IP Address: 194.24.174.8 - Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner |
Services Targeted | SCP, SSH |
Tags | Outgoing Connection, SSH, Superuser Operation, SCP, Download File, Port 80 Scan, Listening, Successful SSH Login, Download and Execute, System File Modification, Port 1234 Scan, 15 Shell Commands |
Associated Attack Servers | 4.4.66.83, 103.152.118.20, 120.224.34.31, 161.35.79.199, 172.64.110.32, 172.64.111.32, 172.64.200.11, 172.64.201.11, 185.110.190.39, 209.216.177.158 |
IP Address | 194.24.174.8 |
Domain | - |
ISP | RA-NET |
Country | Poland |
WHOIS Created Date | - |
WHOIS Updated Date | - |
Organization | - |
First seen in Akamai Guardicore Segmentation | 2022-06-08 |
Last seen in Akamai Guardicore Segmentation | 2022-10-31 |
What is Akamai Guardicore Segmentation: Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login |
Process /usr/sbin/sshd scanned port 1234 on 31 IP Addresses | Port 1234 Scan |
Process /dev/shm/apache2 scanned port 1234 on 31 IP Addresses | Port 1234 Scan, Port 80 Scan |
Process /dev/shm/apache2 scanned port 1234 on 53 IP Addresses | Port 1234 Scan, Port 80 Scan |
Process /dev/shm/apache2 scanned port 80 on 31 IP Addresses | Port 1234 Scan, Port 80 Scan |
Process /bin/nc.openbsd scanned port 1234 on 31 IP Addresses | Port 1234 Scan |
Process /tmp/ifconfig scanned port 1234 on 31 IP Addresses | Port 1234 Scan |
Process /usr/sbin/sshd scanned port 1234 on 31 IP Addresses | Port 1234 Scan |
Process /root/apache2 scanned port 1234 on 31 IP Addresses | Port 1234 Scan |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times | Successful SSH Login |
/dev/shm/ifconfig was downloaded | Download File |
A possibly malicious Superuser Operation was detected 12 times | Superuser Operation |
Process /dev/shm/apache2 generated outgoing network traffic to: 1.220.98.197:1234, 107.135.235.115:80, 109.203.70.228:80, 116.140.244.109:80, 117.54.14.169:1234, 119.197.33.224:80, 119.233.243.164:80, 120.224.34.31:1234, 120.236.78.194:1234, 121.38.156.136:80, 121.63.99.132:80, 123.132.238.210:1234, 123.58.157.190:80, 124.221.181.83:1234, 126.30.38.144:80, 129.64.11.146:80, 130.36.127.84:80, 144.155.92.24:80, 145.188.179.164:80, 145.22.60.63:80, 145.77.213.29:80, 151.24.46.242:80, 152.94.197.23:80, 154.154.22.242:80, 155.116.13.86:80, 156.217.251.253:80, 159.249.208.136:80, 159.28.223.236:80, 16.239.59.47:80, 161.107.113.27:1234, 161.107.113.34:1234, 161.42.13.227:80, 169.43.40.45:80, 172.64.200.11:443, 172.64.201.11:443, 173.85.203.98:80, 174.182.144.208:80, 182.224.177.56:1234, 183.213.26.13:1234, 184.83.112.246:1234, 192.51.150.151:80, 193.90.116.207:80, 195.87.73.208:1234, 198.198.221.230:80, 20.142.210.143:80, 200.150.6.198:80, 203.139.248.165:80, 203.172.223.79:80, 204.128.18.187:80, 206.189.25.255:1234, 211.251.79.3:80, 215.65.246.228:80, 220.243.148.80:1234, 222.103.98.58:1234, 222.117.95.174:1234, 222.121.63.87:1234, 222.165.136.99:1234, 222.84.249.72:80, 223.99.166.104:1234, 240.49.190.64:80, 243.111.237.230:80, 25.193.177.171:80, 250.79.95.51:80, 27.108.242.4:80, 31.54.40.187:80, 39.175.68.100:1234, 4.121.85.209:80, 4.4.66.83:22, 40.205.250.80:80, 40.68.24.106:80, 45.120.216.114:1234, 46.13.164.29:1234, 49.233.159.222:1234, 49.42.161.213:80, 51.75.146.174:443, 52.131.32.110:1234, 70.222.162.72:80, 76.120.22.218:80, 82.149.112.170:1234, 83.6.224.36:80, 84.204.148.99:1234, 85.105.58.118:1234, 87.36.73.10:80, 88.17.215.151:80, 89.212.123.191:1234 and 94.153.165.43:1234 | Outgoing Connection |
Process /dev/shm/apache2 started listening on ports: 1234, 8089 and 8180 | Listening |
The file /tmp/ifconfig was downloaded and executed 3 times | Download and Execute |
The file /tmp/apache2 was downloaded and executed 18 times | Download and Execute |
Process /tmp/ifconfig generated outgoing network traffic to: 172.64.200.11:443 | Outgoing Connection |
./ifconfig was downloaded | Download File |
The file /root/ifconfig was downloaded and executed 5 times | Download and Execute |
The file /root/apache2 was downloaded and executed 55 times | Download and Execute |
Process /dev/shm/apache2 scanned port 80 on 53 IP Addresses | Port 1234 Scan, Port 80 Scan |
The file /var/tmp/ifconfig was downloaded and executed 5 times | Download and Execute |
The file /root/ifconfig was downloaded and executed 5 times | Download and Execute |
The file /root/apache2 was downloaded and executed 3 times | Download and Execute |
System file /etc/ifconfig was modified 9 times | System File Modification |
The file /etc/ifconfig was downloaded and executed 5 times | Download and Execute |
System file /etc/apache2 was modified 4 times | System File Modification |
The file /etc/apache2 was downloaded and executed 15 times | Download and Execute |
Connection was closed due to timeout |
/var/tmp/ifconfig |
SHA256: 1b40245f21f1cb845b7fdf2428315166a8b1d8d5e1e42cd290cd8e479ed61ad7 |
2129920 bytes |
/var/tmp/ifconfig |
SHA256: 3b9707d2b3c510499a866fe655f57f05eba1eb55566b03979602e5b9d6616a05 |
655360 bytes |
/var/tmp/ifconfig |
SHA256: 60cc0b454c5174dc5ec389859f0890a7ac0733c005f894083585a4274b71de5b |
2719744 bytes |
/var/tmp/ifconfig |
SHA256: 8a53c1d12942d21d2876a4b8d1eeed8a33a4a9d9f6d1ff3474980278e76a7cc9 |
1310720 bytes |
/var/tmp/ifconfig |
SHA256: 8e7cf70465391f66bc440eba9c30c73995725eaa95fe9f8ba9da6ecbe060c085 |
2424832 bytes |
/var/tmp/ifconfig |
SHA256: b68a8713bece3c5ce9b0e366dd929b6664fb1d7d569f2bc6fafe9a1bded50019 |
1671168 bytes |
/var/tmp/ifconfig |
SHA256: bf9553be0290bc2603b057d3daa41cbcc7f761941ff5519b7d441abe836ec046 |
2457600 bytes |
/root/ifconfig |
SHA256: d9b749e456a80f1c690f3d3a80a74ef3cdaab9bbf91ad2392fa97c3085fbd8f1 |
229376 bytes |