IP Address: 5.167.52.54 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network.

Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Successful SSH Login, Port 8080 Scan, 5 Shell Commands, Listening, SSH, SCP, Outgoing Connection, Superuser Operation, Port 80 Scan, Download File, Port 1234 Scan

Associated Attack Servers
IP Address: 5.167.52.54
Domain: -
ISP: JSC ER-Telecom Holding
Country: Russian Federation
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2022-08-02
Last seen in Akamai Guardicore Segmentation: 2022-08-04
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Event timeline (sensor tags in brackets)
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List [Successful SSH Login]
Process /usr/sbin/sshd scanned port 1234 on 25 IP Addresses [Port 1234 Scan]
Process /dev/shm/ifconfig scanned port 1234 on 25 IP Addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 80 on 25 IP Addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 8080 on 25 IP Addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 1234 on 32 IP Addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 1234 on 26 IP Addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /bin/nc.openbsd scanned port 1234 on 25 IP Addresses [Port 1234 Scan]
Process /usr/sbin/sshd scanned port 1234 on 25 IP Addresses [Port 1234 Scan]
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times [Successful SSH Login]
/dev/shm/ifconfig was downloaded [Download File]
A possibly malicious Superuser Operation was detected 2 times [Superuser Operation]
Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.32.62.57:80, 1.32.62.57:8080, 103.90.177.102:1234, 104.21.25.86:443, 111.53.11.130:1234, 112.214.139.180:80, 117.54.14.169:1234, 117.80.212.33:1234, 118.143.163.142:80, 118.143.163.142:8080, 119.104.19.58:80, 119.104.19.58:8080, 124.115.231.214:1234, 132.104.151.52:80, 132.117.128.130:80, 132.117.128.130:8080, 134.108.173.14:80, 134.108.173.14:8080, 134.169.8.187:80, 134.169.8.187:8080, 137.153.146.219:80, 137.153.146.219:8080, 145.110.226.171:80, 145.110.226.171:8080, 147.182.233.56:1234, 149.10.205.153:80, 149.10.205.153:8080, 155.136.34.44:80, 155.136.34.44:8080, 160.181.136.35:80, 160.181.136.35:8080, 171.84.112.247:80, 171.84.112.247:8080, 172.217.2.36:443, 173.18.35.41:1234, 182.100.129.238:80, 183.213.26.13:1234, 185.210.144.122:1234, 190.60.239.44:1234, 191.216.101.82:80, 191.216.101.82:8080, 191.242.188.103:1234, 20.84.232.163:80, 20.84.232.163:8080, 209.216.177.238:1234, 211.162.184.120:1234, 212.57.36.20:1234, 222.165.136.99:1234, 223.99.166.104:1234, 245.223.169.62:80, 245.223.169.62:8080, 246.178.182.118:80, 246.178.182.118:8080, 246.3.189.20:80, 246.3.189.20:8080, 248.152.140.34:80, 248.152.140.34:8080, 25.76.237.145:80, 25.76.237.145:8080, 26.44.218.53:80, 26.44.218.53:8080, 30.181.186.180:80, 30.181.186.180:8080, 31.19.237.170:1234, 39.175.68.100:1234, 50.105.137.148:80, 50.105.137.148:8080, 51.159.19.47:1234, 51.75.146.174:443, 52.11.117.137:80, 52.131.32.110:1234, 60.35.208.79:80, 64.227.132.175:1234, 72.110.235.59:80, 72.110.235.59:8080, 8.8.8.8:443, 81.242.248.83:80, 81.242.248.83:8080, 91.102.174.140:80, 92.118.164.249:80, 92.118.164.249:8080, 93.176.229.145:1234, 94.142.153.226:80, 94.142.153.226:8080 and 95.154.21.210:1234 [Outgoing Connection]
Process /dev/shm/ifconfig started listening on ports: 1234, 8080 and 8189 [Listening]
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 80 on 26 IP Addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 8080 on 26 IP Addresses [Port 1234 Scan, Port 80 Scan, Port 8080 Scan]
Process /usr/local/mysql/bin/mysqld started listening on ports: 3306 2 times [Listening]
Connection was closed due to timeout
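The timeline above reads as one intrusion chain: a root SSH login accepted by the sensor, a binary named ifconfig downloaded into /dev/shm, that binary opening listeners on 1234, 8080 and 8189, then scanning ports 80, 8080 and 1234 across dozens of hosts. The Python script below is an added illustration, not code from the Guardicore report or product: it parses sensor event lines in the format shown above and extracts the indicators a responder would pivot on (which processes scanned what, which ports were opened, what was downloaded, how many root logins). The sample events are a constructed subset copied from this report; the staging directories, the list of tool names that payloads commonly borrow, and the set of daemons not expected to scan are assumptions behind the heuristics, not sensor logic.

```python
"""Triage of honeypot sensor event lines (added example, not Guardicore code)."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the event lines from this report, in their original shape.
SAMPLE_EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List",
    "Process /usr/sbin/sshd scanned port 1234 on 25 IP Addresses",
    "Process /dev/shm/ifconfig scanned port 1234 on 25 IP Addresses",
    "Process /dev/shm/ifconfig scanned port 80 on 25 IP Addresses",
    "Process /dev/shm/ifconfig scanned port 8080 on 25 IP Addresses",
    "Process /bin/nc.openbsd scanned port 1234 on 25 IP Addresses",
    "Process /usr/sbin/sshd scanned port 1234 on 25 IP Addresses",
    "A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times",
    "/dev/shm/ifconfig was downloaded",
    "Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.32.62.57:80, 1.32.62.57:8080, 103.90.177.102:1234 and 8.8.8.8:443",
    "Process /dev/shm/ifconfig started listening on ports: 1234, 8080 and 8189",
    "Process /usr/local/mysql/bin/mysqld started listening on ports: 3306 2 times",
]

SCAN_RE = re.compile(r"^Process (\S+) scanned port (\d+) on (\d+) IP Addresses")
LISTEN_RE = re.compile(r"^Process (\S+) started listening on ports: (.+?)(?: \d+ times)?$")
OUTGOING_RE = re.compile(r"^Process (\S+) generated outgoing network traffic to: (.+)$")
DOWNLOAD_RE = re.compile(r"^(\S+) was downloaded")
LOGIN_RE = re.compile(r"logged in using SSH with the following credentials: (\S+) / ")
TIMES_RE = re.compile(r" (\d+) times$")

# Heuristic inputs (assumptions for this example, not sensor logic):
# world-writable staging directories: a binary executing from here was dropped, not installed
STAGING_DIRS = ("/dev/shm/", "/tmp/", "/var/tmp/")
# names of legitimate tools that payloads borrow to blend into process listings
SYSTEM_TOOL_NAMES = {"ifconfig", "ip", "sshd", "cron", "crond", "ps", "netstat", "kworker"}
# daemons with no reason to port-scan; a scan attributed to one is a role anomaly worth a look
NO_SCAN_EXPECTED = {"/usr/sbin/sshd", "/usr/local/mysql/bin/mysqld"}


def _split_list(text):
    """Split the sensor's 'a, b and c' phrasing into ['a', 'b', 'c']."""
    return [p.strip() for p in re.split(r",\s*|\s+and\s+", text) if p.strip()]


def _repeat(line):
    """The sensor collapses identical events into '... N times'; recover N (default 1)."""
    m = TIMES_RE.search(line)
    return int(m.group(1)) if m else 1


def triage(events):
    """Aggregate event lines into per-process indicators and flag the suspicious ones."""
    scans = defaultdict(dict)      # process -> {dest port: hosts scanned}
    listeners = defaultdict(list)  # process -> [ports opened]
    outgoing_ports = Counter()     # dest port -> number of connections
    outgoing_hosts = set()
    downloads = []
    root_logins = 0
    for line in events:
        if m := SCAN_RE.match(line):
            proc, port, hosts = m.group(1), int(m.group(2)), int(m.group(3))
            scans[proc][port] = scans[proc].get(port, 0) + hosts
        elif m := LISTEN_RE.match(line):
            listeners[m.group(1)].extend(int(p) for p in _split_list(m.group(2)))
        elif m := OUTGOING_RE.match(line):
            for dest in _split_list(m.group(2)):
                host, _, port = dest.rpartition(":")
                outgoing_hosts.add(host)
                outgoing_ports[int(port)] += 1
        elif m := DOWNLOAD_RE.match(line):
            downloads.append(m.group(1))
        elif (m := LOGIN_RE.search(line)) and m.group(1) == "root":
            root_logins += _repeat(line)

    procs = set(scans) | set(listeners) | set(downloads)
    staged = sorted(p for p in procs if p.startswith(STAGING_DIRS))
    masquerading = sorted(p for p in staged if p.rsplit("/", 1)[-1] in SYSTEM_TOOL_NAMES)
    role_anomalies = sorted(p for p in scans if p in NO_SCAN_EXPECTED)
    return {
        "scans": {p: dict(v) for p, v in scans.items()},
        "listeners": dict(listeners),
        "outgoing_ports": dict(outgoing_ports),
        "outgoing_host_count": len(outgoing_hosts),
        "downloads": downloads,
        "root_logins": root_logins,
        "staged_in_writable_dir": staged,
        "masquerading": masquerading,
        "role_anomalies": role_anomalies,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The two flags that matter most on this page come out of the path alone: /dev/shm/ifconfig is both staged in a world-writable tmpfs and named after a system tool, and /usr/sbin/sshd appearing as a port scanner is a role the daemon never has. Feed the full timeline in and the scan counts aggregate per process and port, which is what you compare against egress baselines when deciding which hosts the dropped binary reached.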
|