IP Address: 45.61.162.173 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP, SSH
Tags | SSH, Superuser Operation, Successful SSH Login, Download and Execute, Download and Allow Execution
Associated Attack Servers | btcentralplus.com mchsi.com servpac.com 26.140.119.17 30.38.204.216 36.69.131.107 39.99.60.12 52.131.32.110 82.156.217.40 86.133.233.66 94.51.164.233 94.183.159.75 101.42.109.172 107.167.150.198 107.182.190.58 123.132.238.210 173.17.236.75 202.90.131.39
IP Address | 45.61.162.173
Domain | -
ISP | FranTech Solutions
Country | United States
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-04
Last seen in Akamai Guardicore Segmentation | 2022-04-23
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /tmp/ifconfig was downloaded and executed 4 times | Download and Execute
The file /tmp/apache2 was downloaded and executed 201 times | Download and Execute
Process /tmp/ifconfig generated outgoing network traffic to a list of external IP:port destinations (list omitted) | Outgoing Connection
Process /tmp/ifconfig started listening on ports: 1234, 8084 and 8184 | Listening
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 80 on 12 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 2222 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 8080 on 12 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig scanned port 2222 on 12 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /tmp/ifconfig attempted to access suspicious domains: adyl.net.br | Access Suspicious Domain, Outgoing Connection
The file /usr/local/bin/dash was downloaded and executed | Download and Execute
The file /tmp/php-fpm was downloaded and granted execution privileges | Download and Allow Execution
The file /tmp/php-fpm was downloaded and executed 12 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 27 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 4 times | Download and Execute
The file /usr/bin/uptime was downloaded and executed | Download and Execute
The file /tmp/php-fpm was downloaded and executed 18 times | Download and Execute
The file /tmp/php-fpm was downloaded and executed 8 times | Download and Execute
Connection was closed due to timeout |