.243.37.251:22, 105.243.37.251:2222, 110.146.121.18:22, 110.146.121.18:2222, 110.4.203.175:22, 110.4.203.175:2222, 126.238.41.235:22, 126.238.41.235:2222, 129.98.69.10:2222, 13.178.247.44:22, 13.178.247.44:2222, 134.22.126.29:22, 134.22.126.29:2222, 136.171.237.8:22, 136.171.237.8:2222, 157.0.214.211:22, 157.0.214.211:2222, 169.61.85.181:22, 169.61.85.181:2222, 197.78.181.49:22, 197.78.181.49:2222, 203.231.89.192:22, 203.231.89.192:2222, 208.133.252.225:2222, 208.133.252.225:22222, 208.133.252.225:2223, 208.133.252.225:2323, 208.133.252.225:3389, 208.133.252.225:443, 208.133.252.225:55554, 208.133.252.225:6000, 208.133.252.225:8022, 208.133.252.225:8888, 208.133.252.225:9000, 208.133.252.225:9090, 208.133.252.225:9999, 212.2.54.181:22, 212.2.54.181:2222, 219.153.85.73:22, 219.153.85.73:2222, 37.183.120.85:2002, 37.183.120.85:2022, 37.183.120.85:222, 37.183.120.85:23, 37.183.120.85:2323, 37.183.120.85:2382, 37.183.120.85:26, 37.183.120.85:4118, 37.183.120.85:444, 37.183.120.85:50000, 37.183.120.85:5555, 37.183.120.85:6000, 37.183.120.85:666, 37.183.120.85:7777, 37.183.120.85:8022, 37.183.120.85:830, 37.183.120.85:8888, 37.183.120.85:9090, 37.183.120.85:9999, 39.63.25.167:22, 39.63.25.167:2222, 52.12.165.61:22, 52.12.165.61:2222, 58.67.13.21:22, 58.67.13.21:2222, 60.41.251.125:22, 60.41.251.125:2222, 60.41.251.125:22222, 60.41.251.125:3389, 60.41.251.125:443, 60.41.251.125:55554, 61.228.86.247:22, 61.228.86.247:2222, 62.218.93.170:22, 62.218.93.170:2222, 84.170.117.140:22, 84.170.117.140:2222, 85.62.153.110:22, 85.62.153.110:2222, 90.29.237.177:2002, 90.29.237.177:2022, 90.29.237.177:222, 90.29.237.177:23, 90.29.237.177:2382, 90.29.237.177:26, 90.29.237.177:4118, 90.29.237.177:444, 90.29.237.177:50000, 90.29.237.177:5555, 90.29.237.177:666, 90.29.237.177:7777, 90.29.237.177:830, 92.60.141.253:22, 92.60.141.253:2222 and 93.73.203.146:2222 | Outgoing Connection |
| Process /usr/.work/work64 scanned port 22 on 24 IP Addresses | Port 22 Scan, Port 2222 Scan |
| Process /usr/.work/work64 scanned port 2222 on 24 IP Addresses | Port 22 Scan, Port 2222 Scan |
| Process /usr/.work/work64 scanned port 22 on 27 IP Addresses | Port 22 Scan, Port 2222 Scan |
| Process /usr/.work/work64 scanned port 2222 on 27 IP Addresses | Port 22 Scan, Port 2222 Scan |
| Process /usr/.work/work64 attempted to access suspicious domains: wanadoo.fr | DNS Query, Access Suspicious Domain, Outgoing Connection |
| Process /usr/.work/work64 attempted to access domains: bttracker.debian.org, dht.transmissionbt.com, router.bittorrent.com and router.utorrent.com | DNS Query |
| Connection was closed due to timeout | |
| An attempt to download /root/.ssh/authorized_keys was made | New SSH Key |
| Field | Value |
|---|---|
| File | /usr/.work/work64 |
| SHA256 | 2d2239acd852e43952bcb14fcdc7485fd804b54df241c077750f5447b55354b7 |
| Size | 4662460 bytes |