IP Address: 61.181.247.238 (Previously Malicious)
This IP address attempted an attack on a machine in our threat-sensor network.
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: SSH; Superuser Operation; Download and Allow Execution; Successful SSH Login; Download and Execute
Associated Attack Servers: 13.208.252.169, 35.165.157.76, 62.216.223.81, 64.202.133.113, 96.126.124.197, 103.132.196.106, 172.64.200.11
IP Address: 61.181.247.238
Domain: -
ISP: China Telecom
Country: China
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-07-29
Last seen in Akamai Guardicore Segmentation: 2022-11-18
Incident events
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
[System File Modification] System file /etc/ifconfig was modified 4 times
[Successful SSH Login] A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
[Superuser Operation] A possibly malicious Superuser Operation was detected 2 times
[Download and Execute] The file /etc/ifconfig was downloaded and executed 5 times
[Download and Execute] The file /etc/apache2 was downloaded and executed 1280 times
[Port 1234 Scan, Port 80 Scan] Process /etc/ifconfig scanned port 1234 on 33 IP Addresses
[Port 1234 Scan, Port 80 Scan] Process /etc/ifconfig scanned port 80 on 33 IP Addresses
[Port 1234 Scan, Port 80 Scan] Process /etc/ifconfig scanned port 1234 on 42 IP Addresses
[Port 1234 Scan] Process /bin/nc.openbsd scanned port 1234 on 33 IP Addresses
[Port 1234 Scan] Process /bin/bash scanned port 1234 on 33 IP Addresses
[Outgoing Connection] Process /etc/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 103.105.12.48:1234, 107.171.97.149:80, 11.253.128.194:80, 110.185.9.240:80, 111.53.11.130:1234, 117.16.44.111:1234, 117.80.212.33:1234, 118.132.236.157:80, 118.218.209.149:1234, 118.41.204.72:1234, 12.233.153.91:80, 12.251.127.213:80, 12.49.192.18:80, 125.115.230.99:80, 129.120.22.82:80, 13.38.83.64:80, 133.211.118.159:80, 139.236.129.29:80, 142.250.191.228:443, 147.182.233.56:1234, 151.50.111.145:80, 158.177.194.150:80, 158.76.37.21:80, 159.39.153.201:80, 161.107.113.34:1234, 161.70.98.32:1234, 171.58.225.6:80, 172.64.201.11:443, 183.213.26.13:1234, 183.89.83.198:80, 185.210.144.122:1234, 190.60.239.44:1234, 191.167.67.153:80, 191.242.182.210:1234, 195.93.29.230:80, 2.182.210.80:80, 201.100.32.97:80, 202.39.125.207:80, 203.141.61.84:80, 203.233.3.123:80, 209.216.177.238:1234, 210.99.20.194:1234, 218.109.101.146:80, 218.146.15.97:1234, 219.193.116.209:80, 220.243.148.80:1234, 222.134.240.91:1234, 222.134.240.92:1234, 222.165.136.99:1234, 223.171.91.149:1234, 223.99.166.104:1234, 246.217.47.75:80, 25.172.149.139:80, 250.148.239.119:80, 40.146.105.186:80, 43.242.247.139:1234, 47.229.11.132:80, 51.159.19.47:1234, 51.75.146.174:443, 54.67.220.218:80, 56.143.245.73:80, 58.229.125.66:1234, 59.3.186.45:1234, 61.77.105.219:1234, 62.12.106.5:1234, 64.227.132.175:1234, 68.154.228.149:80, 7.210.180.79:80, 70.168.89.176:80, 72.142.222.194:80, 76.177.80.26:80, 77.180.45.206:80, 8.8.4.4:443, 8.8.8.8:443, 80.147.162.151:1234, 95.154.21.210:1234, 95.154.21.210:2222, 98.116.34.142:80 and 99.200.180.229:80
[Listening] Process /etc/ifconfig started listening on ports: 1234, 8085 and 8180
[Access Suspicious Domain, Outgoing Connection] Process /etc/ifconfig attempted to access suspicious domains: sefiber.dk
[Port 1234 Scan, Port 80 Scan] Process /etc/ifconfig scanned port 80 on 42 IP Addresses
Connection was closed due to timeout

Note on the paths: the legitimate ifconfig binary lives in /sbin or /usr/sbin, and on Debian-family systems /etc/apache2 is a configuration directory, not a program. Executable files written under /etc with these familiar names, then used to scan port 1234 and port 80 and to open listeners, indicate dropped payloads masquerading as system components rather than modified system software.
File: /var/tmp/dota3.tar.gz
SHA256: 7010049319b427effbaf8cab920e126de2061e285b0394feea0e8ee6c815381f
Size: 176128 bytes
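A host-side sweep for the indicators in this record, added here as an example (it is not Akamai Guardicore's code and not the attacker's tooling). It checks for executables dropped under /etc, hashes /var/tmp/dota3.tar.gz against the SHA256 above, and parses /proc/net/tcp for listeners on 1234, 8085 and 8180 and for established sessions to the associated attack servers. The `root` parameter, the `build_sample_tree` fixture and `demo_sweep` are assumptions added for offline testing, and the address decoding assumes a little-endian host, which is how /proc/net/tcp appears on x86 and common ARM Linux systems.

```python
"""Host IOC sweep for the 61.181.247.238 intrusion pattern (added example)."""
import hashlib
import os
import socket
import struct
import tempfile

# Indicators copied from the threat record above.
DROPPED_BINARIES = ["/etc/ifconfig", "/etc/apache2"]
ARCHIVE_PATH = "/var/tmp/dota3.tar.gz"
ARCHIVE_SHA256 = "7010049319b427effbaf8cab920e126de2061e285b0394feea0e8ee6c815381f"
LISTEN_PORTS = {1234, 8085, 8180}
ATTACK_SERVERS = {"13.208.252.169", "35.165.157.76", "62.216.223.81", "64.202.133.113",
                  "96.126.124.197", "103.132.196.106", "172.64.200.11"}
TCP_ESTABLISHED, TCP_LISTEN = "01", "0A"   # socket state codes as printed in /proc/net/tcp


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def decode_proc_addr(field):
    """'0100007F:04D2' -> ('127.0.0.1', 1234). The kernel prints the IPv4 address
    as a host-order 32-bit hex word, so on a little-endian host (assumed here)
    the octets appear reversed."""
    hex_ip, hex_port = field.split(":")
    return socket.inet_ntoa(struct.pack("<L", int(hex_ip, 16))), int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Return (local_ip, local_port, remote_ip, remote_port, state) per socket row."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        lip, lport = decode_proc_addr(parts[1])
        rip, rport = decode_proc_addr(parts[2])
        rows.append((lip, lport, rip, rport, parts[3]))
    return rows


def sweep(root="/"):
    """Return (indicator, detail) findings. `root` is an assumed parameter so the
    sweep can run over a mounted image or a constructed tree instead of the live host."""
    def full(path):
        return os.path.join(root, path.lstrip("/"))
    findings = []

    # 1. Executables under /etc: ifconfig belongs in /sbin or /usr/sbin, and
    #    apache2 there would normally be a config directory, never a program.
    for path in DROPPED_BINARIES:
        if os.path.isfile(full(path)) and os.access(full(path), os.X_OK):
            findings.append(("executable_in_etc", path))

    # 2. The staged archive, compared against the published SHA256.
    if os.path.isfile(full(ARCHIVE_PATH)):
        digest = sha256_of(full(ARCHIVE_PATH))
        tag = "archive_hash_match" if digest == ARCHIVE_SHA256 else "archive_present_hash_differs"
        findings.append((tag, f"{ARCHIVE_PATH} sha256={digest}"))

    # 3. Sockets: the implant's listeners and sessions to the attack servers.
    if os.path.isfile(full("/proc/net/tcp")):
        with open(full("/proc/net/tcp")) as f:
            for lip, lport, rip, rport, state in parse_proc_net_tcp(f.read()):
                if state == TCP_LISTEN and lport in LISTEN_PORTS:
                    findings.append(("listener_on_implant_port", f"{lip}:{lport}"))
                elif state == TCP_ESTABLISHED and rip in ATTACK_SERVERS:
                    findings.append(("session_to_attack_server", f"{rip}:{rport}"))
    return findings


def build_sample_tree(root):
    """Constructed fixture, not real evidence: a fake root with a dropped
    /etc/ifconfig, a placeholder archive, and a /proc/net/tcp showing a
    listener on 1234 plus an SSH session to one of the attack servers."""
    for d in ("etc", "var/tmp", "proc/net"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    with open(os.path.join(root, "etc/ifconfig"), "wb") as f:
        f.write(b"#!/bin/sh\n")
    os.chmod(os.path.join(root, "etc/ifconfig"), 0o755)
    with open(os.path.join(root, "var/tmp/dota3.tar.gz"), "wb") as f:
        f.write(b"placeholder, not the real archive")
    # 13.208.252.169 in /proc/net/tcp little-endian form is A9FCD00D; port 22 is 0016.
    with open(os.path.join(root, "proc/net/tcp"), "w") as f:
        f.write("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
                "   0: 00000000:04D2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1 1 0 100 0 0 10 0\n"
                "   1: 0500000A:A8CA A9FCD00D:0016 01 00000000:00000000 00:00000000 00000000     0        0 2 1 0 100 0 0 10 0\n")


def demo_sweep():
    """Run the sweep over the constructed tree and return its findings."""
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    build_sample_tree(root)
    return sweep(root)


if __name__ == "__main__":
    for indicator, detail in sweep("/"):
        print(indicator, detail)
```

Run it as root on a suspect host to read /proc/net/tcp for every process; a non-match on the archive hash is still reported, since a re-packed dropper at the same path is worth a look even when the digest differs.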