IP Address: 211.149.149.231Malicious
IP Address: 211.149.149.231Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SSH |
Tags |
Service Restart Successful SSH Login Listening Download and Execute Executable File Modification Scheduled Task Creation System File Modification Download and Allow Execution SSH Read Password Secrets Outgoing Connection New SSH Key |
Associated Attack Servers |
8.210.4.232 8.210.45.79 8.210.57.108 8.210.164.235 8.217.111.36 8.218.203.41 47.76.72.109 47.76.76.183 47.76.77.187 47.104.0.145 47.122.10.249 47.242.1.71 47.242.18.69 47.242.56.102 47.242.81.79 47.242.184.160 47.242.204.93 47.242.255.98 47.243.235.21 47.243.246.149 82.157.53.229 104.18.114.97 108.181.122.221 111.44.162.134 117.156.94.41 129.144.180.26 159.65.16.66 180.167.178.98 218.3.177.39 |
IP Address |
211.149.149.231 |
|
Domain |
- |
|
ISP |
- |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2023-12-09 |
Last seen in Akamai Guardicore Segmentation |
2024-02-26 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /usr/bin/wget generated outgoing network traffic to: 129.144.180.26:60107 |
Outgoing Connection |
System file /etc/crontab was modified 9 times |
System File Modification |
Executable file /usr/bin/wgbtx was modified |
Executable File Modification |
The file /tmp/btIDOCkBSz was downloaded and executed 16 times |
Download and Execute |
Process /tmp/btIDOCkBSz started listening on ports: 60132 |
Listening |
System file /etc/nshadow was modified 729 times |
System File Modification |
System file /etc/ssh/sshd_config was modified 4 times |
System File Modification |
Process /tmp/btIDOCkBSz generated outgoing network traffic to: 104.18.114.97:80, 108.181.122.221:60142, 111.44.162.134:60121, 117.156.94.41:60132, 129.144.180.26:60107, 159.65.16.66:60138, 180.167.178.98:60141, 211.149.149.231:60141, 218.3.177.39:60120, 220.203.22.243:60120, 47.104.0.145:60134, 47.122.10.249:60149, 47.242.1.71:60111, 47.242.18.69:60148, 47.242.184.160:60129, 47.242.204.93:60116, 47.242.255.98:60125, 47.242.56.102:60104, 47.242.81.79:60106, 47.243.235.21:60149, 47.243.246.149:60142, 47.76.72.109:60110, 47.76.76.183:60147, 47.76.77.187:60137, 8.210.164.235:60139, 8.210.4.232:60114, 8.210.45.79:60148, 8.210.57.108:60124, 8.217.111.36:60116, 8.218.203.41:60102 and 82.157.53.229:60111 |
Outgoing Connection |
The file /tmp/bash was downloaded and executed |
Download and Execute |
Process /lib/systemd/systemd started listening on ports: 22 |
Listening |
The file /tmp/8MqLpI6k84 was downloaded and executed 3 times |
Download and Execute |
An attempt to download /root/.ssh/authorized_keys was made |
New SSH Key |
/tmp/klpi9yryiH |
SHA256: 1e2686c1a674630311fdab9b74df54605309076b6d2c3acb4dbc0e7c0080bfa4 |
2388660 bytes |
/tmp/bash |
SHA256: 2f38c57e20a9380211deddf28755a60b22953945b7aae73e68252be8cc13297a |
546616 bytes |
/tmp/8MqLpI6k84 |
SHA256: 8a29238ef597df9c34411e3524109546894b3cca67c2690f63c4fb53a433f4e3 |
2519872 bytes |