IP Address: 38.75.229.170 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP, SSH |
Tags |
Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution |
Associated Attack Servers |
btcentralplus.com cloudhost.asia cultimording.org.uk gvt.net.br ip-54-38-175.eu jaguar-network.net online.tj.cn t-com.ne.jp ziggozakelijk.nl 5.245.49.15 9.163.176.219 13.66.15.9 31.244.78.253 35.170.191.119 37.163.250.142 41.228.22.107 42.127.194.172 44.229.232.174 47.37.138.79 49.45.54.69 54.38.175.232 57.33.27.22 57.215.210.184 60.232.228.129 61.106.11.40 73.78.102.241 79.23.251.165 81.70.92.205 81.70.147.119 81.79.150.26 81.153.198.79 82.156.210.15 82.157.166.102 86.203.236.107 89.121.228.38 93.170.92.72 97.139.98.174 101.33.203.161 |
IP Address | 38.75.229.170
Domain | -
ISP | Aerux Broadband
Country | United States
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-20
Last seen in Akamai Guardicore Segmentation | 2022-05-15
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /tmp/ifconfig was downloaded and executed 2 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 207 times |
Download and Execute |
Process /tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 100.121.157.231:80, 100.121.157.231:8080, 101.42.109.172:1234, 103.111.211.61:1234, 113.132.30.65:2222, 122.200.219.110:80, 122.200.219.110:8080, 128.158.97.225:2222, 132.95.88.29:80, 132.95.88.29:8080, 138.135.213.158:80, 138.135.213.158:8080, 138.183.105.187:80, 138.183.105.187:8080, 140.143.140.52:22, 141.75.54.65:80, 141.75.54.65:8080, 143.18.152.70:2222, 150.133.14.178:80, 150.133.14.178:8080, 152.57.159.108:22, 159.44.203.179:80, 159.44.203.179:8080, 162.4.107.230:80, 162.4.107.230:8080, 167.42.105.12:80, 167.42.105.12:8080, 173.98.104.117:2222, 179.236.91.237:2222, 18.248.57.142:80, 18.248.57.142:8080, 18.98.134.119:80, 18.98.134.119:8080, 180.109.164.131:1234, 181.244.52.93:22, 186.171.25.186:22, 190.60.239.44:1234, 192.186.42.239:80, 192.186.42.239:8080, 194.60.96.22:80, 194.60.96.22:8080, 205.72.247.203:80, 205.72.247.203:8080, 206.240.3.107:22, 207.248.107.215:2222, 212.96.10.127:2222, 219.15.233.141:2222, 221.168.52.85:80, 221.168.52.85:8080, 246.108.11.242:80, 246.108.11.242:8080, 25.8.230.73:80, 25.8.230.73:8080, 34.55.156.200:80, 34.55.156.200:8080, 36.189.143.104:80, 36.189.143.104:8080, 4.188.24.154:2222, 44.199.96.159:80, 44.199.96.159:8080, 44.210.23.54:80, 44.210.23.54:8080, 50.64.135.91:80, 50.64.135.91:8080, 61.74.76.187:80, 61.74.76.187:8080, 62.109.179.245:80, 62.109.179.245:8080, 62.22.170.157:22, 74.135.145.238:2222, 77.176.147.138:2222, 82.156.179.219:1234, 82.249.6.210:2222, 88.138.228.180:80, 88.138.228.180:8080, 88.140.57.100:80, 88.140.57.100:8080, 89.115.164.232:80, 89.115.164.232:8080, 89.121.228.38:1234, 91.39.44.69:80, 91.39.44.69:8080, 95.120.155.177:80, 95.120.155.177:8080, 95.46.61.143:80, 95.46.61.143:8080, 96.31.183.219:80 and 96.31.183.219:8080 |
Outgoing Connection |
Process /tmp/apache2 started listening on ports: 1234, 8083 and 8180 |
Listening |
Process /tmp/apache2 scanned port 80 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 2222 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 80 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 80 on 12 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 attempted to access suspicious domains: melexa.com |
Access Suspicious Domain Outgoing Connection |
Process /tmp/apache2 scanned port 8080 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 2222 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 8080 on 12 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
Process /tmp/apache2 scanned port 2222 on 12 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
The file /usr/bin/uptime was downloaded and executed |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 21 times |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 18 times |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 22 times |
Download and Execute |
Connection was closed due to timeout |
|