IP Address: 51.250.48.28 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
| Field | Value |
|---|---|
| Role | Attacker, Scanner |
| Services Targeted | SCP |
| Tags | Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution |
| Associated Attack Servers | 31.39.246.235, 46.87.228.206, 88.204.242.54, 101.35.138.55, 107.175.215.247, 111.184.44.162, 113.176.83.159, 116.35.23.186, 122.14.209.181, 139.99.23.200, 180.2.148.236, 184.83.112.246, 200.73.90.194, 217.23.158.174, 220.177.91.1, 251.29.115.243 |
| IP Address | 51.250.48.28 |
| Domain | - |
| ISP | Zen Internet Ltd |
| Country | United Kingdom |
| WHOIS Created Date | - |
| WHOIS Updated Date | - |
| Organization | - |
| First seen in Akamai Guardicore Segmentation | 2022-04-03 |
| Last seen in Akamai Guardicore Segmentation | 2022-04-08 |
| Event | Tags |
|---|---|
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login |
| A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login |
| A possibly malicious Superuser Operation was detected 2 times | Superuser Operation |
| The file /var/tmp/ifconfig was downloaded and executed | Download and Execute |
| The file /var/tmp/apache2 was downloaded and executed 209 times | Download and Execute |
| Process /var/tmp/apache2 generated outgoing network traffic to: 104.21.25.86:443, 11.235.142.167:80, 11.235.142.167:8080, 112.145.60.77:80, 112.145.60.77:8080, 112.77.188.138:80, 112.77.188.138:8080, 113.17.169.186:80, 113.17.169.186:8080, 115.160.52.204:22, 118.17.67.143:80, 118.17.67.143:8080, 119.112.121.114:22, 120.136.134.153:1234, 123.13.157.67:1234, 123.243.195.3:80, 123.243.195.3:8080, 124.73.35.128:80, 124.73.35.128:8080, 125.66.244.51:80, 125.66.244.51:8080, 13.206.106.209:80, 13.206.106.209:8080, 131.162.160.242:80, 131.162.160.242:8080, 132.48.207.179:80, 132.48.207.179:8080, 153.126.4.192:80, 153.126.4.192:8080, 155.221.241.185:80, 155.221.241.185:8080, 155.93.185.229:22, 171.199.220.81:80, 171.199.220.81:8080, 171.73.116.50:2222, 172.67.133.228:443, 18.141.150.24:2222, 183.213.223.223:2222, 184.248.247.11:80, 184.248.247.11:8080, 189.129.32.61:2222, 193.38.40.109:80, 193.38.40.109:8080, 195.234.160.154:80, 195.234.160.154:8080, 2.68.94.69:22, 2.71.130.106:80, 2.71.130.106:8080, 207.127.87.247:2222, 209.17.70.244:22, 209.251.220.167:80, 209.251.220.167:8080, 22.211.240.247:22, 221.122.176.163:2222, 223.171.79.11:1234, 24.127.49.180:80, 24.127.49.180:8080, 245.160.233.130:80, 245.160.233.130:8080, 246.134.82.72:22, 249.250.113.84:80, 249.250.113.84:8080, 250.55.231.155:80, 250.55.231.155:8080, 253.84.40.17:80, 253.84.40.17:8080, 27.1.241.61:80, 27.1.241.61:8080, 43.111.144.107:80, 43.111.144.107:8080, 47.118.245.24:80, 47.118.245.24:8080, 5.161.42.72:1234, 51.75.146.174:443, 62.51.134.92:2222, 68.115.40.33:80, 68.115.40.33:8080, 70.176.38.39:80, 70.176.38.39:8080, 75.97.44.172:1234, 80.86.21.114:2222, 81.10.163.162:80, 81.10.163.162:8080, 84.119.69.107:1234, 87.122.83.174:80, 87.122.83.174:8080, 93.176.229.145:1234, 93.58.136.167:80 and 93.58.136.167:8080 | Outgoing Connection |
| Process /var/tmp/apache2 started listening on ports: 1234, 8080 and 8189 | Listening |
| Process /var/tmp/apache2 attempted to access suspicious domains: adsl, cgocable.net, coolideas.co.za, dsnet, prod-infinitum.com.mx, ptd.net, sileman.net.pl, tre.se and vodafone-ip.de | Access Suspicious Domain, Outgoing Connection |
| Process /var/tmp/apache2 scanned port 80 on 32 IP Addresses 2 times | Port 80 Scan, Port 8080 Scan |
| Process /var/tmp/apache2 scanned port 8080 on 32 IP Addresses 2 times | Port 80 Scan, Port 8080 Scan |
| The file /usr/bin/uptime was downloaded and executed | Download and Execute |
| The file /var/tmp/php-fpm was downloaded and executed 33 times | Download and Execute |
| The file /var/tmp/php-fpm was downloaded and executed 13 times | Download and Execute |
| The file /var/tmp/php-fpm was downloaded and executed 13 times | Download and Execute |
| The file /var/tmp/php-fpm was downloaded and executed 8 times | Download and Execute |
| Connection was closed due to timeout | |