IP Address: 221.1.215.98 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: SSH, Superuser Operation, Successful SSH Login, Download and Execute, Download and Allow Execution
Associated Attack Servers: 3.110.236.209, 11.226.108.202, 14.117.34.39, 23.133.43.2, 39.5.91.184, 39.99.60.12, 42.122.61.80, 69.23.202.5, 74.127.17.159, 79.52.130.57, 82.58.72.21, 82.156.179.219, 117.196.25.161, 119.244.60.127, 124.92.9.9, 132.226.241.121, 185.10.68.181, 245.161.199.230, 248.87.44.149, 249.13.40.11

Note that 245.161.199.230, 248.87.44.149 and 249.13.40.11 fall inside 240.0.0.0/4, which IANA reserves and which is not routed on the public internet; they cannot be real attack servers and should be treated as sensor artefacts rather than added to a blocklist.
IP Address: 221.1.215.98
Domain: -
ISP: China Unicom Shandong
Country: China
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-13
Last seen in Akamai Guardicore Segmentation: 2022-07-24
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Download and Execute: The file /root/ifconfig was downloaded and executed 5 times
Download and Execute: The file /root/apache2 was downloaded and executed 191 times
Outgoing Connection: Process /root/ifconfig generated outgoing network traffic to: 101.33.203.161:1234, 101.42.90.177:1234, 104.21.25.86:443, 105.214.81.167:80, 105.214.81.167:8080, 106.52.252.228:1234, 111.225.64.135:2222, 113.84.34.120:80, 113.84.34.120:8080, 116.34.117.84:80, 116.34.117.84:8080, 118.209.95.174:80, 118.209.95.174:8080, 121.48.150.103:80, 121.48.150.103:8080, 131.101.98.72:22, 131.248.52.74:80, 131.248.52.74:8080, 134.130.105.196:80, 134.130.105.196:8080, 149.87.8.55:80, 149.87.8.55:8080, 152.84.76.127:80, 152.84.76.127:8080, 159.75.135.54:1234, 160.159.84.23:80, 160.159.84.23:8080, 160.44.60.76:80, 160.44.60.76:8080, 162.44.183.36:22, 169.46.45.54:2222, 17.142.78.2:80, 17.142.78.2:8080, 172.67.133.228:443, 173.143.247.46:22, 19.237.102.235:80, 19.237.102.235:8080, 193.216.253.139:2222, 194.94.110.250:80, 194.94.110.250:8080, 195.123.55.19:80, 195.123.55.19:8080, 195.75.2.111:80, 195.75.2.111:8080, 199.71.93.187:80, 199.71.93.187:8080, 2.251.29.145:80, 2.251.29.145:8080, 20.122.67.178:80, 20.122.67.178:8080, 201.243.43.130:80, 201.243.43.130:8080, 207.152.123.123:2222, 222.165.136.99:1234, 240.161.11.64:2222, 244.46.240.190:2222, 28.212.186.37:80, 28.212.186.37:8080, 28.35.146.176:22, 3.24.103.199:80, 3.24.103.199:8080, 31.152.69.56:80, 31.152.69.56:8080, 32.223.249.61:80, 32.223.249.61:8080, 35.144.228.118:80, 35.144.228.118:8080, 36.177.95.114:80, 36.177.95.114:8080, 4.110.9.222:80, 4.110.9.222:8080, 42.193.193.33:1234, 51.75.146.174:443, 52.103.206.162:80, 52.103.206.162:8080, 52.166.116.190:22, 59.2.46.146:2222, 63.229.57.159:80, 63.229.57.159:8080, 77.239.12.152:80, 77.239.12.152:8080, 79.131.230.72:80, 79.131.230.72:8080, 82.241.166.155:2222, 84.193.29.122:1234, 85.200.5.208:2222, 90.76.215.202:22, 94.48.185.175:80 and 94.48.185.175:8080

The pattern is a fixed pair of ports (80 and 8080) tried against each of many unrelated hosts, plus a smaller set of peers on 22, 1234, 2222 and 443; the former is the scanning behaviour, the latter is where to look for the operator's own infrastructure. As with the attack-server list, 240.161.11.64 and 244.46.240.190 lie in the reserved 240.0.0.0/4 block and are not usable indicators.
Listening: Process /root/ifconfig started listening on ports: 1234, 8085 and 8186
Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 80 on 32 IP addresses
Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 8080 on 32 IP addresses
Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 80 on 32 IP addresses
Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 8080 on 32 IP addresses
Access Suspicious Domain, Outgoing Connection: Process /root/ifconfig attempted to access suspicious domains: bkkb.no, proxad.net, sl-reverse.com and wanadoo.fr
Download and Execute: The file /root/php-fpm was downloaded and executed 6 times
Download and Execute: The file /root/php-fpm was downloaded and executed 16 times
Download and Execute: The file /root/php-fpm was downloaded and executed 13 times
Download and Execute: The file /usr/local/bin/dash was downloaded and executed
Download and Execute: The file /root/php-fpm was downloaded and executed 5 times
Connection was closed due to timeout

Every dropped file borrows the name of a legitimate binary (ifconfig, apache2, php-fpm, dash) but runs from /root or /usr/local/bin rather than the package-managed path it imitates. The name alone is therefore not a useful indicator; the combination of a familiar name with an unexpected path, written by an interactive root SSH session, is.
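The timeline above is free text, and a practitioner usually wants it as a set of indicators with the obvious noise removed. The following is an added example, not code from the Akamai Guardicore page: it parses event lines of the shape shown above into structured indicators, flags dropped files that carry a system binary's name but live outside the system bin directories, separates reserved-range addresses from the peer list before anyone turns it into a blocklist, and measures the per-port fan-out that marks the scanner behaviour. The event strings in EVENTS are copied from the timeline (with the long peer list trimmed); KNOWN_BINARY_NAMES and SYSTEM_BIN_DIRS are this example's own assumptions.

```python
"""Parse Guardicore-style incident event text into indicators and behaviour flags.
Added example, not code from the Akamai Guardicore page; KNOWN_BINARY_NAMES and
SYSTEM_BIN_DIRS are assumptions made here, not part of the original report."""
import ipaddress
import posixpath
import re
from collections import defaultdict

# Constructed sample input: event lines copied from the incident timeline,
# with the long peer list shortened to a handful of entries.
EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** "
    "- Authentication policy: Correct Password",
    "The file /root/ifconfig was downloaded and executed 5 times",
    "The file /root/apache2 was downloaded and executed 191 times",
    "Process /root/ifconfig generated outgoing network traffic to: 101.33.203.161:1234, "
    "104.21.25.86:443, 105.214.81.167:80, 105.214.81.167:8080, 240.161.11.64:2222, "
    "17.142.78.2:80, 17.142.78.2:8080, 244.46.240.190:2222, 3.24.103.199:80 and 3.24.103.199:8080",
    "Process /root/ifconfig started listening on ports: 1234, 8085 and 8186",
    "Process /root/ifconfig scanned port 80 on 32 IP Addresses",
    "Process /root/ifconfig attempted to access suspicious domains: bkkb.no, proxad.net, "
    "sl-reverse.com and wanadoo.fr",
    "The file /root/php-fpm was downloaded and executed 6 times",
    "The file /usr/local/bin/dash was downloaded and executed",
]

# Assumed: where a genuine copy of these binaries lives on a Debian-style host.
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin"}
# Assumed: names to treat as masquerade candidates when found anywhere else.
KNOWN_BINARY_NAMES = {"ifconfig", "apache2", "php-fpm", "dash"}

IP_PORT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
FILE_RE = re.compile(r"The file (\S+) was downloaded and executed(?: (\d+) times)?")
LISTEN_RE = re.compile(r"started listening on ports: (.+)$")
DOMAIN_RE = re.compile(r"suspicious domains: (.+)$")
DOMAIN_TOKEN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")


def parse_events(events):
    """Turn the free-text event lines into one structured report."""
    report = {
        "root_ssh_login": False,
        "dropped": defaultdict(int),   # path -> number of executions
        "peers": set(),                # (ip, port) pairs the process connected to
        "listening": set(),            # ports the process opened
        "domains": set(),
    }
    for text in events:
        if "logged in using SSH" in text and "credentials: root /" in text:
            report["root_ssh_login"] = True
        m = FILE_RE.search(text)
        if m:  # a missing "N times" suffix means a single execution
            report["dropped"][m.group(1)] += int(m.group(2) or 1)
        if "outgoing network traffic" in text:
            for ip, port in IP_PORT_RE.findall(text):
                report["peers"].add((ip, int(port)))
        m = LISTEN_RE.search(text)
        if m:
            report["listening"].update(int(p) for p in re.findall(r"\d+", m.group(1)))
        m = DOMAIN_RE.search(text)
        if m:
            report["domains"].update(DOMAIN_TOKEN_RE.findall(m.group(1)))
    return report


def is_bogon(ip):
    """True when the address cannot be a real internet peer (reserved 240/4, RFC 1918, ...)."""
    return not ipaddress.ip_address(ip).is_global


def masquerading_binaries(report):
    """Dropped files that carry a system binary's name but sit outside the system bin dirs."""
    return sorted(
        path for path in report["dropped"]
        if posixpath.basename(path) in KNOWN_BINARY_NAMES
        and posixpath.dirname(path) not in SYSTEM_BIN_DIRS
    )


def blockable_peers(report):
    """Split peers into (usable indicators, bogons) so reserved addresses never reach a blocklist."""
    keep, discard = set(), set()
    for ip, port in report["peers"]:
        (discard if is_bogon(ip) else keep).add((ip, port))
    return keep, discard


def fanout_by_port(report):
    """Distinct destination IPs per port; a wide fan-out on 80/8080 is the scanner behaviour."""
    per_port = defaultdict(set)
    for ip, port in report["peers"]:
        per_port[port].add(ip)
    return {port: len(ips) for port, ips in per_port.items()}


if __name__ == "__main__":
    r = parse_events(EVENTS)
    keep, discard = blockable_peers(r)
    print("root SSH login:", r["root_ssh_login"], "| listening:", sorted(r["listening"]))
    print("masquerading binaries:", masquerading_binaries(r))
    print("peers to block:", len(keep), "| bogons discarded:", sorted(discard))
    print("fan-out by port:", fanout_by_port(r))
```

The bogon filter relies on `ipaddress`'s `is_global`, which already knows that 240.0.0.0/4 and the RFC 1918 ranges are not routable; the masquerade check is deliberately path-based, because on the victim the real `ifconfig` and `dash` were still present in their normal locations and only the copies under /root and /usr/local/bin were malicious.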