IP Address: 189.217.199.213 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | System File Modification, Scheduled Task Creation, Listening, Executable File Modification, Outgoing Connection, DNS Query, SCP, New SSH Key, Access Suspicious Domain, Service Configuration, Download and Execute, Port 2222 Scan, 8 Shell Commands, Successful SSH Login, Port 22 Scan, SSH, Download File, Download and Allow Execution
Associated Attack Servers | bttracker.debian.org, poneytelecom.eu, 43.62.110.217, 163.172.226.137, 185.202.130.8, 200.121.234.193, 205.97.115.225
IP Address | 189.217.199.213
Domain | -
ISP | izzi
Country | Mexico
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-02-28
Last seen in Akamai Guardicore Segmentation | 2022-04-07
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
/usr/.work//.bash_history was downloaded | Download File
/usr/.work//.bashrc was downloaded | Download File
/usr/.work//work64 was downloaded | Download File
The file /usr/.work/work64 was downloaded and executed 61 times | Download and Execute
Process /usr/.work/work64 started listening on ports: 14747, 5060 and 8012 | Listening
Executable file /usr/bin/wget1 was modified | Executable File Modification
Process /tmp/xmr attempted to access suspicious domains: poneytelecom.eu and xmr.crypto-pool.fr | DNS Query, Access Suspicious Domain, Outgoing Connection
Process /tmp/xmr generated outgoing network traffic to: 163.172.226.137:6666 | Outgoing Connection
System file /etc/rc.local was modified | System File Modification
System file /etc/crontab was modified | System File Modification
Process /usr/.work/work64 generated outgoing network traffic to: 10.32.0.122:22, 10.32.0.122:2222, 10.32.0.230:22, 10.32.0.230:2222, 104.255.67.177:22, 12.173.139.220:22, 12.173.139.220:2222, 122.145.171.244:22, 122.145.171.244:2222, 128.183.76.82:22, 128.183.76.82:2222, 14.228.18.79:22, 14.228.18.79:2222, 142.64.68.178:22, 142.64.68.178:2222, 147.11.57.166:22, 147.11.57.166:2222, 173.134.11.59:22, 173.134.11.59:2222, 177.171.56.157:22, 177.171.56.157:2222, 178.47.230.62:22, 178.47.230.62:2222, 18.104.43.94:22, 18.104.43.94:2222, 182.251.42.142:22, 19.60.86.243:22, 19.60.86.243:2222, 200.121.234.193:22, 200.121.234.193:2222, 200.121.234.193:22222, 200.121.234.193:3389, 200.121.234.193:443, 205.97.115.225:2002, 205.97.115.225:2022, 205.97.115.225:22, 205.97.115.225:222, 205.97.115.225:2222, 205.97.115.225:22222, 205.97.115.225:2223, 205.97.115.225:23, 205.97.115.225:2323, 205.97.115.225:2382, 205.97.115.225:26, 205.97.115.225:3389, 205.97.115.225:4118, 205.97.115.225:443, 205.97.115.225:444, 205.97.115.225:50000, 205.97.115.225:5555, 205.97.115.225:55554, 205.97.115.225:6000, 205.97.115.225:666, 205.97.115.225:7777, 205.97.115.225:8022, 205.97.115.225:830, 205.97.115.225:8888, 205.97.115.225:9000, 205.97.115.225:9090, 205.97.115.225:9999, 217.187.150.46:22, 217.187.150.46:2222, 23.218.236.62:22, 23.218.236.62:2222, 23.48.250.164:22, 23.48.250.164:2222, 40.245.116.76:22, 40.245.116.76:2222, 43.62.110.217:2002, 43.62.110.217:2022, 43.62.110.217:22, 43.62.110.217:222, 43.62.110.217:22222, 43.62.110.217:2223, 43.62.110.217:2323, 43.62.110.217:26, 43.62.110.217:3389, 43.62.110.217:443, 43.62.110.217:444, 43.62.110.217:5555, 43.62.110.217:55554, 43.62.110.217:6000, 43.62.110.217:666, 43.62.110.217:7777, 43.62.110.217:8022, 43.62.110.217:8888, 43.62.110.217:9000, 43.62.110.217:9090, 43.62.110.217:9999, 45.219.154.65:22, 45.219.154.65:2222, 54.98.106.171:22, 54.98.106.171:2222, 62.79.132.83:22, 62.79.132.83:2222, 67.204.243.4:22, 67.204.243.4:2222, 96.214.237.209:22 and 96.214.237.209:2222 | Outgoing Connection
Process /usr/.work/work64 scanned port 2222 on 24 IP Addresses | Port 2222 Scan, Port 22 Scan
Process /usr/.work/work64 scanned port 22 on 24 IP Addresses | Port 2222 Scan, Port 22 Scan
Process /usr/.work/work64 scanned port 2222 on 27 IP Addresses | Port 2222 Scan, Port 22 Scan
Process /usr/.work/work64 scanned port 22 on 27 IP Addresses | Port 2222 Scan, Port 22 Scan
Process /usr/.work/work64 attempted to access suspicious domains: speedy.net.pe | DNS Query, Access Suspicious Domain, Outgoing Connection
Process /usr/.work/work64 attempted to access domains: bttracker.debian.org, dht.transmissionbt.com, router.bittorrent.com and router.utorrent.com | DNS Query
The file /tmp/xmr was downloaded and executed | Download and Execute
Connection was closed due to timeout | -
An attempt to download /root/.ssh/authorized_keys was made | New SSH Key