IP Address: 177.248.203.87 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP
Tags: System File Modification, Scheduled Task Creation, Listening, Outgoing Connection, DNS Query, SCP, New SSH Key, Access Suspicious Domain, Inbound HTTP Request, Download and Execute, Port 2222 Scan, 8 Shell Commands, Successful SSH Login, Port 22 Scan, SSH, Download File, Download and Allow Execution
Associated Attack Servers: bttracker.debian.org, poneytelecom.eu, spcsdns.net, 10.33.0.185, 113.24.149.58, 117.184.119.10, 163.172.226.137, 184.246.29.27, 185.202.130.8
IP Address: 177.248.203.87
Domain: -
ISP: Cablevision S.A. de C.V.
Country: Mexico

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2022-02-09
Last seen in Akamai Guardicore Segmentation: 2022-02-09
What is Akamai Guardicore Segmentation

Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List [Successful SSH Login]
/usr/.work//.bash_history was downloaded [Download File]
/usr/.work//config.json was downloaded [Download File]
/usr/.work//heartalive.lock was downloaded [Download File]
/usr/.work//tmp.f9F5g2gAHz was downloaded [Download File]
/usr/.work//work64 was downloaded [Download File]
/usr/.work//xmr was downloaded [Download File]
/usr/.work//yum.log was downloaded [Download File]
The file /usr/.work/work64 was downloaded and executed 65 times [Download and Execute]
Process /usr/.work/work64 started listening on ports: 14747, 8000 and 8015 [Listening]
Executable file /usr/bin/wget1 was modified [Executable File Modification]
The file /tmp/xmr was downloaded and executed 8 times [Download and Execute]
System file /etc/rc.local was modified [System File Modification]
System file /etc/crontab was modified [System File Modification]
Process /tmp/xmr attempted to access suspicious domains: poneytelecom.eu and xmr.crypto-pool.fr [DNS Query, Access Suspicious Domain, Outgoing Connection]
Process /tmp/xmr generated outgoing network traffic to: 163.172.226.137:6666 [Outgoing Connection]
Process /usr/.work/work64 generated outgoing network traffic to: 1.221.24.122:22, 1.221.24.122:2222, 10.33.0.185:2002, 10.33.0.185:2022, 10.33.0.185:22, 10.33.0.185:222, 10.33.0.185:2222, 10.33.0.185:22222, 10.33.0.185:2223, 10.33.0.185:23, 10.33.0.185:2323, 10.33.0.185:2382, 10.33.0.185:26, 10.33.0.185:3389, 10.33.0.185:4118, 10.33.0.185:443, 10.33.0.185:444, 10.33.0.185:50000, 10.33.0.185:5555, 10.33.0.185:55554, 10.33.0.185:6000, 10.33.0.185:666, 10.33.0.185:7777, 10.33.0.185:8022, 10.33.0.185:830, 10.33.0.185:8888, 10.33.0.185:9000, 10.33.0.185:9090, 10.33.0.185:9999, 10.33.0.96:22, 10.33.0.96:2222, 101.108.245.140:22, 101.108.245.140:2222, 101.112.244.201:22, 101.112.244.201:2222, 103.72.38.67:22, 103.72.38.67:2222, 113.24.149.58:23, 113.24.149.58:2382, 113.24.149.58:26, 113.24.149.58:4118, 113.24.149.58:50000, 113.24.149.58:830, 133.205.232.189:22, 133.205.232.189:2222, 135.117.92.174:22, 135.117.92.174:2222, 136.66.43.251:22, 136.66.43.251:2222, 140.40.21.150:2222, 153.204.69.65:22, 153.204.69.65:2222, 154.145.104.176:22, 154.145.104.176:2222, 170.186.108.188:22, 170.186.108.188:2222, 173.52.239.28:22, 173.52.239.28:2222, 182.99.23.246:22, 182.99.23.246:2222, 184.246.29.27:2002, 184.246.29.27:2022, 184.246.29.27:22, 184.246.29.27:222, 184.246.29.27:2222, 184.246.29.27:22222, 184.246.29.27:2223, 184.246.29.27:23, 184.246.29.27:2323, 184.246.29.27:2382, 184.246.29.27:26, 184.246.29.27:3389, 184.246.29.27:4118, 184.246.29.27:443, 184.246.29.27:444, 184.246.29.27:50000, 184.246.29.27:5555, 184.246.29.27:55554, 184.246.29.27:6000, 184.246.29.27:666, 184.246.29.27:7777, 184.246.29.27:8022, 184.246.29.27:830, 184.246.29.27:8888, 184.246.29.27:9000, 184.246.29.27:9090, 184.246.29.27:9999, 185.7.101.145:22, 185.7.101.145:2222, 203.163.224.15:22, 203.163.224.15:2222, 35.137.206.20:22, 35.137.206.20:2222, 63.4.36.28:22, 63.4.36.28:2222, 8.34.36.65:22, 8.34.36.65:2222, 98.251.214.98:22 and 98.251.214.98:2222 [Outgoing Connection]
Process /usr/.work/work64 scanned port 2222 on 22 IP Addresses [Port 2222 Scan, Port 22 Scan]
Process /usr/.work/work64 scanned port 22 on 22 IP Addresses [Port 2222 Scan, Port 22 Scan]
Process /usr/.work/work64 scanned port 2222 on 21 IP Addresses [Port 2222 Scan, Port 22 Scan]
Process /usr/.work/work64 scanned port 22 on 21 IP Addresses [Port 2222 Scan, Port 22 Scan]
Process /usr/.work/work64 attempted to access suspicious domains: spcsdns.net [DNS Query, Access Suspicious Domain, Outgoing Connection]
Process /usr/.work/work64 attempted to access domains: bttracker.debian.org, dht.transmissionbt.com, router.bittorrent.com and router.utorrent.com [DNS Query]
Connection was closed due to timeout

An attempt to download /root/.ssh/authorized_keys was made [New SSH Key]