IP Address: 39.175.68.100 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SSH
Tags: Port 8080 Scan, 3 Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, Access Suspicious Domain, Listening
Associated Attack Servers: 1.1.1.1, 8.8.8.8, 51.75.146.174, 75.97.44.172, 104.21.25.86, 110.42.189.172, 113.118.24.168, 150.107.95.20, 190.12.120.30
IP Address: 39.175.68.100
Domain: -
ISP: China Mobile Guangdong
Country: China
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-03-05
Last seen in Akamai Guardicore Segmentation: 2022-10-05
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Incident events

[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
[Superuser Operation] A possibly malicious Superuser Operation was detected 2 times
[Outgoing Connection] Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 103.89.110.55:80, 104.21.25.86:443, 104.233.208.66:80, 104.233.208.66:8080, 110.42.189.172:1234, 113.118.24.168:1234, 116.239.148.135:80, 130.54.109.110:80, 141.50.98.76:80, 142.251.32.4:443, 166.237.232.174:80, 171.221.77.152:80, 173.184.162.35:80, 173.184.162.35:8080, 180.137.33.26:80, 184.120.213.218:80, 184.159.221.66:80, 184.159.221.66:8080, 190.12.120.30:1234, 200.1.130.171:80, 200.1.130.171:8080, 200.5.213.18:80, 201.229.101.44:80, 201.229.101.44:8080, 210.204.120.235:80, 210.204.120.235:8080, 215.83.114.59:80, 220.223.162.110:80, 220.223.162.110:8080, 244.177.245.113:80, 26.59.197.85:80, 26.59.197.85:8080, 35.247.191.185:80, 39.175.68.100:1234, 4.101.84.8:80, 42.39.12.3:80, 42.39.12.3:8080, 43.127.236.113:80, 44.183.231.76:80, 51.75.146.174:443, 52.131.148.229:80, 52.131.148.229:8080, 54.32.245.194:80, 54.32.245.194:8080, 62.47.87.201:80, 65.30.122.202:80, 71.57.124.62:80, 71.57.124.62:8080, 75.17.165.83:80, 75.17.165.83:8080, 75.27.54.36:80, 75.27.54.36:8080, 75.97.44.172:1234, 75.97.44.172:22, 8.8.8.8:443, 89.153.48.25:80 and 89.153.48.25:8080
[Listening] Process /dev/shm/ifconfig started listening on ports: 1234, 8082 and 8183
[Access Suspicious Domain, Outgoing Connection] Process /dev/shm/ifconfig attempted to access suspicious domains: cps.com.ar and ptd.net
[Outgoing Connection] Process /dev/shm/php-fpm generated outgoing network traffic to: 75.97.44.172:22
[Access Suspicious Domain, Outgoing Connection] Process /dev/shm/php-fpm attempted to access suspicious domains: ptd.net
[Port 80 Scan, Port 8080 Scan] Process /dev/shm/ifconfig scanned port 80 on 32 IP addresses
[Port 80 Scan, Port 8080 Scan] Process /dev/shm/ifconfig scanned port 80 on 15 IP addresses
[Port 80 Scan, Port 8080 Scan] Process /dev/shm/ifconfig scanned port 8080 on 32 IP addresses
[Port 80 Scan, Port 8080 Scan] Process /dev/shm/ifconfig scanned port 8080 on 15 IP addresses
Connection was closed due to timeout
|