IP Address: 45.64.130.149 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Connect-Back, Scanner
Services Targeted | SSH
Tags | Download Operation, System File Modification, SSH, Users and Groups, Port 43 Scan, Outgoing Connection, Superuser Operation, Successful SSH Login, Access Suspicious Domain, DNS Query
Associated Attack Servers | femboy.somebody.hk, highpower.sg, irc.siutao.tk, irc.tung-shu.cf, irc.wordgrab.com, mircd.xiao.my.id.id, sos.vivi.sg, 10.0.13.153, 10.0.141.111, 10.0.254.107, 10.0.254.110, 10.2.64.115, 10.2.67.232, 10.2.67.235, 10.10.1.186, 10.10.118.71, 10.15.82.63, 10.76.5.110, 10.186.47.177, 10.192.7.43, 10.192.7.60, 10.192.7.152, 45.64.128.99, 45.64.130.150, 58.64.188.35, 60.208.58.40, 91.189.88.142, 91.189.91.38, 103.65.194.50, 112.65.206.11, 114.35.102.34, 118.96.173.26, 122.9.36.85, 150.223.22.6, 159.138.85.160, 168.62.178.160
IP Address | 45.64.130.149
Domain | -
ISP | Sparkstation Pte
Country | Singapore
WHOIS
Created Date | -
Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2021-08-08
Last seen in Akamai Guardicore Segmentation | 2022-10-03
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ******** - Authentication policy: White List (Part of a Brute Force Attempt) | SSH Brute Force, Successful SSH Login
System file /etc/sudoers was modified | System File Modification
A possibly malicious Download Operation was detected | Download Operation, Superuser Operation
A possibly malicious Superuser Operation was detected | Download Operation, Superuser Operation
System file /etc/passwd.200 was modified 16 times | System File Modification
System file /etc/passwd- was modified 9 times | System File Modification
Process /usr/bin/wget attempted to access suspicious domains: sos.vivi.sg | DNS Query, Access Suspicious Domain, Outgoing Connection
Process /usr/bin/wget generated outgoing network traffic to: 45.64.128.99:80 | Outgoing Connection
Process /usr/bin/perl attempted to access suspicious domains: irc.tung-shu.cf and sgwebserver.com | DNS Query, Access Suspicious Domain, Outgoing Connection
Process /bin/bash attempted to access suspicious domains: sos.vivi.sg | DNS Query, Access Suspicious Domain, Outgoing Connection
Process /usr/bin/perl generated outgoing network traffic to: 10.0.141.111:20, 10.15.82.63:20, 10.2.67.235:20 and 45.64.130.149:20 | Outgoing Connection
Process /bin/bash generated outgoing network traffic to: 45.64.128.99:80 | Outgoing Connection
The file /tmp/o was downloaded and granted execution privileges
Process /tmp/x attempted to access suspicious domains: mircd.hokkien.my.id and mircd.xiao.my.id.id | DNS Query, Access Suspicious Domain
Process /tmp/o attempted to access suspicious domains: mircd.hokkien.my.id, mircd.xiao.my.id and mircd.xiao.my.id.id | DNS Query, Access Suspicious Domain
Process /usr/bin/wget attempted to access suspicious domains: sos.vivi.sg | DNS Query, Access Suspicious Domain, Outgoing Connection
Process /tmp/x generated outgoing network traffic to: 10.0.141.111:43, 10.10.118.71:43, 10.186.47.177:43, 10.192.7.60:43, 10.76.5.110:43, 150.223.22.6:43, 172.16.0.48:43, 172.16.70.55:43, 185.181.164.131:43, 207.58.186.35:43, 207.58.188.115:43 and 64.131.81.98:43
Process /tmp/o scanned port 43 on 16 IP Addresses | Port 43 Scan
Process /tmp/x scanned port 43 on 16 IP Addresses | Port 43 Scan
Process /usr/bin/wget generated outgoing network traffic to: 45.64.128.99:80 | Outgoing Connection
Process /tmp/o generated outgoing network traffic to: 10.0.141.111:43, 10.10.118.71:43, 10.186.47.177:43, 10.192.7.60:43, 10.76.5.110:43, 150.223.22.6:43, 185.181.164.131:43, 192.162.252.27:43, 192.168.8.21:43, 192.168.8.254:43, 199.115.114.193:43, 207.58.186.35:43, 207.58.188.115:43 and 64.131.81.98:43
Connection was closed due to timeout
/root/pki.tgz |
SHA256: 73e1d0bfc648a6f38a3ec1b48fae8c1c037fd204397d20738114cb24b8ce6582 |
6410561 bytes |
/var/tmp/ /.bash/h64 |
SHA256: 7fe9d6d8b9390020862ca7dc9e69c1e2b676db5898e4bfad51d66250e9af3eaf |
838583 bytes |