IP Address: 211.224.208.91 (Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role | Attacker, Scanner
Services Targeted | SCP, SSH
Tags | Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution
Associated Attack Servers | 1.116.153.164, 13.87.67.199, 15.116.78.151, 17.81.39.224, 42.194.138.246, 64.227.132.175, 84.193.29.122, 111.53.11.130, 117.104.29.170, 175.202.202.116, 187.152.229.236
IP Address | 211.224.208.91
Domain | -
ISP | Korea Telecom
Country | Korea, Republic of
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-01
Last seen in Akamai Guardicore Segmentation | 2024-07-18
What is Akamai Guardicore Segmentation?
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Event | Tags
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /tmp/ifconfig was downloaded and executed 6 times | Download and Execute
The file /tmp/apache2 was downloaded and executed 188 times | Download and Execute
Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 101.48.190.26:2222, 106.184.114.1:2222, 120.136.134.153:1234, 128.135.92.35:2222, 128.65.66.24:80, 128.65.66.24:8080, 130.118.93.248:80, 130.118.93.248:8080, 133.107.187.122:80, 133.107.187.122:8080, 139.45.44.91:80, 139.45.44.91:8080, 142.91.192.179:80, 142.91.192.179:8080, 145.75.177.188:22, 148.99.99.52:22, 149.111.38.145:80, 149.111.38.145:8080, 15.231.122.211:80, 15.231.122.211:8080, 154.35.75.188:80, 154.35.75.188:8080, 155.45.15.60:80, 155.45.15.60:8080, 163.203.1.16:80, 163.203.1.16:8080, 170.167.59.238:22, 177.74.162.96:2222, 183.44.132.233:80, 183.44.132.233:8080, 187.96.86.115:80, 187.96.86.115:8080, 192.11.1.100:2222, 194.10.141.232:80, 194.10.141.232:8080, 196.199.155.118:80, 196.199.155.118:8080, 196.78.137.102:80, 196.78.137.102:8080, 199.142.175.49:80, 199.142.175.49:8080, 200.89.201.236:80, 200.89.201.236:8080, 203.106.128.120:22, 210.180.136.219:2222, 212.132.49.35:80, 212.132.49.35:8080, 213.157.208.172:80, 213.157.208.172:8080, 214.249.185.72:80, 214.249.185.72:8080, 216.183.83.108:80, 216.183.83.108:8080, 220.226.86.138:80, 220.226.86.138:8080, 222.192.114.151:2222, 23.78.68.112:2222, 242.49.71.250:80, 242.49.71.250:8080, 242.83.155.88:22, 3.32.1.120:80, 3.32.1.120:8080, 31.184.235.20:2222, 43.171.33.109:2222, 45.94.161.190:80, 45.94.161.190:8080, 49.233.159.222:1234, 49.4.46.111:2222, 52.236.133.183:1234, 62.12.106.6:1234, 62.182.238.226:80, 62.182.238.226:8080, 63.81.17.194:22, 64.18.30.125:80, 64.18.30.125:8080, 68.130.47.167:80, 68.130.47.167:8080, 75.79.197.122:22, 81.180.242.174:1234, 82.157.131.41:1234, 88.161.41.202:80, 88.161.41.202:8080, 9.161.114.181:80, 9.161.114.181:8080, 91.194.64.90:80, 91.194.64.90:8080, 96.187.179.198:80 and 96.187.179.198:8080 | Outgoing Connection
Process /tmp/ifconfig started listening on ports: 1234, 8087 and 8182 | Listening
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses | Port 8080 Scan, Port 80 Scan, Port 2222 Scan
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses | Port 8080 Scan, Port 80 Scan, Port 2222 Scan
Process /tmp/ifconfig scanned port 2222 on 32 IP Addresses | Port 8080 Scan, Port 80 Scan, Port 2222 Scan
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses | Port 8080 Scan, Port 80 Scan, Port 2222 Scan
Process /tmp/ifconfig scanned port 80 on 11 IP Addresses | Port 8080 Scan, Port 80 Scan, Port 2222 Scan
Process /tmp/ifconfig attempted to access suspicious domains: cultimording.org.uk and dsnet | Outgoing Connection, Access Suspicious Domain
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses | Port 8080 Scan, Port 80 Scan, Port 2222 Scan
Process /tmp/ifconfig scanned port 2222 on 32 IP Addresses | Port 8080 Scan, Port 80 Scan, Port 2222 Scan
Process /tmp/ifconfig scanned port 8080 on 11 IP Addresses | Port 8080 Scan, Port 80 Scan, Port 2222 Scan
Process /tmp/ifconfig scanned port 2222 on 11 IP Addresses | Port 8080 Scan, Port 80 Scan, Port 2222 Scan
The file /usr/bin/free was downloaded and executed | Download and Execute
The file /tmp/php-fpm was downloaded and executed 25 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 28 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 5 times | Download and Execute
Connection was closed due to timeout
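The timeline above is written in a fixed wording, which makes it easy to turn into indicators for blocking and hunting. The script below is an added example, not Akamai or Guardicore tooling: it parses event lines in that wording and separates the process's port-spray traffic from the connections a responder would actually chase (destinations on ports the process never scanned, and a port it both listens on and dials). The sample events are constructed to mirror this page (with a shortened host list); the regular expressions, the table of where the impersonated system binaries normally live, and the port heuristics are assumptions.

```python
"""Turn Guardicore-style incident event lines into a compact IOC summary.

Added example, not Akamai/Guardicore tooling. SAMPLE_EVENTS is constructed to
mirror the wording of the timeline on this page; the regexes, the legitimate
binary locations and the port classification are assumptions.
"""
import re
from collections import defaultdict

# Where the system binaries impersonated on this page normally live on a
# Debian-style host (assumed; adjust for the target distribution).
LEGIT_BINARY_DIRS = {
    "ifconfig": "/sbin",
    "apache2": "/usr/sbin",
    "php-fpm": "/usr/sbin",
    "free": "/usr/bin",
}

# Constructed sample events in the page's own wording (shortened host list).
SAMPLE_EVENTS = [
    "The file /tmp/ifconfig was downloaded and executed 6 times",
    "The file /tmp/apache2 was downloaded and executed 188 times",
    "Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, "
    "101.48.190.26:2222, 128.65.66.24:80, 128.65.66.24:8080, "
    "120.136.134.153:1234 and 96.187.179.198:8080",
    "Process /tmp/ifconfig started listening on ports: 1234, 8087 and 8182",
    "Process /tmp/ifconfig scanned port 80 on 32 IP Addresses",
    "Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses",
    "Process /tmp/ifconfig scanned port 2222 on 11 IP Addresses",
    "Process /tmp/ifconfig attempted to access suspicious domains: "
    "cultimording.org.uk and dsnet",
    "The file /usr/bin/free was downloaded and executed",
    "The file /tmp/php-fpm was downloaded and executed 25 times",
]

EXEC_RE = re.compile(r"^The file (\S+) was downloaded and executed(?: (\d+) times)?$")
CONN_RE = re.compile(r"^Process (\S+) generated outgoing network traffic to: (.+)$")
LISTEN_RE = re.compile(r"^Process (\S+) started listening on ports: (.+)$")
SCAN_RE = re.compile(r"^Process (\S+) scanned port (\d+) on (\d+) IP Addresses$")
DOMAIN_RE = re.compile(r"^Process (\S+) attempted to access suspicious domains: (.+)$")


def split_list(text):
    """Split the page's 'a, b and c' enumerations into items."""
    return [p.strip() for p in re.split(r",\s*|\s+and\s+", text) if p.strip()]


def parse_events(lines):
    """Extract indicators from event lines; lines in other wordings are ignored."""
    iocs = {
        "executed": {},                   # path -> total execution count
        "masquerading": [],               # /tmp drops named like system binaries
        "system_path_drops": [],          # downloads landing on a real binary path
        "connections": defaultdict(set),  # destination port -> hosts
        "listening": set(),
        "scans": [],                      # (port, number of hosts scanned)
        "domains": set(),
    }
    for line in lines:
        line = line.strip()
        if m := EXEC_RE.match(line):
            path, count = m.group(1), int(m.group(2) or 1)
            iocs["executed"][path] = iocs["executed"].get(path, 0) + count
            directory, _, name = path.rpartition("/")
            if directory == "/tmp" and name in LEGIT_BINARY_DIRS:
                iocs["masquerading"].append(path)
            elif LEGIT_BINARY_DIRS.get(name) == directory:
                iocs["system_path_drops"].append(path)
        elif m := CONN_RE.match(line):
            for hostport in split_list(m.group(2)):
                host, port = hostport.rsplit(":", 1)
                iocs["connections"][int(port)].add(host)
        elif m := LISTEN_RE.match(line):
            iocs["listening"].update(int(p) for p in split_list(m.group(2)))
        elif m := SCAN_RE.match(line):
            iocs["scans"].append((int(m.group(2)), int(m.group(3))))
        elif m := DOMAIN_RE.match(line):
            iocs["domains"].update(split_list(m.group(2)))
    return iocs


def summarize(iocs):
    """Separate port-spray traffic from the connections worth chasing."""
    scanned = {port for port, _ in iocs["scans"]}
    dialed = set(iocs["connections"])
    return {
        "masquerading": iocs["masquerading"],
        "system_path_drops": iocs["system_path_drops"],
        "scanned_ports": sorted(scanned),
        # Outbound ports the process never scanned are not spray, so they are
        # the deliberate destinations (C2, payload host, peer) to look at first.
        "unscanned_outbound_ports": sorted(dialed - scanned),
        # A port both listened on and dialed is worth a look for peer traffic.
        "listen_ports_also_dialed": sorted(iocs["listening"] & dialed),
        "suspicious_domains": sorted(iocs["domains"]),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_events(SAMPLE_EVENTS)).items():
        print(f"{key}: {value}")
```

On the sample, the ports 443 and 1234 come out as the unscanned outbound ports and 1234 as the one the process both listens on and dials, so those destinations (and the two domains) are the first candidates for block rules and retro-hunting; hosts reached only on the scanned ports 80, 8080 and 2222 are most likely other scan targets rather than attacker infrastructure. The file /usr/bin/free being downloaded rather than dropped under /tmp is flagged separately, because a download landing on a real binary path means the system's own copy was replaced.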
|