IP Address: 42.231.28.87 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Port 8080 Scan, 3 Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, Access Suspicious Domain, Listening
Associated Attack Servers: drei.com, ertelecom.ru, mobistar.be, mweb.co.za, spcsdns.net, 24.32.65.138, 34.111.239.179, 53.99.123.152, 81.70.58.68, 82.200.244.154, 91.141.82.136, 101.80.224.17, 103.60.137.111, 103.96.51.170, 107.48.92.9, 107.142.36.20, 109.194.139.250, 111.102.19.217, 112.196.31.218, 117.184.119.10, 118.69.71.201, 120.236.74.234, 145.59.228.146, 161.77.221.29, 172.121.211.40, 178.50.80.115, 197.81.171.51, 221.161.122.82
IP Address: 42.231.28.87
Domain: -
ISP: China Unicom Liaoning
Country: China

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2018-10-21
Last seen in Akamai Guardicore Segmentation: 2022-04-04
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Attack events (event description, followed by its tag in brackets):

[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
[Superuser Operation] A possibly malicious Superuser Operation was detected 2 times
[Outgoing Connection] Process /dev/shm/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.80.224.17:1234, 107.142.36.20:22, 107.48.92.9:22, 109.194.139.250:22, 111.102.19.217:80, 111.102.19.217:8080, 111.102.19.217:8090, 112.196.31.218:1234, 120.236.74.234:1234, 130.244.115.222:80, 130.244.115.222:8080, 136.110.136.117:80, 136.110.136.117:8080, 139.27.149.170:80, 139.27.149.170:8080, 142.250.191.228:443, 145.59.228.146:2222, 15.54.189.48:80, 15.54.189.48:8080, 15.91.90.253:80, 15.91.90.253:8080, 153.247.158.199:80, 153.247.158.199:8080, 161.35.36.168:80, 161.35.36.168:8080, 161.77.221.29:80, 161.77.221.29:8080, 161.77.221.29:8090, 162.197.245.227:80, 162.197.245.227:8080, 164.204.94.233:80, 164.204.94.233:8080, 169.138.177.36:80, 169.138.177.36:8080, 172.121.211.40:2222, 172.67.133.228:443, 174.151.26.172:80, 174.151.26.172:8080, 175.11.83.233:80, 175.11.83.233:8080, 178.50.80.115:22, 195.65.33.166:80, 195.65.33.166:8080, 197.81.171.51:22, 2.97.139.140:80, 2.97.139.140:8080, 204.160.209.48:80, 204.160.209.48:8080, 21.35.109.230:80, 21.35.109.230:8080, 220.244.98.50:80, 220.244.98.50:8080, 221.161.122.82:1234, 24.32.65.138:1234, 243.163.150.8:80, 243.163.150.8:8080, 243.75.237.2:80, 243.75.237.2:8080, 249.34.36.69:80, 249.34.36.69:8080, 32.1.25.71:80, 32.1.25.71:8080, 33.144.46.226:80, 33.144.46.226:8080, 34.111.239.179:80, 34.111.239.179:8080, 34.111.239.179:8090, 51.75.146.174:443, 53.99.123.152:2222, 55.107.210.73:80, 55.107.210.73:8080, 62.171.165.238:80, 62.171.165.238:8080, 71.88.189.14:80, 71.88.189.14:8080, 8.8.4.4:443, 8.8.8.8:443, 81.70.58.68:1234, 82.200.244.154:1234, 82.90.202.60:80, 82.90.202.60:8080, 91.128.124.139:80, 91.128.124.139:8080, 91.141.82.136:22, 94.9.183.161:80, 94.9.183.161:8080, 95.214.51.44:80 and 95.214.51.44:8080
[Listening] Process /dev/shm/apache2 started listening on ports: 1234, 8085 and 8182
[Port 80 Scan, Port 8080 Scan] Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses 2 times
[Port 80 Scan, Port 8080 Scan] Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses 2 times
[Access Suspicious Domain, Outgoing Connection] Process /dev/shm/apache2 attempted to access suspicious domains: drei.com, googleusercontent.com, sbcglobal.net, spcsdns.net and wxshuangqiang.com
Connection was closed due to timeout