IP Address: 3.145.189.99Previously Malicious
IP Address: 3.145.189.99Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP SSH |
Tags |
Port 1234 Scan 8 Shell Commands SSH Listening SCP Port 80 Scan Port 8080 Scan Superuser Operation Download and Allow Execution Successful SSH Login Download and Execute Download File Outgoing Connection |
Associated Attack Servers |
IP Address |
3.145.189.99 |
|
Domain |
- |
|
ISP |
Amazon.com |
|
Country |
United States |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-08-17 |
Last seen in Akamai Guardicore Segmentation |
2022-09-15 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 9 times |
Successful SSH Login |
/tmp/ifconfig was downloaded |
Download File |
./ifconfig was downloaded |
Download File |
/var/tmp/ifconfig was downloaded |
Download File |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 96 times |
Download and Execute |
Process /root/apache2 scanned port 1234 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/apache2 scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/apache2 scanned port 1234 on 27 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/apache2 scanned port 80 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/apache2 scanned port 8080 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /bin/bash scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /root/apache2 generated outgoing network traffic to: 1.1.1.1:443, 1.220.98.197:1234, 101.140.251.122:80, 101.140.251.122:8080, 103.15.195.227:80, 103.15.195.227:8080, 103.54.53.33:80, 103.54.53.33:8080, 108.234.87.134:80, 117.38.142.37:80, 117.38.142.37:8080, 120.224.34.31:1234, 120.236.78.194:1234, 120.31.133.162:1234, 123.132.238.210:1234, 124.223.14.100:1234, 139.26.85.85:80, 139.26.85.85:8080, 142.250.190.68:443, 154.162.186.248:80, 154.162.186.248:8080, 156.171.191.27:80, 156.171.191.27:8080, 161.107.113.34:1234, 161.73.200.19:80, 161.73.200.19:8080, 172.67.133.228:443, 176.146.202.70:80, 182.224.177.56:1234, 183.213.26.13:1234, 185.210.144.122:1234, 190.60.239.44:1234, 191.242.188.103:1234, 194.223.73.17:80, 194.223.73.17:8080, 196.238.91.233:80, 196.238.91.233:8080, 197.117.142.237:80, 204.150.112.235:80, 204.150.112.235:8080, 205.173.249.136:80, 205.173.249.136:8080, 206.189.25.255:1234, 207.140.145.90:80, 207.140.145.90:8080, 212.57.36.20:1234, 220.125.42.174:80, 220.125.42.174:8080, 220.243.148.80:1234, 222.103.98.58:1234, 223.171.91.127:1234, 223.171.91.191:1234, 241.253.58.214:80, 241.253.58.214:8080, 242.208.199.11:80, 242.208.199.11:8080, 242.82.245.13:80, 242.82.245.13:8080, 25.227.222.41:80, 25.227.222.41:8080, 29.104.162.221:80, 29.104.162.221:8080, 39.175.68.100:1234, 42.179.124.229:80, 42.179.124.229:8080, 49.106.30.78:80, 49.106.30.78:8080, 50.92.137.190:80, 50.92.137.190:8080, 51.75.146.174:443, 54.209.34.14:80, 54.209.34.14:8080, 60.168.41.210:80, 60.168.41.210:8080, 61.84.162.66:1234, 65.43.45.93:80, 65.43.45.93:8080, 76.158.202.118:80, 77.130.47.200:80, 8.8.4.4:443, 8.8.8.8:443, 80.99.94.173:80, 80.99.94.173:8080, 82.149.112.170:1234, 82.66.5.84:1234, 85.105.82.39:1234, 93.176.229.145:1234, 98.12.76.66:80 and 98.12.76.66:8080 |
Outgoing Connection |
Process /root/apache2 started listening on ports: 1234, 8088 and 8180 |
Listening |
Process /root/apache2 scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/apache2 scanned port 80 on 27 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/apache2 scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/apache2 scanned port 8080 on 27 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
The file /usr/bin/free was downloaded and executed |
Download and Execute |
The file /usr/bin/uptime was downloaded and executed 2 times |
Download and Execute |
The file /usr/local/bin/dash was downloaded and executed |
Download and Execute |
Connection was closed due to timeout |
|
/var/tmp/ifconfig |
SHA256: 003fc3b1c6259d744b011cde32a47e8cb0b00708ebec1465839b9c14279bc70b |
262144 bytes |
/var/tmp/ifconfig |
SHA256: 1a44fca7624fff41bb0115d35ece06c6b145c23503b4e50eddc373c148b94a1d |
720896 bytes |
/var/tmp/ifconfig |
SHA256: 1b40245f21f1cb845b7fdf2428315166a8b1d8d5e1e42cd290cd8e479ed61ad7 |
2129920 bytes |
/var/tmp/ifconfig |
SHA256: 2aacc3f6c14a2bd120ce9f7cab7af1f4d3e207bea33d56f02a14f75613a7930c |
786432 bytes |
/var/tmp/ifconfig |
SHA256: 331f1ead3df8fed58ccf68da781f34b2f228a5c37f3bb245b836a4b49b1cf269 |
557056 bytes |
/var/tmp/ifconfig |
SHA256: 3b9707d2b3c510499a866fe655f57f05eba1eb55566b03979602e5b9d6616a05 |
655360 bytes |
/var/tmp/ifconfig |
SHA256: 550307921085269ac7b53b3492fbffd8dc7bb9deaee1b26d433b3ebb40282384 |
2195456 bytes |
/root/ifconfig |
SHA256: 60cc0b454c5174dc5ec389859f0890a7ac0733c005f894083585a4274b71de5b |
2719744 bytes |