IP Address: 176.28.20.18 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Port 22 Scan, Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers |
IP Address | 176.28.20.18
Domain | -
ISP | Host Europe GmbH
Country | Germany
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-23
Last seen in Akamai Guardicore Segmentation | 2022-04-23
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Event | Tags
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
/dev/shm/ifconfig was downloaded | Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
Process /dev/shm/ifconfig scanned port 22 on 13 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 80 on 13 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 13 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 22 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 22 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig generated outgoing network traffic to multiple external IP:port endpoints | Outgoing Connection
Process /dev/shm/ifconfig started listening on ports: 1234, 8087 and 8188 | Listening
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig attempted to access suspicious domains: irtnet.net, jlccptt.net.cn and t-2.net | Access Suspicious Domain, Outgoing Connection
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Connection was closed due to timeout |
|