IP Address: 196.221.196.165 (Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Access Suspicious Domain, Port 8080 Scan, 3 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Download and Execute, SCP, Outgoing Connection, Listening, Download and Allow Execution
Associated Attack Servers: 6.211.106.146, 22.238.92.113, 36.69.131.107, 49.252.92.48, 56.130.214.104, 69.44.105.130, 76.105.225.80, 77.48.5.6, 101.43.154.209, 102.126.26.129, 109.248.199.207, 119.91.91.82, 123.132.238.210, 124.221.119.17, 152.136.145.180, 171.1.25.1, 173.18.35.41, 207.137.229.156, 210.193.237.105, 222.165.136.99
IP Address: 196.221.196.165
Domain: -
ISP: Vodafone Egypt
Country: Egypt
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-01
Last seen in Akamai Guardicore Segmentation: 2023-03-09
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Attack timeline (sensor events, tag: description)
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password (2 times)
Superuser Operation: A possibly malicious Superuser Operation was detected (2 times)
Download and Execute: The file /tmp/ifconfig was downloaded and executed (5 times)
Download and Execute: The file /tmp/apache2 was downloaded and executed (109 times)
Outgoing Connection: Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.54.176.88:80, 1.54.176.88:8080, 101.43.154.209:1234, 102.126.26.129:2222, 104.21.25.86:443, 106.107.96.60:80, 106.107.96.60:8080, 109.248.199.207:22, 114.217.93.110:80, 114.217.93.110:8080, 119.49.127.6:80, 119.49.127.6:8080, 119.91.91.82:1234, 123.132.238.210:1234, 124.221.119.17:1234, 126.124.215.17:80, 126.124.215.17:8080, 131.7.223.71:80, 131.7.223.71:8080, 134.14.186.151:80, 134.14.186.151:8080, 136.158.171.182:80, 136.158.171.182:8080, 142.251.32.4:443, 142.46.28.66:80, 142.46.28.66:8080, 152.136.145.180:1234, 154.18.160.86:80, 154.18.160.86:8080, 155.35.213.63:80, 155.35.213.63:8080, 16.242.53.153:80, 16.242.53.153:8080, 170.216.99.141:80, 170.216.99.141:8080, 170.38.171.220:80, 170.38.171.220:8080, 171.1.25.1:22, 171.230.137.173:80, 171.230.137.173:8080, 173.18.35.41:1234, 174.245.108.121:80, 174.245.108.121:8080, 185.3.51.151:80, 185.3.51.151:8080, 20.100.170.160:80, 20.100.170.160:8080, 207.137.229.156:22, 210.193.237.105:80, 210.193.237.105:8080, 210.193.237.105:8090, 22.238.92.113:2222, 222.165.136.99:1234, 223.216.163.140:80, 223.216.163.140:8080, 240.2.239.168:80, 240.2.239.168:8080, 27.203.169.173:80, 27.203.169.173:8080, 42.120.39.248:80, 42.120.39.248:8080, 42.78.200.31:80, 42.78.200.31:8080, 47.109.33.57:80, 47.109.33.57:8080, 49.252.92.48:22, 51.75.146.174:443, 55.105.196.76:80, 55.105.196.76:8080, 56.130.214.104:22, 58.251.101.56:80, 58.251.101.56:8080, 59.212.133.193:80, 59.212.133.193:8080, 59.70.10.150:80, 59.70.10.150:8080, 6.211.106.146:22, 63.122.169.89:80, 63.122.169.89:8080, 68.10.6.187:80, 68.10.6.187:8080, 69.44.105.130:2222, 76.105.225.80:2222, 77.48.5.6:22, 8.8.8.8:443, 97.37.229.247:80 and 97.37.229.247:8080
Listening: Process /tmp/ifconfig started listening on ports: 1234, 8080 and 8186
Access Suspicious Domain, Outgoing Connection: Process /tmp/ifconfig attempted to access suspicious domains: e-mobile.ne.jp, mchsi.com, upc.cz and wcg.net
Port 80 Scan: Process /tmp/ifconfig scanned port 80 on 32 IP Addresses
Port 8080 Scan: Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses
Port 80 Scan: Process /tmp/ifconfig scanned port 80 on 32 IP Addresses
Port 8080 Scan: Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses
Download and Execute: The file /usr/bin/uptime was downloaded and executed
Connection was closed due to timeout
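The event descriptions above are free text, but they carry the indicators an IR team actually wants: the dropped binaries and how often they ran, the ports the implant listened on, and the destinations it contacted. The script below is an added example (not code from the Akamai Guardicore report or product) that parses a constructed subset of these event lines into structured indicators and sorts the destinations into the port-80/8080 sweep the report records versus hosts reached on 22/2222/1234, then cross-checks them against the report's "Associated Attack Servers" list. The port buckets and the labels "web-scan" and "peer-or-c2-candidate" are assumptions for illustration, not a classification the report makes.

```python
"""Parse sensor event lines into indicators (added example, not from the report)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the event descriptions from the report above.
EVENTS = [
    "The file /tmp/ifconfig was downloaded and executed 5 times",
    "The file /tmp/apache2 was downloaded and executed 109 times",
    "Process /tmp/ifconfig generated outgoing network traffic to: "
    "1.1.1.1:443, 1.54.176.88:80, 1.54.176.88:8080, 101.43.154.209:1234, "
    "102.126.26.129:2222, 109.248.199.207:22, 210.193.237.105:80, "
    "210.193.237.105:8080 and 210.193.237.105:8090",
    "Process /tmp/ifconfig started listening on ports: 1234, 8080 and 8186",
    "The file /usr/bin/uptime was downloaded and executed",
]

# Subset of the report's "Associated Attack Servers" field.
ASSOCIATED_ATTACK_SERVERS = {
    "101.43.154.209", "102.126.26.129", "109.248.199.207", "210.193.237.105",
}

# Assumed port buckets: hosts touched only on 80/8080/8090 match the HTTP
# sweep the report records; 22/2222/1234 match its SSH and peer traffic.
SCAN_PORTS = {80, 8080, 8090}
PEER_PORTS = {22, 2222, 1234}

DROP_RE = re.compile(r"^The file (\S+) was downloaded and executed(?: (\d+) times)?$")
OUT_RE = re.compile(r"^Process (\S+) generated outgoing network traffic to: (.+)$")
LISTEN_RE = re.compile(r"^Process (\S+) started listening on ports?: (.+)$")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_events(lines):
    """Return {'dropped': path -> exec count, 'outgoing': proc -> [(ip, port)],
    'listening': proc -> [ports]} extracted from free-text event lines."""
    dropped, outgoing, listening = {}, defaultdict(list), {}
    for line in lines:
        if m := DROP_RE.match(line):
            # "N times" is absent when the event fired once.
            dropped[m.group(1)] = int(m.group(2) or 1)
        elif m := OUT_RE.match(line):
            for ip, port in ENDPOINT_RE.findall(m.group(2)):
                outgoing[m.group(1)].append((ip, int(port)))
        elif m := LISTEN_RE.match(line):
            listening[m.group(1)] = [int(p) for p in re.findall(r"\d+", m.group(2))]
    return {"dropped": dropped, "outgoing": dict(outgoing), "listening": listening}


def classify_destinations(endpoints):
    """Label each destination IP by the set of ports the process contacted."""
    ports_by_ip = defaultdict(set)
    for ip, port in endpoints:
        ports_by_ip[ip].add(port)
    labels = {}
    for ip, ports in ports_by_ip.items():
        if ports <= SCAN_PORTS:
            labels[ip] = "web-scan"
        elif ports & PEER_PORTS:
            labels[ip] = "peer-or-c2-candidate"
        else:
            labels[ip] = "other"
    return labels


def overlap_with_associated(labels, servers=ASSOCIATED_ATTACK_SERVERS):
    """Destinations that also appear in the report's attack-server list."""
    return sorted(ip for ip in labels if ip in servers)


if __name__ == "__main__":
    parsed = parse_events(EVENTS)
    labels = classify_destinations(parsed["outgoing"]["/tmp/ifconfig"])
    for ip, label in sorted(labels.items()):
        print(f"{ip:16} {label}")
    print("dropped:", parsed["dropped"])
    print("listening:", parsed["listening"]["/tmp/ifconfig"])
    print("overlap with associated servers:", overlap_with_associated(labels))
```

Running it on the full outgoing-connection line from this report separates the 32-host 80/8080 sweep from the handful of hosts reached on 22, 2222 and 1234, and the latter set overlaps the report's Associated Attack Servers almost entirely; the 443 destinations fall into "other" and need a separate judgement rather than automatic blocking.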
|