IP Address: 202.164.39.146 - Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Download File, SSH Superuser Operation, Successful SSH Login, Download and Execute, SCP Download and Allow Execution
Associated Attack Servers: aerodromsolutions.tech, cultimording.org.uk, sileman.net.pl, vorboss.net, 26.38.132.106, 37.242.126.41, 82.50.83.36, 82.163.214.12, 85.198.254.49, 87.154.222.34, 101.112.154.65, 111.53.11.130, 116.31.107.208, 123.211.210.95, 124.221.122.219, 147.182.233.56, 148.71.144.13, 153.92.221.1, 158.123.18.222, 169.252.252.41, 180.204.143.164, 246.67.194.41, 247.21.205.79
IP Address: 202.164.39.146
Domain: -
ISP: Quadrant Televentures Limited
Country: India
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2021-12-24
Last seen in Akamai Guardicore Segmentation: 2024-05-01
Attack timeline (event description, followed by the tags assigned to it):

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List (Successful SSH Login)
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password (Successful SSH Login)
A possibly malicious Superuser Operation was detected 2 times (Superuser Operation)
The file /tmp/ifconfig was downloaded and executed 5 times (Download and Execute)
The file /tmp/apache2 was downloaded and executed 200 times (Download and Execute)
Process /tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 107.125.205.199:80, 107.125.205.199:8080, 112.219.101.111:22, 116.225.43.137:1234, 119.91.140.230:1234, 121.37.209.144:22, 124.222.238.185:1234, 124.40.131.66:80, 124.40.131.66:8080, 125.224.224.112:80, 125.224.224.112:8080, 135.239.97.219:2222, 137.3.194.203:2222, 143.211.172.238:2222, 143.218.127.149:22, 146.51.15.104:2222, 147.33.147.89:80, 147.33.147.89:8080, 15.27.34.170:2222, 152.214.182.209:2222, 158.59.190.238:80, 158.59.190.238:8080, 159.133.223.216:80, 159.133.223.216:8080, 160.120.132.60:80, 160.120.132.60:8080, 172.218.10.247:80, 172.218.10.247:8080, 173.104.150.173:22, 176.160.206.6:80, 176.160.206.6:8080, 177.164.25.118:2222, 183.129.80.140:80, 183.129.80.140:8080, 183.44.221.204:80, 183.44.221.204:8080, 185.210.144.122:1234, 187.94.88.87:80, 187.94.88.87:8080, 188.117.168.143:80, 188.117.168.143:8080, 192.171.47.162:80, 192.171.47.162:8080, 20.58.184.140:1234, 218.168.10.109:80, 218.168.10.109:8080, 249.100.207.1:80, 249.100.207.1:8080, 249.115.47.8:2222, 251.85.250.206:80, 251.85.250.206:8080, 29.198.13.58:80, 29.198.13.58:8080, 30.128.134.49:2222, 30.182.30.166:22, 31.149.110.14:80, 31.149.110.14:8080, 34.249.98.198:22, 36.92.125.163:1234, 4.82.133.157:80, 4.82.133.157:8080, 44.78.207.231:80, 44.78.207.231:8080, 49.100.12.36:80, 49.100.12.36:8080, 53.81.71.252:80, 53.81.71.252:8080, 55.84.216.124:80, 55.84.216.124:8080, 56.48.97.33:80, 56.48.97.33:8080, 60.7.232.237:80, 60.7.232.237:8080, 61.186.87.96:80, 61.186.87.96:8080, 7.205.58.251:80, 7.205.58.251:8080, 70.145.108.63:80, 70.145.108.63:8080, 70.22.218.88:80, 70.22.218.88:8080, 74.170.194.227:80, 74.170.194.227:8080, 81.70.246.178:1234, 83.42.138.103:2222, 97.164.212.213:80, 97.164.212.213:8080 and 98.160.27.56:22 |
(Outgoing Connection)
Process /tmp/apache2 started listening on ports: 1234, 8085 and 8187 (Listening)
Process /tmp/apache2 scanned port 80 on 32 IP Addresses 2 times (Port 2222 Scan, Port 8080 Scan, Port 80 Scan)
Process /tmp/apache2 scanned port 80 on 10 IP Addresses (Port 2222 Scan, Port 8080 Scan, Port 80 Scan)
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses 2 times (Port 2222 Scan, Port 8080 Scan, Port 80 Scan)
Process /tmp/apache2 scanned port 2222 on 32 IP Addresses 2 times (Port 2222 Scan, Port 8080 Scan, Port 80 Scan)
Process /tmp/apache2 attempted to access suspicious domains: hwclouds-dns.com and srasia-great.com (Access Suspicious Domain, Outgoing Connection)
Process /tmp/apache2 scanned port 8080 on 10 IP Addresses (Port 2222 Scan, Port 8080 Scan, Port 80 Scan)
Process /tmp/apache2 scanned port 2222 on 10 IP Addresses (Port 2222 Scan, Port 8080 Scan, Port 80 Scan)
The file /tmp/php-fpm was downloaded and executed 53 times (Download and Execute)
The file /tmp/php-fpm was downloaded and executed 33 times (Download and Execute)
The file /tmp/php-fpm was downloaded and executed 5 times (Download and Execute)
Connection was closed due to timeout
Dropped file:
Path: /var/tmp/php-fpm
SHA256: d9ee6cbbc40b3b337e3af157b14a1e7ac276c9f27c2efcd8daa21ded4bd810b6
Size: 2875940 bytes