IP Address: 217.66.20.140 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Port 8080 Scan, 3 Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, Access Suspicious Domain, Listening
Associated Attack Servers: 15.116.78.151, 20.141.185.205, 42.137.134.91, 43.186.185.162, 81.70.92.205, 83.84.66.226, 83.181.253.48, 89.108.112.244, 101.193.103.66, 102.206.73.61, 120.53.123.221, 133.95.253.8, 150.158.76.27, 152.136.255.57, 156.206.77.219, 166.127.229.86, 168.195.197.125, 200.30.201.179, 200.72.10.232, 202.69.20.90, 208.7.194.17, 222.165.136.99
IP Address: 217.66.20.140
Domain: -
ISP: MTS PJSC
Country: Russian Federation
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-02-28
Last seen in Akamai Guardicore Segmentation: 2022-04-16
- Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
- Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
- Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
- Outgoing Connection: Process /dev/shm/apache2 generated outgoing network traffic to: 100.180.146.88:80, 100.180.146.88:8080, 101.193.103.66:2222, 102.206.73.61:2222, 103.210.47.162:80, 103.210.47.162:8080, 104.21.25.86:443, 105.163.42.144:80, 105.163.42.144:8080, 107.18.66.128:80, 107.18.66.128:8080, 107.28.222.180:80, 107.28.222.180:8080, 109.128.84.90:80, 109.128.84.90:8080, 109.98.6.180:80, 109.98.6.180:8080, 120.53.123.221:1234, 125.195.110.17:80, 125.195.110.17:8080, 129.210.134.208:80, 129.210.134.208:8080, 133.95.253.8:22, 142.122.175.104:80, 142.122.175.104:8080, 145.128.2.149:80, 145.128.2.149:8080, 15.116.78.151:1234, 150.158.76.27:1234, 151.206.22.161:80, 151.206.22.161:8080, 152.136.255.57:1234, 156.206.77.219:2222, 166.127.229.86:22, 168.195.197.125:2222, 172.67.133.228:443, 176.75.78.160:80, 176.75.78.160:8080, 180.43.253.58:80, 180.43.253.58:8080, 184.231.49.156:80, 184.231.49.156:8080, 20.141.185.205:1234, 200.30.201.179:22, 200.72.10.232:2222, 202.69.20.90:2222, 208.7.194.17:2222, 21.66.185.122:80, 21.66.185.122:8080, 218.69.76.197:80, 218.69.76.197:8080, 222.165.136.99:1234, 252.122.181.75:80, 252.122.181.75:8080, 27.161.234.34:80, 27.161.234.34:8080, 40.138.200.133:80, 40.138.200.133:8080, 41.233.25.219:80, 41.233.25.219:8080, 42.137.134.91:2222, 43.186.185.162:22, 44.60.9.233:80, 44.60.9.233:8080, 47.214.198.242:80, 47.214.198.242:8080, 51.189.174.249:80, 51.189.174.249:8080, 51.199.217.64:80, 51.199.217.64:8080, 51.75.146.174:443, 53.9.59.107:80, 53.9.59.107:8080, 54.243.151.93:80, 54.243.151.93:8080, 63.226.175.160:80, 63.226.175.160:8080, 65.187.64.23:80, 65.187.64.23:8080, 68.89.79.86:80, 68.89.79.86:8080, 7.211.40.185:80, 7.211.40.185:8080, 81.70.92.205:1234, 83.181.253.48:22, 83.84.66.226:2222, 89.108.112.244:22, 96.70.210.18:80 and 96.70.210.18:8080
- Listening: Process /dev/shm/apache2 started listening on ports: 1234, 8088 and 8185
- Port 80 Scan, Port 8080 Scan: Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
- Port 80 Scan, Port 8080 Scan: Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
- Port 80 Scan, Port 8080 Scan: Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
- Port 80 Scan, Port 8080 Scan: Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
- Access Suspicious Domain, Outgoing Connection: Process /dev/shm/apache2 attempted to access suspicious domains: agava.net and tele2.hr
- Connection was closed due to timeout