Discover malicious IPs and domains with Akamai Guardicore Segmentation

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List

Process /usr/sbin/sshd scanned port 1234 on 31 IP Addresses

Process /dev/shm/apache2 scanned port 1234 on 31 IP Addresses

Process /dev/shm/apache2 scanned port 1234 on 53 IP Addresses

Process /dev/shm/apache2 scanned port 80 on 31 IP Addresses

Process /bin/nc.openbsd scanned port 1234 on 31 IP Addresses

Process /tmp/ifconfig scanned port 1234 on 31 IP Addresses

Process /usr/sbin/sshd scanned port 1234 on 31 IP Addresses

Process /root/apache2 scanned port 1234 on 31 IP Addresses

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times

/dev/shm/ifconfig was downloaded

A possibly malicious Superuser Operation was detected 12 times

Process /dev/shm/apache2 generated outgoing network traffic to: 1.220.98.197:1234, 107.135.235.115:80, 109.203.70.228:80, 116.140.244.109:80, 117.54.14.169:1234, 119.197.33.224:80, 119.233.243.164:80, 120.224.34.31:1234, 120.236.78.194:1234, 121.38.156.136:80, 121.63.99.132:80, 123.132.238.210:1234, 123.58.157.190:80, 124.221.181.83:1234, 126.30.38.144:80, 129.64.11.146:80, 130.36.127.84:80, 144.155.92.24:80, 145.188.179.164:80, 145.22.60.63:80, 145.77.213.29:80, 151.24.46.242:80, 152.94.197.23:80, 154.154.22.242:80, 155.116.13.86:80, 156.217.251.253:80, 159.249.208.136:80, 159.28.223.236:80, 16.239.59.47:80, 161.107.113.27:1234, 161.107.113.34:1234, 161.42.13.227:80, 169.43.40.45:80, 172.64.200.11:443, 172.64.201.11:443, 173.85.203.98:80, 174.182.144.208:80, 182.224.177.56:1234, 183.213.26.13:1234, 184.83.112.246:1234, 192.51.150.151:80, 193.90.116.207:80, 195.87.73.208:1234, 198.198.221.230:80, 20.142.210.143:80, 200.150.6.198:80, 203.139.248.165:80, 203.172.223.79:80, 204.128.18.187:80, 206.189.25.255:1234, 211.251.79.3:80, 215.65.246.228:80, 220.243.148.80:1234, 222.103.98.58:1234, 222.117.95.174:1234, 222.121.63.87:1234, 222.165.136.99:1234, 222.84.249.72:80, 223.99.166.104:1234, 240.49.190.64:80, 243.111.237.230:80, 25.193.177.171:80, 250.79.95.51:80, 27.108.242.4:80, 31.54.40.187:80, 39.175.68.100:1234, 4.121.85.209:80, 4.4.66.83:22, 40.205.250.80:80, 40.68.24.106:80, 45.120.216.114:1234, 46.13.164.29:1234, 49.233.159.222:1234, 49.42.161.213:80, 51.75.146.174:443, 52.131.32.110:1234, 70.222.162.72:80, 76.120.22.218:80, 82.149.112.170:1234, 83.6.224.36:80, 84.204.148.99:1234, 85.105.58.118:1234, 87.36.73.10:80, 88.17.215.151:80, 89.212.123.191:1234 and 94.153.165.43:1234

Process /dev/shm/apache2 started listening on ports: 1234, 8089 and 8180

The file /tmp/ifconfig was downloaded and executed 3 times

The file /tmp/apache2 was downloaded and executed 18 times

Process /tmp/ifconfig generated outgoing network traffic to: 172.64.200.11:443

./ifconfig was downloaded

The file /root/ifconfig was downloaded and executed 5 times

The file /root/apache2 was downloaded and executed 55 times

Process /dev/shm/apache2 scanned port 80 on 53 IP Addresses

The file /var/tmp/ifconfig was downloaded and executed 5 times

The file /root/ifconfig was downloaded and executed 5 times

The file /root/apache2 was downloaded and executed 3 times

System file /etc/ifconfig was modified 9 times

The file /etc/ifconfig was downloaded and executed 5 times

System file /etc/apache2 was modified 4 times

The file /etc/apache2 was downloaded and executed 15 times

Connection was closed due to timeout