IP Address: 47.122.44.42Malicious
IP Address: 47.122.44.42Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SSH |
Tags |
Access Suspicious Domain Service Restart Outgoing Connection Listening Executable File Modification Download and Allow Execution Successful SSH Login SSH New SSH Key Scheduled Task Creation Read Password Secrets System File Modification Download and Execute |
Associated Attack Servers |
amazonaws.com net-bit.ru vps-default-host.net vps-kinghost.net 5.252.22.94 8.222.172.255 13.251.154.125 31.130.90.246 36.7.171.21 43.155.163.36 43.155.183.210 45.142.32.238 45.159.209.15 47.109.108.202 47.122.43.15 47.242.248.2 62.72.0.137 67.205.134.66 103.9.134.247 103.45.248.220 103.219.60.213 111.231.108.45 117.68.119.132 120.27.194.53 130.193.55.111 147.182.201.74 164.92.104.70 185.233.36.161 191.252.210.233 207.174.22.224 |
IP Address |
47.122.44.42 |
|
Domain |
- |
|
ISP |
- |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2023-09-10 |
Last seen in Akamai Guardicore Segmentation |
2023-09-10 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /bin/bash generated outgoing network traffic to: 45.142.32.238:60119 |
Outgoing Connection |
System file /etc/crontab was modified 9 times |
System File Modification |
Executable file /usr/bin/wgbtx was modified |
Executable File Modification |
System file /etc/nshadow was modified 36 times |
System File Modification |
The file /tmp/SRlKYWHSia was downloaded and executed 15 times |
Download and Execute |
Process /tmp/SRlKYWHSia started listening on ports: 60131 |
Listening |
System file /etc/ssh/sshd_config was modified 4 times |
System File Modification |
Process /tmp/SRlKYWHSia generated outgoing network traffic to: 103.219.60.213:60104, 103.45.248.220:60147, 111.231.108.45:60149, 117.68.119.132:60143, 120.27.194.53:60142, 13.251.154.125:60135, 130.193.55.111:60109, 147.182.201.74:60143, 164.92.104.70:60130, 185.233.36.161:60122, 191.252.210.233:60126, 207.174.22.224:60119, 31.130.90.246:60118, 36.7.171.21:60143, 43.155.163.36:60111, 43.155.183.210:60111, 45.142.32.238:60119, 45.159.209.15:60133, 47.109.108.202:60110, 47.122.43.15:60135, 47.122.44.42:60127, 47.242.248.2:60112, 5.252.22.94:60132, 62.72.0.137:60106, 67.205.134.66:60130 and 8.222.172.255:60117 |
Outgoing Connection |
Process /tmp/SRlKYWHSia attempted to access suspicious domains: net-bit.ru, vps-default-host.net and vps-kinghost.net |
Access Suspicious Domain Outgoing Connection |
Process /usr/sbin/sshd started listening on ports: 22 |
Listening |
The file /tmp/bash was downloaded and executed |
Download and Execute |
Connection was closed due to timeout |
|
An attempt to download /root/.ssh/authorized_keys was made |
New SSH Key |
/tmp/bash |
SHA256: 0af780b7193429c0397f47668862100a0a0b4e5de5b3515c4557685ab26e69bd |
558904 bytes |
/tmp/xoNfvkIxS5 |
SHA256: 976e3772ffea7499f7c119e956a5a71806f8f054caf174978fa888b254dd22a0 |
1458464 bytes |