IP Address: 174.4.208.151Previously Malicious
IP Address: 174.4.208.151Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SCP SSH |
Tags |
Outgoing Connection SSH 13 Shell Commands Superuser Operation SCP Download File Download and Allow Execution Port 80 Scan Listening Successful SSH Login Download and Execute Port 1234 Scan |
Associated Attack Servers |
35.236.89.215 49.156.148.140 51.174.61.124 52.252.16.202 59.1.226.211 59.145.216.50 103.90.177.102 103.152.118.20 128.8.238.181 147.182.233.56 172.64.110.32 172.64.200.11 172.64.201.11 219.140.162.82 222.117.95.174 |
IP Address |
174.4.208.151 |
|
Domain |
- |
|
ISP |
Shaw Communications |
|
Country |
Canada |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-06-30 |
Last seen in Akamai Guardicore Segmentation |
2023-01-10 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 12 times |
Superuser Operation |
Process /dev/shm/apache2 scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /dev/shm/apache2 scanned port 1234 on 52 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /usr/sbin/sshd scanned port 1234 on 32 IP Addresses |
Port 1234 Scan |
Process /tmp/ifconfig scanned port 1234 on 32 IP Addresses |
Port 1234 Scan |
Process /root/ifconfig scanned port 1234 on 32 IP Addresses |
Port 1234 Scan |
Process /var/tmp/apache2 scanned port 1234 on 32 IP Addresses |
Port 1234 Scan |
Process /dev/shm/apache2 generated outgoing network traffic to: 1.220.98.197:1234, 103.152.118.20:1234, 103.207.66.38:80, 106.62.223.107:80, 114.77.35.22:80, 116.51.105.72:80, 117.16.44.111:1234, 117.54.14.169:1234, 117.80.212.33:1234, 119.198.113.52:80, 130.69.109.15:80, 131.197.124.121:80, 134.220.115.126:80, 137.138.246.70:80, 139.209.222.134:1234, 142.250.191.228:443, 146.229.181.247:80, 149.97.15.85:80, 151.196.230.141:80, 151.71.42.194:80, 161.107.113.27:1234, 161.58.74.247:80, 161.70.98.32:1234, 163.241.218.215:80, 170.154.154.236:80, 173.124.216.252:80, 18.155.176.74:80, 182.224.177.56:1234, 184.112.157.41:80, 184.83.112.246:1234, 19.8.164.95:80, 190.253.195.2:80, 197.131.229.174:80, 199.224.110.202:80, 20.141.185.205:1234, 200.100.123.100:80, 200.221.236.198:80, 200.23.42.155:80, 200.33.9.120:80, 202.35.45.45:80, 206.189.25.255:1234, 208.198.214.162:80, 21.94.115.205:80, 210.99.20.194:1234, 211.162.184.120:1234, 212.57.36.20:1234, 215.154.192.46:80, 220.243.148.80:1234, 222.103.98.58:1234, 223.171.91.149:1234, 223.92.121.7:80, 245.219.62.37:80, 25.246.135.124:80, 253.87.60.102:80, 27.2.128.75:80, 28.177.170.67:80, 3.166.40.147:80, 3.168.226.100:80, 31.19.237.170:1234, 38.189.165.178:80, 39.175.68.100:1234, 45.120.216.114:1234, 46.13.164.29:1234, 5.217.7.165:80, 51.75.146.174:443, 57.140.169.216:80, 61.77.105.219:1234, 61.84.162.66:1234, 64.2.200.43:80, 64.252.93.20:80, 67.59.47.84:80, 7.170.251.82:80, 71.84.118.188:80, 76.145.177.168:80, 8.14.38.1:80, 81.221.71.109:80, 82.149.112.170:1234, 83.165.225.23:80, 84.204.148.99:1234, 85.105.82.39:1234, 85.39.86.235:80, 86.133.233.66:1234, 89.212.123.191:1234 and 95.154.21.210:1234 |
Outgoing Connection |
Process /dev/shm/apache2 started listening on ports: 1234, 8089 and 8181 |
Listening |
/tmp/ifconfig was downloaded |
Download File |
The file /tmp/apache2 was downloaded and executed 11 times |
Download and Execute |
Process /tmp/ifconfig generated outgoing network traffic to: 172.64.200.11:443 |
Outgoing Connection |
./ifconfig was downloaded |
Download File |
The file /root/ifconfig was downloaded and executed 6 times |
Download and Execute |
Process /root/ifconfig generated outgoing network traffic to: 172.64.200.11:443 |
Outgoing Connection |
/var/tmp/ifconfig was downloaded |
Download File |
The file /var/tmp/apache2 was downloaded and executed 2 times |
Download and Execute |
Process /var/tmp/apache2 generated outgoing network traffic to: 172.64.200.11:443 |
Outgoing Connection |
Process /dev/shm/apache2 scanned port 80 on 52 IP Addresses |
Port 1234 Scan Port 80 Scan |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 18 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 5 times |
Download and Execute |
The file /etc/ifconfig was downloaded and executed 6 times |
Download and Execute |
The file /etc/apache2 was downloaded and executed 15 times |
Download and Execute |
Connection was closed due to timeout |
|
/var/tmp/ifconfig |
SHA256: 8e7cf70465391f66bc440eba9c30c73995725eaa95fe9f8ba9da6ecbe060c085 |
2424832 bytes |