IP Address: 216.83.54.244 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker
Services Targeted | SCP, SSH
Tags | SSH, Superuser Operation, Successful SSH Login, Download and Execute, Download and Allow Execution
Connect Back Servers | 11.83.184.71, 13.132.242.100, 20.103.18.42, 31.101.14.124, 36.36.210.134, 36.41.224.49, 36.131.76.83, 37.46.142.247, 48.234.141.48, 52.236.133.183, 54.38.175.232, 70.153.51.36, 80.147.162.151, 82.156.210.15, 101.42.237.46, 103.16.70.245, 103.52.147.126, 121.35.177.211, 137.116.163.130, 143.13.9.176, 148.185.247.4, 157.189.212.104, 161.234.244.147, 172.4.166.28, 185.221.155.38, 190.14.48.123, 202.61.203.229, 209.126.84.239, 219.251.147.143
IP Address | 216.83.54.244
Domain | -
ISP | Ethr.Net LLC
Country | Hong Kong

WHOIS
Created Date | -
Updated Date | -
Organization | -

First seen in Akamai Guardicore Segmentation | 2022-04-23
Last seen in Akamai Guardicore Segmentation | 2022-04-23
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Event | Tags
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /tmp/ifconfig was downloaded and executed 5 times | Download and Execute
The file /tmp/apache2 was downloaded and executed 212 times | Download and Execute
Process /tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 103.120.223.29:1234, 11.133.38.134:2222, 111.7.82.200:1234, 112.128.197.123:80, 112.128.197.123:8080, 112.218.63.169:80, 112.218.63.169:8080, 117.50.3.175:1234, 121.148.40.39:22, 123.231.200.220:2222, 124.53.165.184:80, 124.53.165.184:8080, 125.176.61.192:80, 125.176.61.192:8080, 128.241.152.181:22, 129.53.222.74:80, 129.53.222.74:8080, 130.15.107.32:80, 130.15.107.32:8080, 130.48.196.27:80, 130.48.196.27:8080, 137.154.142.29:80, 137.154.142.29:8080, 14.189.81.49:2222, 159.4.116.174:80, 159.4.116.174:8080, 165.87.249.123:80, 165.87.249.123:8080, 172.177.130.116:2222, 178.111.61.209:80, 178.111.61.209:8080, 192.73.135.230:80, 192.73.135.230:8080, 194.20.113.8:22, 198.123.90.197:80, 198.123.90.197:8080, 199.19.29.192:80, 199.19.29.192:8080, 200.121.25.230:80, 200.121.25.230:8080, 202.84.102.10:80, 202.84.102.10:8080, 202.90.131.39:1234, 204.59.101.3:80, 204.59.101.3:8080, 212.47.164.225:2222, 23.239.14.3:22, 23.35.230.158:80, 23.35.230.158:8080, 24.88.84.226:80, 24.88.84.226:8080, 240.204.156.88:2222, 241.72.210.61:80, 241.72.210.61:8080, 244.54.69.202:22, 249.60.232.25:22, 250.4.83.88:80, 250.4.83.88:8080, 251.128.171.89:80, 251.128.171.89:8080, 251.217.96.107:80, 251.217.96.107:8080, 37.109.33.121:80, 37.109.33.121:8080, 41.231.127.5:1234, 42.50.126.193:80, 42.50.126.193:8080, 45.245.190.52:2222, 48.94.133.93:2222, 55.216.217.187:80, 55.216.217.187:8080, 6.247.43.128:2222, 69.168.249.43:22, 70.238.187.180:80, 70.238.187.180:8080, 72.235.16.100:80, 72.235.16.100:8080, 81.180.242.174:1234, 81.244.223.199:80, 81.244.223.199:8080, 82.156.179.219:1234, 82.195.151.130:80, 82.195.151.130:8080, 87.242.135.97:2222, 88.160.61.142:80, 88.160.61.142:8080, 98.141.32.124:80 and 98.141.32.124:8080 | Outgoing Connection
Process /tmp/apache2 started listening on ports: 1234, 8085 and 8184 | Listening
Process /tmp/apache2 scanned port 80 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/apache2 scanned port 80 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/apache2 scanned port 2222 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/apache2 scanned port 8080 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/apache2 attempted to access suspicious domains: cultimording.org.uk | Access Suspicious Domain, Outgoing Connection
Process /tmp/apache2 scanned port 2222 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
The file /tmp/php-fpm was downloaded and executed 50 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 48 times | Download and Execute
Connection was closed due to timeout | -
|
File | /var/tmp/php-fpm
SHA256 | d9ee6cbbc40b3b337e3af157b14a1e7ac276c9f27c2efcd8daa21ded4bd810b6
Size | 2875940 bytes