IP Address: 190.202.144.251 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Port 2222 Scan, Port 22 Scan, Access Suspicious Domain, System File Modification, Executable File Modification, Download File, SSH, DNS Query, New SSH Key, Successful SSH Login, Download and Execute, SCP, 8 Shell Commands, Scheduled Task Creation, Outgoing Connection, Listening, Service Configuration, Download and Allow Execution
Associated Attack Servers: bttracker.debian.org, ip-141-95-206.eu, 10.33.0.73, 130.106.168.148, 140.71.114.130, 141.95.206.77, 209.239.98.62
IP Address: 190.202.144.251
Domain: -
ISP: Cantv
Country: Venezuela, Bolivarian Republic of

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2021-11-24
Last seen in Akamai Guardicore Segmentation: 2022-10-10
What is Akamai Guardicore Segmentation: Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Attack timeline

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Tags: Successful SSH Login

/usr/.work//work64 was downloaded
Tags: Download File

The file /usr/.work/work64 was downloaded and executed 65 times
Tags: Download and Execute

Process /usr/.work/work64 started listening on ports: 14747, 8017 and 8082
Tags: Listening

Executable file /usr/bin/wget1 was modified
Tags: Executable File Modification

The file /tmp/xmr was downloaded and executed 4 times
Tags: Download and Execute

Process /tmp/xmr attempted to access suspicious domains: ip-141-95-206.eu and xmr.crypto-pool.fr
Tags: DNS Query, Access Suspicious Domain, Outgoing Connection

System file /etc/rc.local was modified
Tags: System File Modification

System file /etc/crontab was modified
Tags: System File Modification

Process /tmp/xmr generated outgoing network traffic to: 141.95.206.77:6666
Tags: Outgoing Connection

Process /usr/.work/work64 generated outgoing network traffic to: 10.33.0.40:22, 10.33.0.40:2222, 10.33.0.73:2002, 10.33.0.73:2022, 10.33.0.73:22, 10.33.0.73:222, 10.33.0.73:2222, 10.33.0.73:22222, 10.33.0.73:2223, 10.33.0.73:23, 10.33.0.73:2323, 10.33.0.73:2382, 10.33.0.73:26, 10.33.0.73:3389, 10.33.0.73:4118, 10.33.0.73:443, 10.33.0.73:444, 10.33.0.73:50000, 10.33.0.73:5555, 10.33.0.73:55554, 10.33.0.73:6000, 10.33.0.73:666, 10.33.0.73:7777, 10.33.0.73:8022, 10.33.0.73:830, 10.33.0.73:8888, 10.33.0.73:9000, 10.33.0.73:9090, 10.33.0.73:9999, 109.72.93.169:22, 109.72.93.169:2222, 112.132.27.58:22, 112.132.27.58:2222, 113.140.8.167:22, 113.140.8.167:2222, 120.198.156.150:22, 120.198.156.150:2222, 121.128.87.100:22, 121.128.87.100:2222, 128.236.148.38:22, 128.236.148.38:2222, 130.106.168.148:22, 130.106.168.148:2222, 130.106.168.148:22222, 130.106.168.148:23, 130.106.168.148:3389, 130.106.168.148:443, 130.106.168.148:55554, 130.106.168.148:9000, 130.155.155.120:22, 130.155.155.120:2222, 130.163.104.167:22, 130.163.104.167:2222, 140.71.114.130:2002, 140.71.114.130:2022, 140.71.114.130:222, 140.71.114.130:23, 140.71.114.130:2323, 140.71.114.130:2382, 140.71.114.130:26, 140.71.114.130:4118, 140.71.114.130:444, 140.71.114.130:50000, 140.71.114.130:5555, 140.71.114.130:666, 140.71.114.130:7777, 140.71.114.130:830, 145.126.253.150:22, 145.126.253.150:2222, 159.209.219.82:22, 159.209.219.82:2222, 16.45.196.36:22, 16.45.196.36:2222, 186.67.215.117:22, 186.67.215.117:2222, 188.215.31.255:22, 188.215.31.255:2222, 191.165.195.79:22, 191.165.195.79:2222, 193.141.148.84:22, 193.141.148.84:2222, 198.200.164.146:22, 198.200.164.146:2222, 209.239.98.62:8022, 218.127.175.15:22, 218.127.175.15:2222, 27.39.109.79:22, 34.168.38.112:22, 35.40.235.35:22, 35.40.235.35:2222, 40.180.209.25:22, 40.180.209.25:2222, 44.96.50.6:22, 44.96.50.6:2222, 5.191.238.184:22, 5.191.238.184:2222, 70.126.110.241:2222, 70.224.39.217:22 and 70.224.39.217:2222
Tags: Outgoing Connection

Process /usr/.work/work64 scanned port 2222 on 26 IP Addresses
Tags: Port 2222 Scan, Port 22 Scan

Process /usr/.work/work64 scanned port 2222 on 27 IP Addresses
Tags: Port 2222 Scan, Port 22 Scan

Process /usr/.work/work64 scanned port 22 on 26 IP Addresses
Tags: Port 2222 Scan, Port 22 Scan

Process /usr/.work/work64 scanned port 22 on 27 IP Addresses
Tags: Port 2222 Scan, Port 22 Scan

Process /usr/.work/work64 attempted to access domains: bttracker.debian.org, dht.transmissionbt.com, router.bittorrent.com and router.utorrent.com
Tags: DNS Query

Connection was closed due to timeout

An attempt to download /root/.ssh/authorized_keys was made
Tags: New SSH Key
Files

/usr/.work/work64: SHA256 2d2239acd852e43952bcb14fcdc7485fd804b54df241c077750f5447b55354b7, 4662460 bytes
/tmp/xmr: SHA256 a79bdc2d844a39d7ce7d08ba94bb0200622ff627dc31cc082106118d164b8f6b, 1253668 bytes