IP Address: 31.18.172.43 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network.

Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Port 1234 Scan, SSH, Listening, SCP, Port 80 Scan, Port 8080 Scan, Superuser Operation, 10 Shell Commands, Successful SSH Login, Download and Execute, Download File, Outgoing Connection

Associated Attack Servers
IP Address: 31.18.172.43
Domain: -
ISP: Vodafone Kabel Deutschland
Country: Germany
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2022-08-29
Last seen in Akamai Guardicore Segmentation: 2022-09-01
Attack timeline (event, followed by its tags in square brackets)

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List [Successful SSH Login]
Process /bin/nc.openbsd scanned port 1234 on 25 IP addresses [Port 1234 Scan]
Process /root/apache2 scanned port 1234 on 25 IP addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /root/apache2 scanned port 1234 on 32 IP addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /root/apache2 scanned port 1234 on 18 IP addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /root/apache2 scanned port 80 on 25 IP addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /root/apache2 scanned port 8080 on 25 IP addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /usr/sbin/sshd scanned port 1234 on 25 IP addresses [Port 1234 Scan]
Process /bin/nc.openbsd scanned port 1234 on 25 IP addresses [Port 1234 Scan]
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password, 11 times [Successful SSH Login]
/dev/shm/ifconfig was downloaded [Download File]
/tmp/ifconfig was downloaded [Download File]
./ifconfig was downloaded [Download File]
/var/tmp/ifconfig was downloaded [Download File]
A possibly malicious Superuser Operation was detected 2 times [Superuser Operation]
The file /root/ifconfig was downloaded and executed 5 times [Download and Execute]
The file /root/apache2 was downloaded and executed 108 times [Download and Execute]
Process /root/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.200.15.70:80, 101.42.90.177:1234, 104.21.25.86:443, 112.235.54.234:80, 117.16.44.111:1234, 117.54.14.169:1234, 118.218.209.149:1234, 120.224.34.31:1234, 120.236.78.194:1234, 124.115.231.214:1234, 124.223.14.100:1234, 124.223.14.100:22, 126.188.222.250:80, 126.188.222.250:8080, 138.14.218.201:80, 138.14.218.201:8080, 141.107.173.44:80, 143.25.197.81:80, 146.43.208.104:80, 146.43.208.104:8080, 153.189.57.48:80, 153.189.57.48:8080, 161.107.113.34:1234, 161.144.235.228:80, 161.144.235.228:8080, 162.24.59.112:80, 162.24.59.112:8080, 165.175.207.71:80, 172.217.4.36:443, 173.217.230.226:80, 173.217.230.226:8080, 177.24.190.244:80, 184.83.112.246:1234, 190.12.120.30:1234, 190.60.239.44:1234, 191.180.237.103:80, 191.180.237.103:8080, 205.5.33.161:80, 210.36.150.92:80, 210.36.150.92:8080, 211.162.184.120:1234, 220.243.148.80:1234, 222.100.124.62:1234, 222.121.63.87:1234, 222.134.240.91:1234, 223.171.91.127:1234, 223.171.91.160:1234, 241.67.178.253:80, 241.67.178.253:8080, 26.44.139.12:80, 27.202.244.197:80, 27.202.244.197:8080, 38.53.65.110:80, 38.53.65.110:8080, 4.58.248.36:80, 4.58.248.36:8080, 49.15.244.250:80, 49.15.244.250:8080, 49.233.159.222:1234, 51.75.146.174:443, 51.91.203.142:80, 56.26.53.187:80, 56.26.53.187:8080, 6.205.74.136:80, 60.162.8.239:80, 60.162.8.239:8080, 61.77.105.219:1234, 62.112.212.226:80, 62.112.212.226:8080, 63.154.94.245:80, 70.157.227.177:80, 8.8.8.8:443, 89.212.123.191:1234, 92.180.78.157:80, 92.180.78.157:8080, 92.235.195.215:80, 95.154.21.210:1234 and 95.97.65.247:80 [Outgoing Connection]
Process /root/apache2 started listening on ports: 1234, 8088 and 8183 [Listening]
Process /root/apache2 scanned port 80 on 32 IP addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /root/apache2 scanned port 80 on 18 IP addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /root/apache2 scanned port 8080 on 32 IP addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /root/apache2 scanned port 8080 on 18 IP addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Connection was closed due to timeout

Downloaded files (path, SHA256, size)

/var/tmp/ifconfig
SHA256: 0714ec5521ae6a3a058ad379f0e65f8d512eda05239e9e72223a79b456e4362f
Size: 1933312 bytes

/var/tmp/ifconfig
SHA256: 8e7cf70465391f66bc440eba9c30c73995725eaa95fe9f8ba9da6ecbe060c085
Size: 2424832 bytes

/var/tmp/ifconfig
SHA256: b3b7551f344bdc4021e89ae74961531531a7dedf23e7b2d0364e21d052271ae2
Size: 1114112 bytes

/var/tmp/ifconfig
SHA256: f28c1becc58c6ae5d449da0b0f68f4def9db80ba792ab4486a7177e0ecd62b74
Size: 851968 bytes