IP Address: 20.205.236.165
Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Access Suspicious Domain, Port 8080 Scan (2), Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers: 3.101.150.145, 5.161.42.72, 14.35.205.157, 24.32.65.138, 40.211.247.11, 46.141.84.187, 56.99.232.84, 78.92.170.193, 81.72.132.98, 89.171.153.114, 101.43.115.47, 101.43.201.124, 139.148.27.150, 153.122.122.8, 164.225.155.32, 174.204.135.182, 187.157.83.19, 197.100.235.82, 207.66.238.179
IP Address: 20.205.236.165
Domain: -
ISP: -
Country: United States
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-01
Last seen in Akamai Guardicore Segmentation: 2022-04-03
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Tags: Successful SSH Login
/dev/shm/ifconfig was downloaded
Tags: Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Tags: Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times
Tags: Superuser Operation
Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 101.43.115.47:1234, 101.43.201.124:1234, 104.21.25.86:443, 105.227.98.144:80, 105.227.98.144:8080, 107.12.106.70:80, 107.12.106.70:8080, 107.201.20.234:80, 107.201.20.234:8080, 11.57.164.1:80, 11.57.164.1:8080, 113.165.217.112:80, 113.165.217.112:8080, 113.235.35.22:80, 113.235.35.22:8080, 139.148.27.150:1234, 139.50.245.189:80, 139.50.245.189:8080, 139.67.143.55:80, 139.67.143.55:8080, 14.35.205.157:1234, 141.31.32.20:80, 141.31.32.20:8080, 142.250.190.36:443, 146.117.82.209:80, 146.117.82.209:8080, 148.182.74.182:80, 148.182.74.182:8080, 153.122.122.8:80, 153.122.122.8:8080, 153.122.122.8:8090, 16.239.141.206:80, 16.239.141.206:8080, 164.225.155.32:2222, 172.167.250.168:80, 172.167.250.168:8080, 172.67.133.228:443, 174.204.135.182:2222, 180.175.105.225:80, 180.175.105.225:8080, 187.157.83.19:22, 187.228.46.3:80, 187.228.46.3:8080, 196.235.99.205:80, 196.235.99.205:8080, 197.100.235.82:22, 197.164.174.204:80, 197.164.174.204:8080, 207.66.238.179:22, 218.58.51.144:80, 218.58.51.144:8080, 218.58.53.174:80, 218.58.53.174:8080, 220.219.34.153:80, 220.219.34.153:8080, 24.32.65.138:1234, 247.61.176.220:80, 247.61.176.220:8080, 250.65.86.120:80, 250.65.86.120:8080, 3.101.150.145:22, 40.211.247.11:2222, 41.179.95.23:80, 41.179.95.23:8080, 42.4.111.13:80, 42.4.111.13:8080, 44.222.179.213:80, 44.222.179.213:8080, 46.141.84.187:80, 46.141.84.187:8080, 46.141.84.187:8090, 5.161.42.72:1234, 50.171.7.10:80, 50.171.7.10:8080, 51.75.146.174:443, 56.99.232.84:22, 73.85.214.100:80, 73.85.214.100:8080, 77.98.87.154:80, 77.98.87.154:8080, 78.92.170.193:1234, 8.8.8.8:443, 81.72.132.98:2222, 86.117.146.167:80, 86.117.146.167:8080, 89.171.153.114:2222, 90.101.192.177:80 and 90.101.192.177:8080 |
Tags: Outgoing Connection
Process /dev/shm/ifconfig started listening on ports: 1234, 8089 and 8181
Tags: Listening
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses
Tags: Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses
Tags: Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses
Tags: Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses
Tags: Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig attempted to access suspicious domains: myvzw.com, netia.com.pl, ptrcloud.net and uninet-ide.com.mx
Tags: Access Suspicious Domain, Outgoing Connection
Connection was closed due to timeout