IP Address: 51.37.172.118Previously Malicious
IP Address: 51.37.172.118Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
|
Role |
Attacker, Scanner |
|
Services Targeted |
SCP SSH |
|
Tags |
System File Modification Port 1234 Scan SSH Listening SCP Port 80 Scan Port 8080 Scan Superuser Operation 10 Shell Commands Successful SSH Login Download and Execute Download File Outgoing Connection |
|
Associated Attack Servers |
36.77.94.79 147.182.233.56 161.35.79.199 172.64.110.32 172.64.111.32 178.117.131.111 206.189.25.255 209.216.177.158 |
|
IP Address |
51.37.172.118 |
|
|
Domain |
- |
|
|
ISP |
Vodafone Ireland |
|
|
Country |
Ireland |
|
|
WHOIS |
Created Date |
- |
|
Updated Date |
- |
|
|
Organization |
- |
|
|
First seen in Akamai Guardicore Segmentation |
2022-09-05 |
|
Last seen in Akamai Guardicore Segmentation |
2022-09-27 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
|
The file /root/ifconfig was downloaded and granted execution privileges |
|
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 10 times |
Successful SSH Login |
|
/var/tmp/ifconfig was downloaded |
Download File |
|
Process /bin/bash scanned port 1234 on 25 IP Addresses |
Port 1234 Scan |
|
Process /usr/sbin/sshd scanned port 1234 on 25 IP Addresses |
Port 1234 Scan |
|
Process /etc/apache2 scanned port 1234 on 25 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /etc/apache2 scanned port 80 on 25 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /etc/apache2 scanned port 8080 on 25 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /etc/apache2 scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /etc/apache2 scanned port 1234 on 17 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /bin/bash scanned port 1234 on 25 IP Addresses |
Port 1234 Scan |
|
Process /usr/sbin/sshd scanned port 1234 on 25 IP Addresses |
Port 1234 Scan |
|
System file /etc/ifconfig was modified 16 times |
System File Modification |
|
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
|
The file /etc/ifconfig was downloaded and executed 5 times |
Download and Execute |
|
System file /etc/apache2 was modified 4 times |
System File Modification |
|
The file /etc/apache2 was downloaded and executed 114 times |
Download and Execute |
|
Process /etc/apache2 generated outgoing network traffic to: 1.1.1.1:443, 103.115.105.122:80, 103.115.105.122:8080, 104.21.25.86:443, 104.231.41.61:80, 104.231.41.61:8080, 108.158.204.41:80, 108.158.204.41:8080, 118.218.209.149:1234, 118.41.204.72:1234, 119.134.28.38:80, 119.134.28.38:8080, 123.132.238.210:1234, 124.115.231.214:1234, 124.115.231.214:22, 124.223.14.100:1234, 132.133.215.32:80, 142.250.190.68:443, 150.107.95.20:1234, 151.226.95.237:80, 159.28.241.221:80, 16.215.5.134:80, 16.215.5.134:8080, 161.107.113.27:1234, 161.35.79.199:1234, 170.186.168.152:80, 170.186.168.152:8080, 173.211.210.202:80, 174.13.10.245:80, 174.13.10.245:8080, 181.44.64.114:80, 182.72.34.120:80, 182.72.34.120:8080, 190.12.120.30:1234, 190.138.240.233:1234, 208.171.58.181:80, 208.171.58.181:8080, 210.99.20.194:1234, 211.249.92.104:80, 211.249.92.104:8080, 212.57.36.20:1234, 213.25.55.27:80, 213.25.55.27:8080, 222.100.124.62:1234, 222.103.98.58:1234, 222.134.240.91:1234, 222.134.240.92:1234, 223.171.91.149:1234, 249.162.65.59:80, 252.250.96.163:80, 252.250.96.163:8080, 26.27.187.214:80, 39.175.68.100:1234, 43.242.247.139:1234, 46.13.164.29:1234, 49.166.15.82:80, 49.166.15.82:8080, 51.75.146.174:443, 53.131.151.11:80, 55.247.173.156:80, 59.3.186.45:1234, 64.227.132.175:1234, 66.120.220.42:80, 66.120.220.42:8080, 71.130.146.115:80, 71.15.49.205:80, 76.72.55.172:80, 76.72.55.172:8080, 79.231.236.49:80, 8.8.4.4:443, 8.8.8.8:443, 83.166.217.204:80, 83.166.217.204:8080, 84.204.148.99:1234, 90.230.153.125:80, 96.171.125.29:80, 97.191.160.243:80, 97.191.160.243:8080 and 97.242.150.118:80 |
Outgoing Connection |
|
Process /etc/apache2 started listening on ports: 1234, 8089 and 8186 |
Listening |
|
Process /etc/apache2 scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /etc/apache2 scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /etc/apache2 scanned port 80 on 17 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
Process /etc/apache2 scanned port 8080 on 17 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
|
The file /usr/local/bin/dash was downloaded and executed |
Download and Execute |
|
The file /usr/bin/uptime was downloaded and executed |
Download and Execute |
|
Connection was closed due to timeout |
|
|
/var/tmp/ifconfig |
SHA256: 3b9707d2b3c510499a866fe655f57f05eba1eb55566b03979602e5b9d6616a05 |
655360 bytes |
|
/var/tmp/ifconfig |
SHA256: fc67a5ff1acc35f9c4ef21c8429bb047e956486f2c12d401950cc7551f601195 |
2326528 bytes |
© 2023 Akamai Technologies