IP Address: 39.79.139.14 | Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Access Suspicious Domain, Port 8080 Scan 2, Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers | 11.245.112.144, 18.120.211.180, 20.141.185.205, 47.112.205.162, 54.135.108.171, 63.144.55.39, 64.61.84.103, 65.170.112.184, 66.90.110.58, 78.92.170.193, 87.70.163.222, 125.77.90.28, 136.172.84.213, 142.8.193.170, 161.143.20.55, 166.213.173.13, 183.226.153.69, 194.129.105.188, 195.90.209.86, 220.243.148.8, 246.222.131.68, 248.141.196.38
IP Address | 39.79.139.14
Domain | -
ISP | China Unicom Shandong
Country | China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-28
Last seen in Akamai Guardicore Segmentation | 2022-03-29
What is Akamai Guardicore Segmentation

Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Event | Tags
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
/dev/shm/ifconfig was downloaded | Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
Process /dev/shm/apache2 generated outgoing network traffic to: 100.26.18.81:80, 100.26.18.81:8080, 104.16.174.191:80, 104.16.174.191:8080, 104.21.25.86:443, 104.57.149.48:80, 104.57.149.48:8080, 11.245.112.144:22, 116.12.69.8:80, 116.12.69.8:8080, 12.224.242.101:80, 12.224.242.101:8080, 124.104.38.116:80, 124.104.38.116:8080, 125.77.90.28:1234, 136.172.84.213:2222, 142.51.76.225:80, 142.51.76.225:8080, 142.8.193.170:22, 143.174.38.64:80, 143.174.38.64:8080, 144.42.122.142:80, 144.42.122.142:8080, 151.207.83.177:80, 151.207.83.177:8080, 154.240.253.171:80, 154.240.253.171:8080, 161.143.20.55:22, 166.213.173.13:2222, 17.237.81.100:80, 17.237.81.100:8080, 172.67.133.228:443, 18.120.211.180:22, 183.226.153.69:2222, 194.129.105.188:22, 195.90.209.86:1234, 198.246.75.159:80, 198.246.75.159:8080, 2.67.222.168:80, 2.67.222.168:8080, 20.141.185.205:1234, 200.38.46.209:80, 200.38.46.209:8080, 200.69.137.167:80, 200.69.137.167:8080, 220.176.251.128:80, 220.176.251.128:8080, 220.243.148.8:1234, 241.31.16.22:80, 241.31.16.22:8080, 246.222.131.68:2222, 247.211.50.149:80, 247.211.50.149:8080, 248.141.196.38:22, 248.142.174.111:80, 248.142.174.111:8080, 253.180.226.9:80, 253.180.226.9:8080, 35.176.131.193:80, 35.176.131.193:8080, 39.100.155.92:80, 39.100.155.92:8080, 47.112.205.162:1234, 49.205.6.55:80, 49.205.6.55:8080, 51.75.146.174:443, 54.135.108.171:2222, 54.53.139.162:80, 54.53.139.162:8080, 58.26.161.152:80, 58.26.161.152:8080, 63.144.55.39:2222, 64.61.84.103:22, 65.170.112.184:2222, 66.90.110.58:1234, 67.110.15.38:80, 67.110.15.38:8080, 69.165.197.201:80, 69.165.197.201:8080, 72.40.69.71:80, 72.40.69.71:8080, 78.92.170.193:1234, 85.162.234.167:80, 85.162.234.167:8080, 87.70.163.222:2222, 92.247.146.33:80, 92.247.146.33:8080, 96.207.205.213:80 and 96.207.205.213:8080 | Outgoing Connection
Process /dev/shm/apache2 started listening on ports: 1234, 8088 and 8181 | Listening
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses 2 times | Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses 2 times | Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 attempted to access suspicious domains: 1blu.de, broadviewnet.net and mycingular.net | Access Suspicious Domain, Outgoing Connection
Connection was closed due to timeout |