IP Address: 42.231.28.32 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Port 2222 Scan, Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers: accentric.net, gvt.net.br, pkje32x1.cn, 3.91.21.110, 3.133.124.243, 4.34.57.102, 4.163.250.213, 36.84.63.238, 41.228.22.107, 47.93.228.251, 59.61.122.240, 75.69.15.70, 81.70.44.138, 82.200.244.154, 83.224.155.27, 90.32.52.229, 114.99.148.247, 116.116.240.4, 117.50.179.61, 117.190.110.118, 124.223.72.11, 131.5.95.224, 149.168.251.194, 150.27.84.216, 152.136.145.180, 191.249.236.85, 195.162.180.82, 209.132.69.17
IP Address: 42.231.28.32
Domain: -
ISP: China Unicom Liaoning
Country: China
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2018-11-04
Last seen in Akamai Guardicore Segmentation: 2022-03-30
What is Akamai Guardicore Segmentation? Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. It generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Download File: /dev/shm/ifconfig was downloaded
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Outgoing Connection: Process /dev/shm/apache2 generated outgoing network traffic to: 1.193.6.233:80, 1.193.6.233:8080, 104.21.25.86:443, 110.99.56.18:80, 110.99.56.18:8080, 112.130.197.17:80, 112.130.197.17:8080, 114.177.215.72:80, 114.177.215.72:8080, 114.99.148.247:22, 116.116.240.4:22, 119.125.226.70:2222, 119.154.87.228:80, 119.154.87.228:8080, 119.8.232.60:80, 119.8.232.60:8080, 124.223.72.11:1234, 137.11.54.153:80, 137.11.54.153:8080, 140.54.199.180:80, 140.54.199.180:8080, 146.151.100.205:2222, 161.53.133.101:80, 161.53.133.101:8080, 163.204.144.151:80, 163.204.144.151:8080, 166.125.104.166:2222, 166.215.164.24:80, 166.215.164.24:8080, 167.52.104.145:80, 167.52.104.145:8080, 172.67.133.228:443, 175.252.194.174:80, 175.252.194.174:8080, 175.55.234.65:80, 175.55.234.65:8080, 176.3.165.6:2222, 182.194.68.154:80, 182.194.68.154:8080, 191.249.236.85:1234, 194.164.102.134:80, 194.164.102.134:8080, 195.162.180.82:1234, 2.123.172.97:80, 2.123.172.97:8080, 20.12.106.226:2222, 201.176.201.178:2222, 202.113.51.205:80, 202.113.51.205:8080, 204.16.138.216:80, 204.16.138.216:8080, 205.236.12.18:80, 205.236.12.18:8080, 207.103.6.249:80, 207.103.6.249:8080, 209.104.195.242:80, 209.104.195.242:8080, 21.205.82.201:80, 21.205.82.201:8080, 21.234.103.202:80, 21.234.103.202:8080, 21.237.13.74:80, 21.237.13.74:8080, 212.19.111.106:80, 212.19.111.106:8080, 215.21.241.28:2222, 244.85.6.162:2222, 28.172.35.172:80, 28.172.35.172:8080, 4.249.130.41:2222, 47.93.228.251:1234, 5.178.206.223:80, 5.178.206.223:8080, 51.75.146.174:443, 52.3.228.203:2222, 54.30.243.153:80, 54.30.243.153:8080, 55.116.44.24:80, 55.116.44.24:8080, 59.61.122.240:1234, 59.89.206.67:80, 59.89.206.67:8080, 62.47.166.169:80, 62.47.166.169:8080, 69.200.162.127:2222, 75.69.15.70:22, 81.70.44.138:1234, 83.224.155.27:1234 and 88.17.34.117:2222
Listening: Process /dev/shm/apache2 started listening on ports: 1234, 8085 and 8189
Port 80 Scan: Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Port 8080 Scan: Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Port 2222 Scan: Process /dev/shm/apache2 scanned port 2222 on 32 IP Addresses
Port 80 Scan: Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Port 80 Scan: Process /dev/shm/apache2 scanned port 80 on 12 IP Addresses
Access Suspicious Domain, Outgoing Connection: Process /dev/shm/apache2 attempted to access suspicious domains: gvt.net.br
Port 8080 Scan: Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Port 2222 Scan: Process /dev/shm/apache2 scanned port 2222 on 32 IP Addresses
Port 8080 Scan: Process /dev/shm/apache2 scanned port 8080 on 12 IP Addresses
Port 2222 Scan: Process /dev/shm/apache2 scanned port 2222 on 12 IP Addresses
Connection was closed due to timeout |
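The timeline above records the host's behaviour as free-text event lines: a root SSH login, a binary dropped into /dev/shm under a system-utility name, a process with an apache2 name making fan-out connections, opening listeners and scanning ports 80, 8080 and 2222, then reaching a flagged domain. The following is an added example, not code from the Akamai Guardicore page or product: it parses lines in that shape, applies a few detection rules a sensor or SIEM would use (execution from tmpfs or /tmp, masquerading binary names outside the system binary directories, high-fan-out single-port scanning, new listeners, flagged domains) and extracts flat indicator lists. The sample lines are a constructed subset copied from this page; the rule names, the directory lists, the masquerade name list and the scan threshold are assumptions to tune per environment.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample: a few event lines in the shape of the timeline above
# (copied from this page, not the full list).
SAMPLE_EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List",
    "/dev/shm/ifconfig was downloaded",
    "A possibly malicious Superuser Operation was detected 2 times",
    "Process /dev/shm/apache2 generated outgoing network traffic to: 1.193.6.233:80, 1.193.6.233:8080, 114.99.148.247:22, 124.223.72.11:1234 and 88.17.34.117:2222",
    "Process /dev/shm/apache2 started listening on ports: 1234, 8085 and 8189",
    "Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses",
    "Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses",
    "Process /dev/shm/apache2 attempted to access suspicious domains: gvt.net.br",
]

# Assumed tunables: directories a real daemon never runs from, system-binary
# names droppers borrow, and how many hosts hit on one port counts as a scan.
SUSPICIOUS_EXEC_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
TRUSTED_BIN_DIRS = ("/usr/", "/bin/", "/sbin/")
MASQUERADE_NAMES = {"apache2", "httpd", "ifconfig", "sshd", "crond"}
SCAN_THRESHOLD = 16

RE_LOGIN = re.compile(r"^A user logged in using SSH with the following credentials: "
                      r"(?P<user>\S+) / \S+ - Authentication policy: (?P<policy>.+)$")
RE_DOWNLOAD = re.compile(r"^(?P<path>\S+) was downloaded$")
RE_SUDO = re.compile(r"^A possibly malicious Superuser Operation was detected (?P<n>\d+) times?$")
RE_OUTGOING = re.compile(r"^Process (?P<proc>\S+) generated outgoing network traffic to: (?P<dests>.+)$")
RE_LISTEN = re.compile(r"^Process (?P<proc>\S+) started listening on ports: (?P<ports>.+)$")
RE_SCAN = re.compile(r"^Process (?P<proc>\S+) scanned port (?P<port>\d+) on (?P<count>\d+) IP Addresses$")
RE_DOMAIN = re.compile(r"^Process (?P<proc>\S+) attempted to access suspicious domains: (?P<domains>.+)$")

def _split_list(text):
    """The page writes lists as 'a, b, c and d'; flatten to ['a', 'b', 'c', 'd']."""
    return [t.strip() for t in re.split(r",\s*|\s+and\s+", text) if t.strip()]

def parse_events(lines):
    """Turn free-text timeline lines into a structured summary of what the host did."""
    s = {"logins": [], "dropped_files": [], "superuser_ops": 0, "processes": set(),
         "outgoing": defaultdict(set),    # proc -> {(host, port)}
         "listening": defaultdict(set),   # proc -> {port}
         "scans": defaultdict(Counter),   # proc -> {port: hosts scanned}
         "domains": defaultdict(set)}     # proc -> {domain}
    for line in lines:
        line = line.strip()
        if m := RE_LOGIN.match(line):
            s["logins"].append((m["user"], m["policy"]))
        elif m := RE_DOWNLOAD.match(line):
            s["dropped_files"].append(m["path"])
        elif m := RE_SUDO.match(line):
            s["superuser_ops"] += int(m["n"])
        elif m := RE_OUTGOING.match(line):
            s["processes"].add(m["proc"])
            for dest in _split_list(m["dests"]):
                host, _, port = dest.rpartition(":")
                s["outgoing"][m["proc"]].add((host, int(port)))
        elif m := RE_LISTEN.match(line):
            s["processes"].add(m["proc"])
            s["listening"][m["proc"]].update(int(p) for p in _split_list(m["ports"]))
        elif m := RE_SCAN.match(line):
            s["processes"].add(m["proc"])
            s["scans"][m["proc"]][int(m["port"])] += int(m["count"])
        elif m := RE_DOMAIN.match(line):
            s["processes"].add(m["proc"])
            s["domains"][m["proc"]].update(_split_list(m["domains"]))
    return s

def findings(s, scan_threshold=SCAN_THRESHOLD):
    """Apply the detection rules; returns a list of (rule, detail) tuples."""
    hits = []
    for user, policy in s["logins"]:
        if user == "root":
            hits.append(("root-ssh-login", f"{user} (policy: {policy})"))
    if s["superuser_ops"]:
        hits.append(("superuser-operation", f"{s['superuser_ops']} detected"))
    # Every path that was dropped or acted as a process gets the file-location rules.
    for path in sorted(set(s["dropped_files"]) | s["processes"]):
        if path.startswith(SUSPICIOUS_EXEC_DIRS):
            hits.append(("exec-from-tmpfs", path))
        if path.rsplit("/", 1)[-1] in MASQUERADE_NAMES and not path.startswith(TRUSTED_BIN_DIRS):
            hits.append(("masquerade-name", path))
    for proc, ports in sorted(s["listening"].items()):
        hits.append(("new-listener", f"{proc} on {','.join(map(str, sorted(ports)))}"))
    for proc, counter in sorted(s["scans"].items()):
        for port, hosts in sorted(counter.items()):
            if hosts >= scan_threshold:
                hits.append(("port-scan", f"{proc} -> port {port} on {hosts} hosts"))
    for proc, domains in sorted(s["domains"].items()):
        hits.extend(("suspicious-domain", f"{proc} -> {d}") for d in sorted(domains))
    return hits

def iocs(s):
    """Flat indicator lists for a blocklist or a sensor query (destinations on the page are all IPs)."""
    pairs = {p for dests in s["outgoing"].values() for p in dests}
    return {"hosts": sorted({h for h, _ in pairs}, key=lambda h: int(ipaddress.ip_address(h))),
            "ports": sorted({p for _, p in pairs}),
            "domains": sorted({d for ds in s["domains"].values() for d in ds})}
```

Running `findings(parse_events(SAMPLE_EVENTS))` yields ten hits: the root login, the superuser operations, tmpfs-execution and masquerade hits for both /dev/shm/apache2 and /dev/shm/ifconfig, the new listener, the two 32-host scans and the flagged domain; `iocs()` returns the destination IPs in numeric order with the port set {22, 80, 1234, 2222, 8080} and the domain gvt.net.br. The same binary name under /usr/sbin with a 3-host scan produces no hits, which is the point of pairing the name check with the directory check rather than alerting on the name alone.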
|