IP Address: 5.9.153.40 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers | 12.231.219.104, 26.222.1.37, 31.19.237.170, 42.231.30.8, 42.231.63.152, 47.54.141.185, 47.58.64.238, 56.118.47.237, 83.224.155.27, 84.92.232.65, 103.79.152.66, 108.178.43.80, 117.50.179.58, 130.173.177.34, 134.65.125.190, 163.158.135.20, 163.220.16.85, 164.189.232.103, 192.222.122.16, 210.221.227.95, 214.105.226.141, 223.171.91.155, 244.187.109.28
IP Address | 5.9.153.40
Domain | -
ISP | Hetzner Online GmbH
Country | Germany
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-04-07
Last seen in Akamai Guardicore Segmentation | 2022-04-08
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** (Authentication policy: White List)
Tags: Successful SSH Login
/dev/shm/ifconfig was downloaded
Tags: Download File
A user logged in using SSH with the following credentials: root / ****** (Authentication policy: Correct Password)
Tags: Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times
Tags: Superuser Operation
Process /dev/shm/apache2 generated outgoing network traffic to: 103.227.104.29:80, 103.227.104.29:8080, 104.21.25.86:443, 108.178.43.80:2222, 111.113.55.21:80, 111.113.55.21:8080, 113.181.82.77:80, 113.181.82.77:8080, 117.50.179.58:1234, 12.231.219.104:22, 128.166.106.39:80, 128.166.106.39:8080, 130.173.177.34:22, 134.65.125.190:22, 14.210.253.61:80, 14.210.253.61:8080, 140.215.82.150:80, 140.215.82.150:8080, 151.192.251.128:80, 151.192.251.128:8080, 163.158.135.20:2222, 163.220.16.85:2222, 164.189.232.103:22, 168.155.116.133:80, 168.155.116.133:8080, 172.67.133.228:443, 175.153.83.75:80, 175.153.83.75:8080, 184.160.183.98:80, 184.160.183.98:8080, 192.222.122.16:2222, 202.94.94.51:80, 202.94.94.51:8080, 210.221.227.95:2222, 212.190.78.247:80, 212.190.78.247:8080, 214.105.226.141:22, 214.238.24.16:80, 214.238.24.16:8080, 215.200.136.74:80, 215.200.136.74:8080, 223.171.91.155:1234, 244.187.109.28:22, 251.217.133.214:80, 251.217.133.214:8080, 253.165.103.155:80, 253.165.103.155:8080, 26.222.1.37:22, 31.19.237.170:1234, 32.140.241.29:80, 32.140.241.29:8080, 33.152.69.169:80, 33.152.69.169:8080, 42.231.30.8:1234, 42.231.63.152:1234, 43.211.118.93:80, 43.211.118.93:8080, 45.26.177.123:80, 45.26.177.123:8080, 47.54.141.185:22, 47.58.64.238:2222, 50.41.148.198:80, 50.41.148.198:8080, 51.115.142.107:80, 51.115.142.107:8080, 51.75.146.174:443, 52.177.50.79:80, 52.177.50.79:8080, 56.118.47.237:2222, 63.18.30.82:80, 63.18.30.82:8080, 68.203.26.244:80, 68.203.26.244:8080, 7.60.158.193:80, 7.60.158.193:8080, 73.35.241.253:80, 73.35.241.253:8080, 77.124.182.150:80, 77.124.182.150:8080, 81.109.144.119:80, 81.109.144.119:8080, 83.224.155.27:1234, 84.92.232.65:2222, 85.215.155.151:80, 85.215.155.151:8080, 88.226.47.205:80, 88.226.47.205:8080, 92.96.96.62:80 and 92.96.96.62:8080
Tags: Outgoing Connection
Process /dev/shm/apache2 started listening on ports: 1234, 8083 and 8182
Tags: Listening
Process /dev/shm/apache2 attempted to access suspicious domains: adsl, airtel.net, caiway.nl, kabel-deutschland.de, kj4l3yh8.cn, pndsl.co.uk and singlehop.net
Tags: Access Suspicious Domain, Outgoing Connection
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses 2 times
Tags: Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses 2 times
Tags: Port 80 Scan, Port 8080 Scan
Connection was closed due to timeout
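The event lines above are the raw record; the grouping a responder actually wants (which ports are being swept across many hosts, which hosts the binary talks to deliberately, and whether it is both client and server on the same port) has to be derived from them. The following Python script is an added example, not part of the Guardicore report or product: it parses the Outgoing Connection and Listening events copied verbatim from the report, splits the destinations into a horizontal scan (ports 80 and 8080, 32 hosts each) and a short set of directly contacted hosts (ports 22, 2222 and 1234, which apart from 103.79.152.66 reproduces the Associated Attack Servers list above), notes that the process listens on 1234 while also connecting out to six other hosts on 1234, and flags a process image executing from /dev/shm. The scan threshold of 16 distinct hosts per port and the list of scratch directories are assumptions made for this script.

```python
import re
from collections import defaultdict

# Event lines copied verbatim from the report above (constructed input for this example).
OUTGOING_EVENT = (
    "Process /dev/shm/apache2 generated outgoing network traffic to: "
    "103.227.104.29:80, 103.227.104.29:8080, 104.21.25.86:443, 108.178.43.80:2222, 111.113.55.21:80, 111.113.55.21:8080, "
    "113.181.82.77:80, 113.181.82.77:8080, 117.50.179.58:1234, 12.231.219.104:22, 128.166.106.39:80, 128.166.106.39:8080, "
    "130.173.177.34:22, 134.65.125.190:22, 14.210.253.61:80, 14.210.253.61:8080, 140.215.82.150:80, 140.215.82.150:8080, "
    "151.192.251.128:80, 151.192.251.128:8080, 163.158.135.20:2222, 163.220.16.85:2222, 164.189.232.103:22, 168.155.116.133:80, "
    "168.155.116.133:8080, 172.67.133.228:443, 175.153.83.75:80, 175.153.83.75:8080, 184.160.183.98:80, 184.160.183.98:8080, "
    "192.222.122.16:2222, 202.94.94.51:80, 202.94.94.51:8080, 210.221.227.95:2222, 212.190.78.247:80, 212.190.78.247:8080, "
    "214.105.226.141:22, 214.238.24.16:80, 214.238.24.16:8080, 215.200.136.74:80, 215.200.136.74:8080, 223.171.91.155:1234, "
    "244.187.109.28:22, 251.217.133.214:80, 251.217.133.214:8080, 253.165.103.155:80, 253.165.103.155:8080, 26.222.1.37:22, "
    "31.19.237.170:1234, 32.140.241.29:80, 32.140.241.29:8080, 33.152.69.169:80, 33.152.69.169:8080, 42.231.30.8:1234, "
    "42.231.63.152:1234, 43.211.118.93:80, 43.211.118.93:8080, 45.26.177.123:80, 45.26.177.123:8080, 47.54.141.185:22, "
    "47.58.64.238:2222, 50.41.148.198:80, 50.41.148.198:8080, 51.115.142.107:80, 51.115.142.107:8080, 51.75.146.174:443, "
    "52.177.50.79:80, 52.177.50.79:8080, 56.118.47.237:2222, 63.18.30.82:80, 63.18.30.82:8080, 68.203.26.244:80, "
    "68.203.26.244:8080, 7.60.158.193:80, 7.60.158.193:8080, 73.35.241.253:80, 73.35.241.253:8080, 77.124.182.150:80, "
    "77.124.182.150:8080, 81.109.144.119:80, 81.109.144.119:8080, 83.224.155.27:1234, 84.92.232.65:2222, 85.215.155.151:80, "
    "85.215.155.151:8080, 88.226.47.205:80, 88.226.47.205:8080, 92.96.96.62:80 and 92.96.96.62:8080"
)
LISTENING_EVENT = "Process /dev/shm/apache2 started listening on ports: 1234, 8083 and 8182"

PROCESS_RE = re.compile(r"^Process (\S+) ")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")

# Writable scratch directories no legitimate service binary should execute from.
# Assumed list for this script; extend it to match your environment.
SUSPICIOUS_EXE_DIRS = ("/dev/shm/", "/run/shm/", "/tmp/", "/var/tmp/")


def process_image(event):
    """Return the executable path named at the start of an event line, or None."""
    m = PROCESS_RE.match(event)
    return m.group(1) if m else None


def parse_outgoing(event):
    """Map destination port -> set of destination IPs from an Outgoing Connection event."""
    by_port = defaultdict(set)
    for ip, port in ENDPOINT_RE.findall(event):
        by_port[int(port)].add(ip)
    return dict(by_port)


def parse_listening(event):
    """Return the list of ports named in a Listening event."""
    _, _, tail = event.partition("ports:")
    return [int(p) for p in re.findall(r"\d+", tail)]


def classify(by_port, listen_ports, scan_threshold=16):
    """Split destinations into horizontal-scan ports and a small set of directly contacted hosts.

    A port reached on at least scan_threshold distinct hosts is treated as a scan
    (assumed cutoff; the report shows 32 hosts per swept port). The remaining
    ports are deliberate contacts. A contact port the process also listens on
    means it acts as both client and server on that port.
    """
    scan_ports = sorted(p for p, ips in by_port.items() if len(ips) >= scan_threshold)
    contact_ports = sorted(p for p in by_port if p not in scan_ports)
    scan_targets = set().union(*(by_port[p] for p in scan_ports)) if scan_ports else set()
    return {
        "scan_ports": scan_ports,
        "scan_target_count": len(scan_targets),
        "contacts": {p: sorted(by_port[p]) for p in contact_ports},
        "client_and_server_ports": sorted(set(contact_ports) & set(listen_ports)),
    }


def suspicious_image(path):
    """True if the executable lives in a writable scratch directory."""
    return path.startswith(SUSPICIOUS_EXE_DIRS)


def contact_iocs(by_port, listen_ports):
    """Flat, sorted list of directly contacted IPs for a hunt query or blocklist review."""
    info = classify(by_port, listen_ports)
    return sorted({ip for ips in info["contacts"].values() for ip in ips})


if __name__ == "__main__":
    proc = process_image(OUTGOING_EVENT)
    by_port = parse_outgoing(OUTGOING_EVENT)
    listen = parse_listening(LISTENING_EVENT)
    info = classify(by_port, listen)
    print(f"{proc}: suspicious image = {suspicious_image(proc)}")
    print("scan ports", info["scan_ports"], "over", info["scan_target_count"], "hosts")
    for port, ips in info["contacts"].items():
        print(f"contact port {port}: {len(ips)} hosts")
    print("listens on contact port(s):", info["client_and_server_ports"])
    print("contact IOCs:", len(contact_iocs(by_port, listen)))
```

Review the three port-443 destinations before treating them as attack infrastructure; the report does not say what they are, and a downloader reaching an ordinary web service would look the same in this view. On a live host the equivalent image check is `readlink /proc/<pid>/exe` for each pid shown by `ss -lntp`; /dev/shm is a memory-backed tmpfs, so both /dev/shm/ifconfig and /dev/shm/apache2 vanish on reboot and should be copied off the box before it is powered down.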
|