IP Address: 209.141.41.165 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution
Associated Attack Servers | 13.253.71.150, 23.118.170.185, 35.253.73.40, 39.101.241.185, 42.231.30.127, 50.7.86.202, 55.84.16.108, 59.3.186.45, 82.163.214.12, 87.54.123.195, 95.71.205.141, 97.85.141.27, 101.35.168.159, 103.210.89.99, 115.73.193.224, 122.88.187.116, 148.198.34.136, 162.171.198.76, 176.243.157.124, 187.6.3.3, 221.209.212.186, 251.20.183.43
IP Address | 209.141.41.165
Domain | -
ISP | FranTech Solutions
Country | United States

WHOIS
Created Date | -
Updated Date | -
Organization | -

First seen in Akamai Guardicore Segmentation | 2022-03-26
Last seen in Akamai Guardicore Segmentation | 2022-04-04
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
./ifconfig was downloaded | Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /root/ifconfig was downloaded and executed 5 times | Download and Execute
The file /root/apache2 was downloaded and executed 204 times | Download and Execute
Process /root/apache2 scanned port 22 on 10 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 22 on 32 IP Addresses 2 times | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 80 on 10 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 8080 on 10 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 generated outgoing network traffic to external IP addresses | Outgoing Connection
Process /root/apache2 started listening on ports: 1234, 8081 and 8185 | Listening
Process /root/apache2 scanned port 80 on 32 IP Addresses 2 times | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 scanned port 8080 on 32 IP Addresses 2 times | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/apache2 attempted to access suspicious domains: adsl, sbcglobal.net, sileman.net.pl, telkomadsl.co.za and zcrtyshop.club | Access Suspicious Domain, Outgoing Connection
The file /root/php-fpm was downloaded and executed 31 times | Download and Execute
The file /root/php-fpm was downloaded and executed 13 times | Download and Execute
Connection was closed due to timeout
|