IP Address: 42.231.29.210 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SSH
Tags: Port 8080 Scan, 3 Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, Access Suspicious Domain, Listening
Associated Attack Servers: attdns.com, regruhosting.ru, telmex.net.ar, 9.52.194.20, 28.100.2.229, 36.77.229.184, 58.221.44.158, 79.93.142.72, 119.146.3.180, 120.131.63.148, 124.223.72.11, 128.196.14.159, 134.53.188.125, 134.209.32.120, 135.40.124.17, 153.147.77.230, 155.128.211.127, 155.164.16.246, 163.207.91.230, 175.98.45.240, 178.245.198.25, 186.122.173.207, 194.67.121.113, 205.175.131.102, 220.209.59.192
IP Address: 42.231.29.210
Domain: -
ISP: China Unicom Liaoning
Country: China
WHOIS: Created Date: - / Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-03-24
Last seen in Akamai Guardicore Segmentation: 2022-03-26
What is Akamai Guardicore Segmentation? Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (Authentication policy: White List)
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (Authentication policy: Correct Password)
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Outgoing Connection: Process /dev/shm/ifconfig generated outgoing network traffic to: 101.248.187.30:80, 101.248.187.30:8080, 103.105.12.48:1234, 104.21.25.86:443, 11.9.28.169:80, 11.9.28.169:8080, 117.161.5.14:80, 117.161.5.14:8080, 119.146.3.180:22, 119.91.126.29:80, 119.91.126.29:8080, 120.131.63.148:2222, 124.223.72.11:1234, 128.196.14.159:2222, 131.6.208.192:80, 131.6.208.192:8080, 134.209.32.120:1234, 134.53.188.125:2222, 135.40.124.17:22, 137.191.219.26:80, 137.191.219.26:8080, 144.151.232.195:80, 144.151.232.195:8080, 149.135.213.11:80, 149.135.213.11:8080, 149.68.168.44:80, 149.68.168.44:8080, 153.147.77.230:2222, 153.216.237.251:80, 153.216.237.251:8080, 155.128.211.127:22, 155.164.16.246:22, 156.102.6.197:80, 156.102.6.197:8080, 163.207.91.230:22, 164.68.61.196:80, 164.68.61.196:8080, 169.219.143.204:80, 169.219.143.204:8080, 171.150.75.128:80, 171.150.75.128:8080, 172.67.133.228:443, 173.3.120.196:80, 173.3.120.196:8080, 175.98.45.240:1234, 178.245.198.25:1234, 186.122.173.207:22, 194.67.121.113:1234, 194.99.235.208:80, 194.99.235.208:8080, 205.175.131.102:22, 207.22.110.181:80, 207.22.110.181:8080, 212.109.228.102:80, 212.109.228.102:8080, 213.224.97.118:80, 213.224.97.118:8080, 214.229.53.122:80, 214.229.53.122:8080, 215.151.15.6:80, 215.151.15.6:8080, 220.209.59.192:2222, 240.115.237.180:80, 240.115.237.180:8080, 245.58.55.67:80, 245.58.55.67:8080, 248.21.20.110:80, 248.21.20.110:8080, 28.100.2.229:2222, 36.77.229.184:2222, 47.187.164.203:80, 47.187.164.203:8080, 48.164.73.14:80, 48.164.73.14:8080, 51.75.146.174:443, 57.41.246.56:80, 57.41.246.56:8080, 59.66.240.101:80, 59.66.240.101:8080, 72.4.189.144:80, 72.4.189.144:8080, 79.140.28.163:80, 79.140.28.163:8080, 79.93.142.72:2222, 8.247.179.162:80, 8.247.179.162:8080, 85.239.92.237:80, 85.239.92.237:8080 and 9.52.194.20:22
Listening: Process /dev/shm/ifconfig started listening on ports: 1234, 8080 and 8189
Access Suspicious Domain, Outgoing Connection: Process /dev/shm/ifconfig attempted to access suspicious domains: attdns.com, h205175131102, sfr.net, telmex.net.ar and tfn.net.tw
Port 80 Scan, Port 8080 Scan: Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses 2 times
Port 80 Scan, Port 8080 Scan: Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses 2 times
Connection was closed due to timeout
|