IP Address: 171.221.250.155 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP, SSH
Tags | Successful SSH Login, Download and Execute, Download File, Superuser Operation, Download and Allow Execution, SSH, SCP
Associated Attack Servers | cultimording.org.uk, mycingular.net, 41.33.225.65, 43.239.152.144, 43.239.152.158, 46.120.11.197, 52.236.133.183, 64.14.155.198, 67.28.40.177, 103.90.177.102, 105.124.122.188, 107.234.59.55, 139.148.26.70, 145.171.205.120, 150.158.85.157, 191.242.188.103, 213.255.16.156
IP Address | 171.221.250.155
Domain | -
ISP | China Telecom Sichuan
Country | China
WHOIS
Created Date | -
Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-02-23
Last seen in Akamai Guardicore Segmentation | 2022-11-27
What is Akamai Guardicore Segmentation: Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
./ifconfig was downloaded | Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /root/ifconfig was downloaded and executed 6 times | Download and Execute
The file /root/apache2 was downloaded and executed 194 times | Download and Execute
Process /root/ifconfig scanned port 22 on 12 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 80 on 12 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 8080 on 12 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 22 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 22 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig generated outgoing network traffic to: 101.70.215.155:80, 101.70.215.155:8080, 107.227.28.209:2222, 107.35.175.226:80, 107.35.175.226:8080, 11.116.104.106:80, 11.116.104.106:8080, 110.56.7.71:22, 136.66.247.97:22, 141.199.24.155:80, 141.199.24.155:8080, 142.250.191.228:443, 145.26.4.203:80, 145.26.4.203:8080, 147.229.194.153:22, 15.79.213.91:80, 15.79.213.91:8080, 151.117.201.100:80, 151.117.201.100:8080, 152.237.83.234:80, 152.237.83.234:8080, 161.107.113.27:1234, 167.205.159.111:2222, 168.230.43.215:80, 168.230.43.215:8080, 173.240.251.173:80, 173.240.251.173:8080, 175.135.192.71:22, 179.213.75.182:80, 179.213.75.182:8080, 180.109.164.131:1234, 183.48.136.56:80, 183.48.136.56:8080, 188.246.148.17:2222, 190.60.14.48:80, 190.60.14.48:8080, 197.242.91.78:80, 197.242.91.78:8080, 205.175.37.146:22, 22.109.112.39:80, 22.109.112.39:8080, 220.243.148.80:1234, 243.207.43.11:80, 243.207.43.11:8080, 28.140.160.88:80, 28.140.160.88:8080, 29.36.168.13:80, 29.36.168.13:8080, 34.41.55.80:80, 34.41.55.80:8080, 38.34.21.201:80, 38.34.21.201:8080, 46.37.103.230:80, 46.37.103.230:8080, 47.93.228.251:1234, 49.232.205.83:1234, 49.233.176.20:1234, 51.75.146.174:443, 55.217.38.53:22, 57.17.120.75:80, 57.17.120.75:8080, 61.100.147.64:22, 61.188.172.105:22, 61.24.128.85:22, 62.77.212.162:80, 62.77.212.162:8080, 62.86.34.168:80, 62.86.34.168:8080, 63.192.208.151:22, 7.226.129.98:2222, 75.149.114.107:80, 75.149.114.107:8080, 80.232.26.141:80, 80.232.26.141:8080, 83.237.249.79:2222, 89.108.119.250:1234, 89.249.202.5:80, 89.249.202.5:8080, 9.72.30.252:80, 9.72.30.252:8080, 90.8.68.171:80, 90.8.68.171:8080, 91.178.69.223:80, 91.178.69.223:8080, 94.203.108.11:80, 94.203.108.11:8080, 94.215.93.198:80, 94.215.93.198:8080 and 97.110.120.86:22 | Outgoing Connection
Process /root/ifconfig started listening on ports: 1234, 8087 and 8180 | Listening
Process /root/ifconfig attempted to access suspicious domains: mtu-net.ru, mycingular.net, railcommerce.com and vline.pl | Access Suspicious Domain, Outgoing Connection
Process /root/ifconfig scanned port 80 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 8080 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 80 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
The file /usr/bin/free was downloaded and executed | Download and Execute
Process /root/ifconfig scanned port 8080 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
The file /usr/local/bin/dash was downloaded and executed | Download and Execute
The file /root/php-fpm was downloaded and executed 9 times | Download and Execute
The file /root/php-fpm was downloaded and executed 16 times | Download and Execute
The file /root/php-fpm was downloaded and executed 10 times | Download and Execute
The file /root/php-fpm was downloaded and granted execution privileges | Download and Allow Execution
The file /root/php-fpm was downloaded and executed 9 times | Download and Execute
Connection was closed due to timeout
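The timeline above, turned into detection-ready facts as an added worked example (this is not part of the Akamai report and not Guardicore code). The event lines are transcribed from this page, with the long outgoing-traffic entry cut to a handful of endpoints. The script flags dropped binaries that borrow a system tool's name but live outside the standard bin directories (/root/ifconfig, /root/apache2, /root/php-fpm, /usr/local/bin/dash), separates downloads that land inside a real bin directory and therefore replace the genuine tool (/usr/bin/free), and totals the scanning, listening, domain and outgoing-port activity. The regular expressions are an assumption about the report's wording, and the system bin directory list assumes a stock Linux layout.

```python
import re
from collections import Counter

# Event lines transcribed from the report above. The "generated outgoing
# network traffic" entry is cut to a few endpoints; the rest are verbatim.
REPORT_EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List",
    "./ifconfig was downloaded",
    "A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password",
    "A possibly malicious Superuser Operation was detected 2 times",
    "The file /root/ifconfig was downloaded and executed 6 times",
    "The file /root/apache2 was downloaded and executed 194 times",
    "Process /root/ifconfig scanned port 22 on 12 IP Addresses",
    "Process /root/ifconfig scanned port 80 on 12 IP Addresses",
    "Process /root/ifconfig scanned port 8080 on 12 IP Addresses",
    "Process /root/ifconfig scanned port 22 on 32 IP Addresses",
    "Process /root/ifconfig scanned port 22 on 32 IP Addresses",
    "Process /root/ifconfig generated outgoing network traffic to: 101.70.215.155:80, "
    "101.70.215.155:8080, 107.227.28.209:2222, 110.56.7.71:22, 142.250.191.228:443, "
    "161.107.113.27:1234 and 97.110.120.86:22",
    "Process /root/ifconfig started listening on ports: 1234, 8087 and 8180",
    "Process /root/ifconfig attempted to access suspicious domains: mtu-net.ru, mycingular.net, railcommerce.com and vline.pl",
    "Process /root/ifconfig scanned port 80 on 32 IP Addresses",
    "Process /root/ifconfig scanned port 8080 on 32 IP Addresses",
    "Process /root/ifconfig scanned port 80 on 32 IP Addresses",
    "The file /usr/bin/free was downloaded and executed",
    "Process /root/ifconfig scanned port 8080 on 32 IP Addresses",
    "The file /usr/local/bin/dash was downloaded and executed",
    "The file /root/php-fpm was downloaded and executed 9 times",
    "The file /root/php-fpm was downloaded and granted execution privileges",
]

# Assumption: stock Linux layout. A *download* that lands here replaces a real tool.
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}
# Names of legitimate programs that the payloads on this page borrow.
BORROWED_TOOL_NAMES = {"ifconfig", "apache2", "php-fpm", "free", "dash"}

# Patterns are assumptions about the report's phrasing, built from the lines above.
DOWNLOAD_RE = re.compile(r"The file (\S+) was downloaded and (?:executed|granted execution privileges)")
SCAN_RE = re.compile(r"scanned port (\d+) on (\d+) IP Addresses")
LISTEN_RE = re.compile(r"started listening on ports: (.+)$")
DOMAIN_RE = re.compile(r"attempted to access suspicious domains: (.+)$")
OUTGOING_RE = re.compile(r"generated outgoing network traffic to: (.+)$")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def _split_list(text):
    """'a, b and c' -> ['a', 'b', 'c'] (the report's list phrasing)."""
    return [t.strip() for t in re.split(r",\s*|\s+and\s+", text) if t.strip()]


def dropped_executables(lines):
    """Classify each downloaded-and-executed path:
    masquerade - borrowed tool name written outside the system bin dirs
    overwrite  - any download landing inside a system bin dir
    other      - anything else"""
    out = {"masquerade": set(), "overwrite": set(), "other": set()}
    for line in lines:
        m = DOWNLOAD_RE.search(line)
        if not m:
            continue
        path = m.group(1)
        directory, _, name = path.rpartition("/")
        if directory in SYSTEM_BIN_DIRS:
            out["overwrite"].add(path)
        elif name in BORROWED_TOOL_NAMES:
            out["masquerade"].add(path)
        else:
            out["other"].add(path)
    return out


def scan_totals(lines):
    """Targets scanned per port, summed over every scan event."""
    totals = Counter()
    for line in lines:
        m = SCAN_RE.search(line)
        if m:
            totals[int(m.group(1))] += int(m.group(2))
    return dict(totals)


def listening_ports(lines):
    ports = set()
    for line in lines:
        m = LISTEN_RE.search(line)
        if m:
            ports.update(int(p) for p in _split_list(m.group(1)))
    return ports


def contacted_domains(lines):
    domains = set()
    for line in lines:
        m = DOMAIN_RE.search(line)
        if m:
            domains.update(_split_list(m.group(1)))
    return domains


def outgoing_port_counts(lines):
    """Number of endpoints contacted on each destination port."""
    counts = Counter()
    for line in lines:
        m = OUTGOING_RE.search(line)
        if m:
            for _ip, port in ENDPOINT_RE.findall(m.group(1)):
                counts[int(port)] += 1
    return dict(counts)


if __name__ == "__main__":
    print("dropped:", dropped_executables(REPORT_EVENTS))
    print("scan totals:", scan_totals(REPORT_EVENTS))
    print("listening:", listening_ports(REPORT_EVENTS))
    print("domains:", contacted_domains(REPORT_EVENTS))
    print("outgoing ports:", outgoing_port_counts(REPORT_EVENTS))
```

The "overwrite" bucket is the one to act on first during triage: a download into /usr/bin means the real free binary on that host can no longer be trusted, while the "masquerade" paths only need to be collected and hashed. The scan totals (76 targets per port for 22, 80 and 8080 in the transcribed excerpt) and the listener on 1234, 8087 and 8180 are the numbers a segmentation or egress rule would be written against.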
|
/var/tmp/ifconfig | SHA256: 5db96f65e3b497ff9175f2d654627b8ec8c0784a9d95c17f9a9856320ace2af4 | 2195456 bytes
/root/ifconfig | SHA256: 77ef9cc7a7309191d31d6779574d5358ae9a35b9b4ecc29fa2628231b8fb5edb | 2228224 bytes
/tmp/ifconfig | SHA256: b72ef22d2e948b00560f59f991d83cd0d57e26078572d9e8e41ac25c2b06e355 | 1441792 bytes
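A host sweep for the three samples listed above, as an added example that is not part of the report: the three hashes and sizes are taken from this page, everything else (the size prefilter, the directory walk, the helper names) is my own. Because the report gives a size next to each hash, the sweep only hashes regular files whose size equals one of the known sizes, which makes a pass over /tmp, /var/tmp and /root cheap; the trade-off, noted in the usage note, is that a repacked or padded build of the same binary is missed.

```python
import hashlib
import os
import stat

# SHA256 digests and sizes of the three ifconfig samples listed on this page,
# keyed by digest, with the path the report recorded them at.
KNOWN_SAMPLES = {
    "5db96f65e3b497ff9175f2d654627b8ec8c0784a9d95c17f9a9856320ace2af4": ("/var/tmp/ifconfig", 2195456),
    "77ef9cc7a7309191d31d6779574d5358ae9a35b9b4ecc29fa2628231b8fb5edb": ("/root/ifconfig", 2228224),
    "b72ef22d2e948b00560f59f991d83cd0d57e26078572d9e8e41ac25c2b06e355": ("/tmp/ifconfig", 1441792),
}
KNOWN_SIZES = {size for _path, size in KNOWN_SAMPLES.values()}

# Assumption: the drop locations seen on this page are the places worth walking first.
DEFAULT_ROOTS = ["/tmp", "/var/tmp", "/root"]


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the file so multi-megabyte binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def match_digest(digest):
    """(reported path, size) for a known sample digest, else None. Case-insensitive."""
    return KNOWN_SAMPLES.get(digest.lower())


def sweep(roots=DEFAULT_ROOTS, sizes=KNOWN_SIZES):
    """Walk the roots and return (path, digest, reported path) for every regular
    file whose size is one of the known sizes and whose SHA256 is a known sample.
    Symlinks are not followed; unreadable entries are skipped, not fatal."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if not stat.S_ISREG(st.st_mode) or st.st_size not in sizes:
                        continue
                    digest = sha256_file(path)
                except OSError:
                    continue
                found = match_digest(digest)
                if found:
                    hits.append((path, digest, found[0]))
    return hits


if __name__ == "__main__":
    for path, digest, reported in sweep():
        print(f"HIT {path} sha256={digest} (report saw it as {reported})")
```

Run it as root so /root is readable. The size gate is deliberate: it keeps the sweep to a handful of hash computations on a busy host, but it also means a fourth build of the same tool with a different size passes through untouched, so treat a clean result as "none of these three exact samples", not as "no ifconfig masquerade present". The three samples share a name and differ in size, which is exactly why the report lists three hashes for one filename.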