IP Address: 209.213.30.213 - Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP, SSH
Tags | Port 2222 Scan, Access Suspicious Domain, Port 8080 Scan, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, 1 Shell Commands, Listening
Associated Attack Servers | 3.133.124.243, 9.62.12.106, 23.32.168.181, 24.101.57.13, 38.103.151.95, 49.98.240.189, 52.131.32.110, 55.23.194.88, 81.70.246.81, 94.153.165.43, 101.35.121.8, 103.141.246.254, 106.52.252.228, 123.13.155.101, 140.207.8.44, 152.136.145.180, 161.35.79.199, 168.165.131.36, 170.229.112.114, 173.65.176.93, 185.105.108.169, 191.105.60.138, 198.48.3.181, 217.38.122.26
IP Address | 209.213.30.213
Domain | -
ISP | Piedmont Rural Telephone Cooperative, Incorporated
Country | United States
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-28
Last seen in Akamai Guardicore Segmentation | 2022-04-03
Event | Tags
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
/dev/shm/ifconfig was downloaded | Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 101.35.121.8:1234, 104.21.25.86:443, 106.52.252.228:1234, 110.110.170.101:80, 110.110.170.101:8080, 111.242.238.186:80, 111.242.238.186:8080, 119.237.227.249:80, 119.237.227.249:8080, 121.50.181.105:80, 121.50.181.105:8080, 124.12.211.36:80, 124.12.211.36:8080, 129.212.52.221:80, 129.212.52.221:8080, 131.96.115.75:80, 131.96.115.75:8080, 140.207.8.44:22, 150.1.176.59:80, 150.1.176.59:8080, 154.66.61.156:80, 154.66.61.156:8080, 156.192.26.129:80, 156.192.26.129:8080, 159.156.57.10:80, 159.156.57.10:8080, 167.118.23.8:80, 167.118.23.8:8080, 169.18.3.196:2222, 172.222.245.231:80, 172.222.245.231:8080, 172.67.133.228:443, 173.128.120.153:80, 173.128.120.153:8080, 173.65.176.93:22, 180.236.32.196:80, 180.236.32.196:8080, 182.86.132.149:80, 182.86.132.149:8080, 188.106.132.66:80, 188.106.132.66:8080, 194.21.225.155:80, 194.21.225.155:8080, 194.236.21.161:80, 194.236.21.161:8080, 197.24.137.127:80, 197.24.137.127:8080, 198.48.3.181:22, 2.44.19.187:80, 2.44.19.187:8080, 201.52.145.111:2222, 213.210.91.142:80, 213.210.91.142:8080, 215.187.101.92:2222, 217.38.122.26:22, 217.50.64.227:80, 217.50.64.227:8080, 24.101.57.13:1234, 241.180.121.110:2222, 250.137.206.180:80, 250.137.206.180:8080, 251.41.94.100:2222, 26.251.151.113:80, 26.251.151.113:8080, 28.136.83.128:2222, 3.133.124.243:1234, 36.230.161.211:80, 36.230.161.211:8080, 37.210.217.44:2222, 42.169.250.148:2222, 52.131.32.110:1234, 60.210.125.153:2222, 65.247.246.19:80, 65.247.246.19:8080, 67.185.202.220:80, 67.185.202.220:8080, 70.147.220.45:2222, 74.188.36.164:80, 74.188.36.164:8080, 74.5.20.170:80, 74.5.20.170:8080, 75.168.126.48:80, 75.168.126.48:8080, 80.31.33.92:80, 80.31.33.92:8080, 81.70.246.81:1234, 84.113.35.190:2222 and 94.153.165.43:1234 | Outgoing Connection
Process /dev/shm/ifconfig started listening on ports: 1234, 8080 and 8181 | Listening
Process /dev/shm/ifconfig attempted to access suspicious domains: cafenet.co.nz, kyivstar.net and zoominternet.net | Access Suspicious Domain, Outgoing Connection
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 2222 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 80 on 11 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 2222 on 32 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 8080 on 11 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/ifconfig scanned port 2222 on 11 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Connection was closed due to timeout |
|