IP Address: 217.96.143.176 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Download File SSH Superuser Operation Successful SSH Login Download and Execute SCP Download and Allow Execution
Associated Attack Servers: cultimording.org.uk, ovo.sc, telenet.be, 32.89.111.167, 36.77.94.79, 45.11.19.163, 47.37.138.79, 47.107.112.155, 49.236.192.106, 81.109.39.227, 84.193.29.122, 94.26.175.135, 94.80.94.243, 99.240.241.104, 103.111.211.61, 107.46.219.11, 107.173.84.130, 121.172.55.148, 123.149.169.113, 135.181.104.81, 141.147.52.70, 148.251.245.50, 155.23.175.94, 167.156.122.249, 168.212.106.139, 185.10.68.181, 202.90.131.38, 204.218.28.110, 207.1.131.161, 212.57.36.20, 220.243.148.8

IP Address: 217.96.143.176
Domain: -
ISP: Neostrada Plus
Country: Poland

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2022-04-17
Last seen in Akamai Guardicore Segmentation: 2022-04-23
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
[Superuser Operation] A possibly malicious Superuser Operation was detected 2 times
[Download and Execute] The file /root/ifconfig was downloaded and executed 5 times
[Download and Execute] The file /root/apache2 was downloaded and executed 238 times
[Port 22 Scan, Port 80 Scan, Port 8080 Scan] Process /root/ifconfig scanned port 22 on 10 IP Addresses
[Port 22 Scan, Port 80 Scan, Port 8080 Scan] Process /root/ifconfig scanned port 22 on 32 IP Addresses 2 times
[Port 22 Scan, Port 80 Scan, Port 8080 Scan] Process /root/ifconfig scanned port 80 on 10 IP Addresses
[Port 22 Scan, Port 80 Scan, Port 8080 Scan] Process /root/ifconfig scanned port 8080 on 10 IP Addresses
[Outgoing Connection] Process /root/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.244.126.21:22, 103.120.223.29:1234, 106.98.74.9:22, 107.19.226.42:22, 109.215.111.122:80, 109.215.111.122:8080, 110.175.157.216:22, 112.169.75.74:80, 112.169.75.74:8080, 113.219.220.213:80, 113.219.220.213:8080, 119.31.180.224:80, 119.31.180.224:8080, 12.10.23.197:2222, 121.159.224.17:2222, 122.159.103.188:2222, 122.251.192.57:80, 122.251.192.57:8080, 123.125.168.244:2222, 129.42.221.140:2222, 131.226.147.242:80, 131.226.147.242:8080, 135.210.144.196:80, 135.210.144.196:8080, 135.5.211.180:22, 138.185.103.242:80, 138.185.103.242:8080, 145.130.118.116:80, 145.130.118.116:8080, 145.159.219.246:80, 145.159.219.246:8080, 152.59.121.67:80, 152.59.121.67:8080, 156.153.114.57:80, 156.153.114.57:8080, 156.94.200.251:80, 156.94.200.251:8080, 157.92.153.149:22, 17.159.237.189:80, 17.159.237.189:8080, 170.7.23.134:80, 170.7.23.134:8080, 172.66.48.203:80, 172.66.48.203:8080, 173.82.48.12:1234, 175.190.236.236:80, 175.190.236.236:8080, 179.193.20.229:2222, 197.229.178.82:80, 197.229.178.82:8080, 205.53.220.198:80, 205.53.220.198:8080, 209.55.105.226:80, 209.55.105.226:8080, 210.33.251.29:2222, 216.237.62.62:80, 216.237.62.62:8080, 22.93.130.243:80, 22.93.130.243:8080, 220.243.148.80:1234, 223.192.161.226:2222, 243.103.1.221:22, 247.52.205.238:80, 247.52.205.238:8080, 27.158.198.96:80, 27.158.198.96:8080, 31.169.25.190:1234, 42.152.51.203:22, 5.188.79.92:1234, 54.25.98.253:80, 54.25.98.253:8080, 57.44.143.97:80, 57.44.143.97:8080, 59.173.183.107:1234, 64.227.132.175:1234, 65.219.1.241:22, 65.243.95.53:80, 65.243.95.53:8080, 76.59.180.133:80, 76.59.180.133:8080, 77.178.215.220:80, 77.178.215.220:8080, 89.158.8.191:80, 89.158.8.191:8080, 9.69.46.191:80, 9.69.46.191:8080, 95.44.122.245:80 and 95.44.122.245:8080
[Listening] Process /root/ifconfig started listening on ports: 1234, 8082 and 8186
[Access Suspicious Domain, Outgoing Connection] Process /root/ifconfig attempted to access suspicious domains: veloxzone.com.br and yhsrv.com
[Port 22 Scan, Port 80 Scan, Port 8080 Scan] Process /root/ifconfig scanned port 80 on 32 IP Addresses 2 times
[Port 22 Scan, Port 80 Scan, Port 8080 Scan] Process /root/ifconfig scanned port 8080 on 32 IP Addresses 2 times
[Download and Execute] The file /usr/local/bin/dash was downloaded and executed
[Download and Execute] The file /root/php-fpm was downloaded and executed 39 times
[Download and Execute] The file /root/php-fpm was downloaded and executed 19 times
[Download and Execute] The file /root/php-fpm was downloaded and executed 43 times
Connection was closed due to timeout
File: /var/tmp/php-fpm
SHA256: d9ee6cbbc40b3b337e3af157b14a1e7ac276c9f27c2efcd8daa21ded4bd810b6
Size: 2875940 bytes