IP Address: 52.131.32.110 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Connect-Back, Scanner
Services Targeted | SCP, SSH
Tags | Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution
Associated Attack Servers |
IP Address | 52.131.32.110
Domain | -
ISP | Shanghai Blue Cloud Technology Co., Ltd
Country | China
WHOIS
Created Date | -
Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-05
Last seen in Akamai Guardicore Segmentation | 2022-06-09
What is Akamai Guardicore Segmentation? Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
./ifconfig was downloaded | Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
The file /root/ifconfig was downloaded and executed | Download and Execute
The file /root/apache2 was downloaded and executed 207 times | Download and Execute
Process /root/ifconfig scanned port 22 on 12 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 22 on 32 IP Addresses 2 times | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 80 on 12 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 8080 on 12 IP Addresses | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig generated outgoing network traffic to a list of external IP addresses and ports | Outgoing Connection
Process /root/ifconfig started listening on ports: 1234, 8085 and 8180 | Listening
Process /root/ifconfig attempted to access suspicious domains: exede.net and limerick.co.in | Access Suspicious Domain, Outgoing Connection
Process /root/ifconfig scanned port 80 on 32 IP Addresses 2 times | Port 22 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 8080 on 32 IP Addresses 2 times | Port 22 Scan, Port 80 Scan, Port 8080 Scan
The file /root/php-fpm was downloaded and executed 15 times | Download and Execute
The file /root/php-fpm was downloaded and executed 14 times | Download and Execute
The file /usr/bin/free was downloaded and executed | Download and Execute
The file /usr/bin/uptime was downloaded and executed | Download and Execute
The file /root/php-fpm was downloaded and executed 12 times | Download and Execute
The file /root/php-fpm was downloaded and executed 8 times | Download and Execute
The file /root/php-fpm was downloaded and granted execution privileges | Download and Allow Execution
The file /root/php-fpm was downloaded and executed 10 times | Download and Execute
Connection was closed due to timeout |
|