IP Address: 190.97.247.148 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP
Tags: System File Modification, Scheduled Task Creation, Listening, Executable File Modification, Outgoing Connection, DNS Query, SCP, New SSH Key, Service Configuration, Access Suspicious Domain, Download and Execute, Port 2222 Scan, 8 Shell Commands, Successful SSH Login, Port 22 Scan, SSH, Download File, Download and Allow Execution
Associated Attack Servers: bttracker.debian.org, mycingular.net, poneytelecom.eu, 23.180.238.240, 44.199.174.173, 107.244.162.14, 163.172.226.137, 185.202.130.8
IP Address: 190.97.247.148
Domain: -
ISP: NetLink América C.A.
Country: Venezuela, Bolivarian Republic of
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-01-05
Last seen in Akamai Guardicore Segmentation: 2022-01-05
A user logged in using SSH with the following credentials: root / ***** - Authentication policy: Reached Max Attempts
Tags: Successful SSH Login

/usr/.work//work64 was downloaded
Tags: Download File

The file /usr/.work/work64 was downloaded and executed 63 times
Tags: Download and Execute

Process /usr/.work/work64 started listening on ports: 14747, 17124 and 8014
Tags: Listening

Executable file /usr/bin/wget1 was modified
Tags: Executable File Modification

System file /etc/rc.local was modified
Tags: System File Modification

System file /etc/crontab was modified
Tags: System File Modification

The file /tmp/xmr was downloaded and executed 4 times
Tags: Download and Execute

Process /tmp/xmr attempted to access suspicious domains: poneytelecom.eu and xmr.crypto-pool.fr
Tags: DNS Query, Access Suspicious Domain, Outgoing Connection

Process /tmp/xmr generated outgoing network traffic to: 163.172.226.137:6666
Tags: Outgoing Connection

Process /usr/.work/work64 generated outgoing network traffic to: 10.32.0.113:22, 10.32.0.113:2222, 10.32.0.177:22, 10.32.0.177:2222, 107.244.162.14:2002, 107.244.162.14:2022, 107.244.162.14:2222, 107.244.162.14:22222, 107.244.162.14:2223, 107.244.162.14:2323, 107.244.162.14:3389, 107.244.162.14:443, 107.244.162.14:444, 107.244.162.14:55554, 107.244.162.14:6000, 107.244.162.14:666, 107.244.162.14:7777, 107.244.162.14:8022, 107.244.162.14:8888, 107.244.162.14:9000, 107.244.162.14:9090, 107.244.162.14:9999, 126.173.126.67:22, 126.173.126.67:2222, 157.242.101.224:22, 157.242.101.224:2222, 165.42.129.109:22, 165.42.129.109:2222, 172.32.138.8:2222, 182.3.173.116:22, 182.3.173.116:2222, 191.23.252.237:22, 191.23.252.237:2222, 208.243.73.160:22, 208.243.73.160:2222, 209.236.168.215:22, 209.236.168.215:2222, 217.192.111.133:22, 217.192.111.133:2222, 220.33.37.110:22, 220.33.37.110:2222, 223.194.222.127:22, 223.194.222.127:2222, 23.180.238.240:2002, 23.180.238.240:2022, 23.180.238.240:222, 23.180.238.240:23, 23.180.238.240:2323, 23.180.238.240:2382, 23.180.238.240:26, 23.180.238.240:4118, 23.180.238.240:444, 23.180.238.240:50000, 23.180.238.240:5555, 23.180.238.240:666, 23.180.238.240:7777, 23.180.238.240:830, 23.180.238.240:9999, 36.26.124.80:22, 36.26.124.80:2222, 36.5.216.83:22, 36.5.216.83:2222, 44.199.174.173:2002, 44.199.174.173:2022, 44.199.174.173:22, 44.199.174.173:222, 44.199.174.173:2222, 44.199.174.173:22222, 44.199.174.173:2223, 44.199.174.173:23, 44.199.174.173:2323, 44.199.174.173:2382, 44.199.174.173:26, 44.199.174.173:3389, 44.199.174.173:4118, 44.199.174.173:443, 44.199.174.173:444, 44.199.174.173:50000, 44.199.174.173:5555, 44.199.174.173:55554, 44.199.174.173:6000, 44.199.174.173:666, 44.199.174.173:7777, 44.199.174.173:8022, 44.199.174.173:830, 44.199.174.173:8888, 44.199.174.173:9000, 44.199.174.173:9090, 44.199.174.173:9999, 46.3.20.101:22, 46.3.20.101:2222, 8.186.13.98:22, 8.186.13.98:2222, 82.174.139.214:22, 82.174.139.214:2222, 82.79.231.186:22, 
82.79.231.186:2222, 99.113.216.224:22 and 99.113.216.224:2222
Tags: Outgoing Connection

Process /usr/.work/work64 scanned port 22 on 20 IP Addresses
Tags: Port 22 Scan, Port 2222 Scan

Process /usr/.work/work64 scanned port 2222 on 20 IP Addresses
Tags: Port 22 Scan, Port 2222 Scan

Process /usr/.work/work64 scanned port 22 on 22 IP Addresses
Tags: Port 22 Scan, Port 2222 Scan

Process /usr/.work/work64 scanned port 2222 on 22 IP Addresses
Tags: Port 22 Scan, Port 2222 Scan

Process /usr/.work/work64 attempted to access suspicious domains: mycingular.net
Tags: DNS Query, Access Suspicious Domain, Outgoing Connection

Process /usr/.work/work64 attempted to access domains: bttracker.debian.org, dht.transmissionbt.com, router.bittorrent.com and router.utorrent.com
Tags: DNS Query

Connection was closed due to timeout

An attempt to download /root/.ssh/authorized_keys was made
Tags: New SSH Key