IP Address: 222.134.240.91 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SCP, SSH |
Tags |
SSH, Superuser Operation, SCP Download File, Download and Allow Execution, Successful SSH Login, Download and Execute |
Associated Attack Servers |
af.mil, bezeqint.net, ciphertel.com, cultimording.org.uk, hostoweb.com, infolink.ru, kj4l3yh8.cn, onvol.net, qwest.net, sercomtel.com.br, tpnet.pl, upc.nl, zcrtyshop.club, 1.13.18.11, 1.14.166.163, 1.15.13.216, 3.133.124.243, 3.233.198.101, 5.31.72.58, 5.74.149.12, 5.161.42.72, 5.227.65.226, 7.163.193.177, 8.61.57.213, 8.111.7.183, 12.23.46.220, 12.30.158.150, 13.82.215.148, 14.185.205.46, 17.220.101.106, 17.235.251.248, 18.145.208.20, 18.224.203.152, 20.58.184.140, 20.213.160.64, 22.85.190.183, 23.99.105.199, 24.32.65.138, 24.101.57.13, 24.233.26.241, 26.93.211.104, 26.174.89.217, 26.243.63.218 |
IP Address |
222.134.240.91 |
|
Domain |
- |
|
ISP |
China Unicom Shandong |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2021-12-31 |
Last seen in Akamai Guardicore Segmentation |
2024-06-22 |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password (4 times) |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 22 times |
Superuser Operation |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 153 times |
Download and Execute |
Process /root/apache2 scanned port 1234 on 37 IP Addresses |
Port 1234 Scan |
Process /var/tmp/apache2 scanned port 1234 on 37 IP Addresses 2 times |
Port 1234 Scan |
Process /root/apache2 scanned port 1234 on 37 IP Addresses |
Port 1234 Scan |
Process /etc/apache2 scanned port 1234 on 37 IP Addresses |
Port 1234 Scan |
Process /root/ifconfig scanned port 1234 on 37 IP Addresses |
Port 1234 Scan |
Process /etc/ifconfig scanned port 1234 on 37 IP Addresses 2 times |
Port 1234 Scan, Port 80 Scan |
Process /etc/ifconfig scanned port 1234 on 36 IP Addresses |
Port 1234 Scan, Port 80 Scan |
Process /etc/ifconfig scanned port 80 on 37 IP Addresses |
Port 1234 Scan, Port 80 Scan |
Process /root/apache2 started listening on ports: 1234, 8086 and 8189 |
Listening |
The file /var/tmp/ifconfig was downloaded and executed 6 times |
Download and Execute |
The file /var/tmp/apache2 was downloaded and executed 76 times |
Download and Execute |
Process /var/tmp/apache2 started listening on ports: 1234, 8088 and 8182 |
Listening |
Process /var/tmp/apache2 generated outgoing network traffic to: 101.35.198.225:1234, 120.224.143.251:1234, 148.71.35.230:1234, 157.245.137.18:1234, 182.224.177.33:1234, 209.216.177.158:1234, 31.14.115.42:1234, 85.105.82.39:1234 and 85.51.24.68:1234 |
Outgoing Connection |
The file /var/tmp/ifconfig was downloaded and executed 3 times |
Download and Execute |
The file /var/tmp/apache2 was downloaded and executed 111 times |
Download and Execute |
Process /var/tmp/apache2 started listening on ports: 1234, 8085 and 8189 |
Listening |
The file /root/ifconfig was downloaded and executed 6 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 88 times |
Download and Execute |
Process /root/apache2 started listening on ports: 1234, 8080 and 8187 |
Listening |
The file /etc/ifconfig was downloaded and executed 5 times |
Download and Execute |
Process /etc/apache2 started listening on ports: 1234, 8084 and 8182 |
Listening |
The file /etc/apache2 was downloaded and executed 90 times |
Download and Execute |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 104 times |
Download and Execute |
Process /root/ifconfig started listening on ports: 1234, 8088 and 8180 |
Listening |
Process /etc/apache2 generated outgoing network traffic to: 213.255.16.156:1234 |
Outgoing Connection |
Process /root/ifconfig generated outgoing network traffic to: 169.254.85.1:1234 |
Outgoing Connection |
The file /etc/ifconfig was downloaded and executed 6 times |
Download and Execute |
The file /etc/apache2 was downloaded and executed 129 times |
Download and Execute |
Process /etc/ifconfig started listening on ports: 1234, 8085 and 8186 |
Listening |
The file /etc/apache2 was downloaded and executed 317 times |
Download and Execute |
Process /etc/ifconfig generated outgoing network traffic to: 120.236.74.234:1234, 121.199.57.14:1234, 187.6.3.3:1234 and 62.12.106.6:1234 |
Outgoing Connection |
The file /etc/ifconfig was downloaded and executed 3 times |
Download and Execute |
Process /etc/ifconfig started listening on ports: 1234, 8081 and 8189 |
Listening |
Process /etc/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.220.98.197:1234, 103.105.12.48:1234, 105.200.105.88:80, 105.205.94.83:80, 117.80.212.33:1234, 118.218.209.149:1234, 120.224.143.251:1234, 120.236.69.162:1234, 121.199.57.14:1234, 126.227.186.52:80, 13.36.151.196:1234, 130.160.240.241:80, 130.80.121.227:80, 134.194.171.96:80, 139.112.9.213:80, 139.59.135.142:1234, 144.251.28.74:80, 147.182.233.56:1234, 156.108.121.171:80, 157.245.137.18:1234, 16.15.167.78:80, 162.93.20.242:80, 164.159.135.55:80, 17.160.26.119:80, 17.248.38.244:80, 171.251.109.165:80, 178.140.136.178:1234, 178.73.213.80:80, 179.40.167.148:80, 180.22.160.182:80, 182.156.76.11:80, 188.104.206.62:80, 191.242.188.103:1234, 193.91.102.76:80, 199.165.17.138:80, 2.52.136.145:80, 217.85.239.81:1234, 222.165.136.99:1234, 247.220.153.156:80, 248.10.69.195:80, 31.14.115.42:1234, 36.112.152.152:1234, 37.188.220.65:80, 37.221.204.2:80, 39.31.87.171:80, 46.173.4.208:80, 5.28.139.161:1234, 53.29.193.112:80, 59.1.226.211:1234, 61.102.42.5:1234, 62.195.2.68:1234, 74.198.244.116:80, 76.210.81.161:80, 82.66.109.74:1234, 84.16.224.173:1234, 85.51.217.156:1234, 87.129.56.141:80, 88.63.191.164:80, 89.116.162.242:80, 89.212.123.191:1234 and 93.106.64.157:80 |
Outgoing Connection |
Process /etc/ifconfig scanned port 80 on 36 IP Addresses |
Port 1234 Scan, Port 80 Scan |
Connection was closed due to user inactivity |
|
/etc/ifconfig |
SHA256: 01d2abd180e3e0b934f7ec18ed7e10077011330827b58bec9c3cf5eea93ba215 |
622592 bytes |
/var/tmp/ifconfig |
SHA256: 2fd96aa6470f930f543ef665fcc62ffa4dfe6646b8f506c11b452a191800285b |
2392064 bytes |
/var/tmp/ifconfig |
SHA256: 331f1ead3df8fed58ccf68da781f34b2f228a5c37f3bb245b836a4b49b1cf269 |
557056 bytes |
/var/tmp/ifconfig |
SHA256: 35b110f66523d2471be5b955bff5de91626218640b178a5b1a688c8f5ca175b7 |
524288 bytes |
/var/tmp/ifconfig |
SHA256: 550307921085269ac7b53b3492fbffd8dc7bb9deaee1b26d433b3ebb40282384 |
2195456 bytes |
/var/tmp/ifconfig |
SHA256: 6ee5b0eadb32669e495a5d4157119d3a8248235f0b3e21084070fb6bb45ca89e |
950272 bytes |
/var/tmp/ifconfig |
SHA256: 7a151a737f5235637e5c8330427003eec1f39e4a1e8d16bf5c7e63e6585d50ce |
819200 bytes |
/var/tmp/ifconfig |
SHA256: 80d3ecae96d9f7728ff6a39a2c057a6a6eb0a955742e379629c9f3803b00af4b |
2758160 bytes |
/var/tmp/ifconfig |
SHA256: 81f5000fcd9f3bd2888827dbdcf11b4ed6b964ad379dd78bae907460824533eb |
786432 bytes |
/var/tmp/ifconfig |
SHA256: 861921d16b4f8870dda3d79aecaa828b713b8e41b29ec977aca10c236356144e |
1507328 bytes |
/root/ifconfig |
SHA256: 8a53c1d12942d21d2876a4b8d1eeed8a33a4a9d9f6d1ff3474980278e76a7cc9 |
1310720 bytes |
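A host-side check for the indicators on this page, added here as an example; it is not code from the Akamai Guardicore page. It takes the attacker IP, the six drop paths, the port 1234 listener and the eleven SHA256 values from the record above and does three things: flags root password logins and any login from 222.134.240.91 in sshd log lines, flags listeners on 1234 or owned by a process named ifconfig in `ss -tlnp` output, and hashes any regular file sitting at one of the drop paths. The sshd and ss sample lines are constructed for the demo, and every function name is this example's own.

```python
"""IOC check for the activity attributed to 222.134.240.91.

Added example, not code from the Akamai Guardicore page. The attacker IP,
drop paths, C2 port and hashes come from the page; the sample log lines are
constructed for the demo and the function names are this example's own.
"""
import hashlib
import re
from pathlib import Path

ATTACKER_IP = "222.134.240.91"
C2_PORT = 1234  # every dropped binary listened on, scanned for, and called out to this port

# SHA256 values the page lists for the dropped binaries.
KNOWN_HASHES = {
    "01d2abd180e3e0b934f7ec18ed7e10077011330827b58bec9c3cf5eea93ba215",
    "2fd96aa6470f930f543ef665fcc62ffa4dfe6646b8f506c11b452a191800285b",
    "331f1ead3df8fed58ccf68da781f34b2f228a5c37f3bb245b836a4b49b1cf269",
    "35b110f66523d2471be5b955bff5de91626218640b178a5b1a688c8f5ca175b7",
    "550307921085269ac7b53b3492fbffd8dc7bb9deaee1b26d433b3ebb40282384",
    "6ee5b0eadb32669e495a5d4157119d3a8248235f0b3e21084070fb6bb45ca89e",
    "7a151a737f5235637e5c8330427003eec1f39e4a1e8d16bf5c7e63e6585d50ce",
    "80d3ecae96d9f7728ff6a39a2c057a6a6eb0a955742e379629c9f3803b00af4b",
    "81f5000fcd9f3bd2888827dbdcf11b4ed6b964ad379dd78bae907460824533eb",
    "861921d16b4f8870dda3d79aecaa828b713b8e41b29ec977aca10c236356144e",
    "8a53c1d12942d21d2876a4b8d1eeed8a33a4a9d9f6d1ff3474980278e76a7cc9",
}

# Paths the page reports as "downloaded and executed". The names mimic real
# binaries, but neither ifconfig nor apache2 is ever installed in these places.
DROP_PATHS = (
    "/root/ifconfig", "/root/apache2",
    "/var/tmp/ifconfig", "/var/tmp/apache2",
    "/etc/ifconfig", "/etc/apache2",
)


def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_drop_paths(root="/"):
    """Report every drop path that holds a regular file under `root`, with its
    hash and whether the hash is one the page lists. `root` is a parameter so
    the same check runs against a mounted image or a test tree. Only regular
    files count: on Debian-family hosts /etc/apache2 is the package's
    configuration directory and must not be reported."""
    root = Path(root)
    hits = []
    for p in DROP_PATHS:
        f = root / p.lstrip("/")
        if f.is_file():
            digest = sha256_of(f)
            hits.append({"path": p, "sha256": digest, "known_hash": digest in KNOWN_HASHES})
    return hits


AUTH_RE = re.compile(
    r"Accepted (?P<method>password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port (?P<port>\d+)")


def flag_ssh_logins(auth_lines):
    """Flag root password logins (the page's entry vector) and any login
    from the attacker IP in sshd auth log lines."""
    flagged = []
    for line in auth_lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        reasons = []
        if m["user"] == "root" and m["method"] == "password":
            reasons.append("root password login")
        if m["ip"] == ATTACKER_IP:
            reasons.append("known attacker IP")
        if reasons:
            flagged.append({"user": m["user"], "ip": m["ip"], "reasons": reasons})
    return flagged


SS_RE = re.compile(
    r'LISTEN\s+\d+\s+\d+\s+\S+:(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')


def flag_listeners(ss_lines):
    """Flag `ss -tlnp` listeners matching the page: anything on port 1234, and
    any process called ifconfig (the real ifconfig never listens). apache2 on
    port 80 is normal, so it is not flagged by name; the pid is returned so the
    caller can resolve /proc/<pid>/exe against DROP_PATHS."""
    flagged = []
    for line in ss_lines:
        m = SS_RE.search(line)
        if not m:
            continue
        port, proc, pid = int(m["port"]), m["proc"], int(m["pid"])
        if port == C2_PORT or proc == "ifconfig":
            flagged.append({"port": port, "proc": proc, "pid": pid})
    return flagged


# Constructed sample input for the demo (not taken from the page).
SAMPLE_AUTH = [
    "Jun 22 03:14:07 host sshd[812]: Accepted password for root from 222.134.240.91 port 51022 ssh2",
    "Jun 22 03:15:10 host sshd[830]: Accepted publickey for deploy from 10.0.0.5 port 40110 ssh2",
    "Jun 22 03:16:01 host sshd[841]: Failed password for root from 222.134.240.91 port 51100 ssh2",
]
SAMPLE_SS = [
    'LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("apache2",pid=611,fd=4))',
    'LISTEN 0 128 0.0.0.0:1234 0.0.0.0:* users:(("apache2",pid=2991,fd=3))',
    'LISTEN 0 128 0.0.0.0:8186 0.0.0.0:* users:(("ifconfig",pid=3010,fd=5))',
]

if __name__ == "__main__":
    print(flag_ssh_logins(SAMPLE_AUTH))
    print(flag_listeners(SAMPLE_SS))
    print(scan_drop_paths("/"))
```

The nine distinct hashes recorded for /var/tmp/ifconfig alone show the binary is re-fetched as different builds, so an empty hash match is not a clean bill of health: an unexpected regular file at any of these paths, or a listener on 1234, is the stronger signal. Each dropped process also opened one port in the 8080-8088 range and one in 8180-8189, which is worth a second `ss` pass once a 1234 listener is found.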