IP Address: 223.171.91.136Previously Malicious
IP Address: 223.171.91.136Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP SSH |
Tags |
SSH Superuser Operation SCP Download File Successful SSH Login Download and Execute |
Associated Attack Servers |
105.135.162.173 124.223.14.100 156.250.125.176 172.64.110.32 172.64.111.32 172.64.200.11 172.64.201.11 209.216.177.158 209.216.177.238 |
IP Address |
223.171.91.136 |
|
Domain |
- |
|
ISP |
LG Uplus |
|
Country |
Korea, Republic of |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-05-11 |
Last seen in Akamai Guardicore Segmentation |
2022-10-27 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 5 times |
Successful SSH Login |
/tmp/ifconfig was downloaded |
Download File |
./ifconfig was downloaded |
Download File |
A possibly malicious Superuser Operation was detected 8 times |
Superuser Operation |
The file /root/ifconfig was downloaded and executed 4 times |
Download and Execute |
Process /root/ifconfig scanned port 1234 on 51 IP Addresses |
Port 1234 Scan |
Process /bin/nc.openbsd scanned port 1234 on 51 IP Addresses |
Port 1234 Scan |
Process /var/tmp/apache2 scanned port 1234 on 51 IP Addresses |
Port 1234 Scan |
Process /root/ifconfig scanned port 1234 on 51 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /root/ifconfig scanned port 1234 on 16 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /root/ifconfig scanned port 80 on 51 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /usr/sbin/sshd scanned port 1234 on 51 IP Addresses |
Port 1234 Scan |
Process /etc/apache2 scanned port 1234 on 51 IP Addresses |
Port 1234 Scan |
Process /root/ifconfig generated outgoing network traffic to: 103.105.12.48:1234, 117.16.44.111:1234, 117.80.212.33:1234, 150.107.95.20:1234, 161.35.79.199:1234, 172.64.200.11:443, 172.64.201.11:443, 173.18.35.41:1234, 183.213.26.13:1234, 184.83.112.246:1234, 185.210.144.122:1234, 190.12.120.30:1234, 190.60.239.44:1234, 191.242.182.210:1234, 209.216.177.158:1234, 222.100.124.62:1234, 222.103.98.58:1234, 222.134.240.92:1234, 222.165.136.99:1234, 223.171.91.149:1234, 31.19.237.170:1234, 39.175.68.100:1234, 45.120.216.114:1234, 49.233.159.222:1234, 51.75.146.174:443, 80.147.162.151:1234, 82.66.5.84:1234, 84.204.148.99:1234, 86.133.233.66:1234 and 89.212.123.191:1234 |
Outgoing Connection |
The file /root/apache2 was downloaded and executed 255 times |
Download and Execute |
Process /root/ifconfig started listening on ports: 1234, 8085 and 8187 |
Listening |
The file /var/tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /var/tmp/apache2 was downloaded and executed 19 times |
Download and Execute |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 969 times |
Download and Execute |
Process /root/ifconfig generated outgoing network traffic to: 101.134.222.96:80, 103.152.118.20:1234, 103.90.177.102:1234, 111.53.11.130:1234, 113.14.165.107:80, 116.226.194.51:80, 117.54.14.169:1234, 117.80.212.33:1234, 118.41.204.72:1234, 120.236.78.194:1234, 120.31.133.162:1234, 124.223.14.100:1234, 142.250.190.4:443, 147.182.233.56:1234, 161.70.98.32:1234, 167.74.163.237:80, 172.64.200.11:443, 172.64.201.11:443, 173.18.35.41:1234, 182.224.177.56:1234, 184.83.112.246:1234, 190.12.120.30:1234, 190.138.240.233:1234, 190.60.239.44:1234, 191.242.182.210:1234, 20.141.185.205:1234, 205.116.56.91:80, 206.189.25.255:1234, 212.57.36.20:1234, 215.178.217.16:80, 218.75.118.136:80, 220.243.148.80:1234, 222.100.124.62:1234, 222.121.63.87:1234, 241.136.249.151:80, 253.131.58.42:80, 27.69.236.62:80, 4.188.151.64:80, 45.120.216.114:1234, 49.233.159.222:1234, 51.159.19.47:1234, 51.75.146.174:443, 60.206.77.132:80, 61.84.162.66:1234, 66.208.201.125:80, 76.35.56.72:80, 84.204.148.99:1234, 85.105.82.39:1234, 86.220.30.252:80, 89.175.23.53:80, 89.212.123.191:1234, 94.153.165.43:1234 and 95.154.21.210:1234 |
Outgoing Connection |
Process /root/ifconfig started listening on ports: 1234, 8080 and 8188 |
Listening |
System file /etc/ifconfig was modified 9 times |
System File Modification |
System file /etc/apache2 was modified 4 times |
System File Modification |
The file /etc/ifconfig was downloaded and executed |
Download and Execute |
The file /etc/apache2 was downloaded and granted execution privileges |
|
Process /etc/apache2 generated outgoing network traffic to: 172.64.200.11:443 |
Outgoing Connection |
Process /root/ifconfig scanned port 80 on 16 IP Addresses |
Port 1234 Scan Port 80 Scan |
Connection was closed due to user inactivity |
|
/etc/ifconfig |
SHA256: d98f35f48edbfa72c3b9ba05c154b6b6aa2422e097498e5a7401f4220dec2d1a |
1671168 bytes |