IP Address: 201.160.56.97 - Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | System File Modification, Scheduled Task Creation, Listening, Executable File Modification, Outgoing Connection, DNS Query, SCP, New SSH Key, Access Suspicious Domain, Service Configuration, Download and Execute, Port 2222 Scan, 8 Shell Commands, Successful SSH Login, Port 22 Scan, SSH, Download File, Download and Allow Execution
Associated Attack Servers | btcentralplus.com, bttracker.debian.org, poneytelecom.eu, 44.194.65.135, 56.123.230.90, 57.30.47.142, 86.171.192.5, 107.182.190.58, 163.172.226.137, 185.202.130.8
IP Address | 201.160.56.97
Domain | -
ISP | izzi
Country | Mexico
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-15
Last seen in Akamai Guardicore Segmentation | 2022-06-12
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ***** - Authentication policy: Reached Max Attempts |
Successful SSH Login |
/usr/.work//.bash_history was downloaded |
Download File |
/usr/.work//config.json was downloaded |
Download File |
/usr/.work//heartalive.lock was downloaded |
Download File |
/usr/.work//secure.sh was downloaded |
Download File |
/usr/.work//tmp.f9F5g2gAHz was downloaded |
Download File |
/usr/.work//work64 was downloaded |
Download File |
The file /usr/.work/work64 was downloaded and executed 63 times |
Download and Execute |
Process /usr/.work/work64 started listening on ports: 14747, 43983 and 8011 |
Listening |
Executable file /usr/bin/wget1 was modified |
Executable File Modification |
The file /tmp/xmr was downloaded and executed 8 times |
Download and Execute |
Process /tmp/xmr attempted to access suspicious domains: poneytelecom.eu and xmr.crypto-pool.fr |
DNS Query, Access Suspicious Domain, Outgoing Connection |
System file /etc/rc.local was modified |
System File Modification |
System file /etc/crontab was modified |
System File Modification |
Process /tmp/xmr generated outgoing network traffic to: 163.172.226.137:6666 |
Outgoing Connection |
Process /usr/.work/work64 generated outgoing network traffic to: 10.32.0.136:22, 10.32.0.136:2222, 10.32.0.5:22, 10.32.0.5:2222, 114.229.117.20:22, 114.229.117.20:2222, 141.51.3.117:22, 141.51.3.117:2222, 165.180.35.202:22, 165.180.35.202:2222, 169.116.136.83:22, 169.116.136.83:2222, 173.1.99.189:22, 173.1.99.189:2222, 173.82.47.199:22, 173.82.47.199:2222, 183.229.142.245:22, 183.229.142.245:2222, 184.106.25.103:22, 184.106.25.103:2222, 188.113.55.60:22, 198.160.127.108:22, 198.160.127.108:2222, 20.16.205.246:22, 20.16.205.246:2222, 213.243.184.127:22, 213.243.184.127:2222, 223.96.56.230:22, 223.96.56.230:2222, 23.71.127.185:22, 23.71.127.185:2222, 44.194.65.135:50000, 51.212.15.49:22, 51.212.15.49:2222, 56.123.230.90:3389, 57.30.47.142:2002, 57.30.47.142:2022, 57.30.47.142:22, 57.30.47.142:222, 57.30.47.142:2222, 57.30.47.142:22222, 57.30.47.142:2223, 57.30.47.142:23, 57.30.47.142:2323, 57.30.47.142:2382, 57.30.47.142:26, 57.30.47.142:3389, 57.30.47.142:4118, 57.30.47.142:443, 57.30.47.142:444, 57.30.47.142:50000, 57.30.47.142:5555, 57.30.47.142:55554, 57.30.47.142:6000, 57.30.47.142:666, 57.30.47.142:7777, 57.30.47.142:8022, 57.30.47.142:830, 57.30.47.142:8888, 57.30.47.142:9000, 57.30.47.142:9090, 57.30.47.142:9999, 60.171.246.34:22, 60.171.246.34:2222, 63.197.28.5:22, 63.197.28.5:2222, 76.122.214.196:22, 76.122.214.196:2222, 76.131.198.60:22, 76.131.198.60:2222, 82.122.209.147:22, 86.171.192.5:2002, 86.171.192.5:2022, 86.171.192.5:22, 86.171.192.5:222, 86.171.192.5:2222, 86.171.192.5:22222, 86.171.192.5:2223, 86.171.192.5:2323, 86.171.192.5:2382, 86.171.192.5:26, 86.171.192.5:3389, 86.171.192.5:443, 86.171.192.5:444, 86.171.192.5:5555, 86.171.192.5:55554, 86.171.192.5:6000, 86.171.192.5:666, 86.171.192.5:7777, 86.171.192.5:8022, 86.171.192.5:830, 86.171.192.5:8888, 86.171.192.5:9000, 86.171.192.5:9090, 86.171.192.5:9999, 90.26.247.77:22, 90.26.247.77:2222, 93.156.210.102:22 and 93.156.210.102:2222 |
Outgoing Connection |
Process /usr/.work/work64 scanned port 22 on 26 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /usr/.work/work64 scanned port 2222 on 26 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /usr/.work/work64 scanned port 22 on 24 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /usr/.work/work64 scanned port 2222 on 24 IP Addresses |
Port 22 Scan, Port 2222 Scan |
Process /usr/.work/work64 attempted to access suspicious domains: btcentralplus.com |
DNS Query, Access Suspicious Domain, Outgoing Connection |
Process /usr/.work/work64 attempted to access domains: bttracker.debian.org, dht.transmissionbt.com, router.bittorrent.com and router.utorrent.com |
DNS Query |
Connection was closed due to timeout |
|
An attempt to download /root/.ssh/authorized_keys was made |
New SSH Key |