IP Address: 78.30.36.153 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Port 1234 Scan, SSH, Listening, 9 Shell Commands, SCP, Port 80 Scan, Port 8080 Scan, Superuser Operation, Download and Allow Execution, Successful SSH Login, Download and Execute, Download File, Outgoing Connection
Associated Attack Servers:
  IP Address: 78.30.36.153
  Domain: -
  ISP: XTRA TELECOM S.A.
  Country: Spain
  WHOIS:
    Created Date: -
    Updated Date: -
  Organization: -
First seen in Akamai Guardicore Segmentation: 2022-09-06
Last seen in Akamai Guardicore Segmentation: 2022-10-08
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
  Tag: Successful SSH Login
Process /bin/nc.openbsd scanned port 1234 on 26 IP Addresses
  Tag: Port 1234 Scan
Process /var/tmp/apache2 scanned port 1234 on 26 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/apache2 scanned port 1234 on 32 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/apache2 scanned port 1234 on 21 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/apache2 scanned port 80 on 26 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/apache2 scanned port 8080 on 26 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /bin/nc.openbsd scanned port 1234 on 26 IP Addresses
  Tag: Port 1234 Scan
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 10 times
  Tag: Successful SSH Login
/dev/shm/ifconfig was downloaded
  Tag: Download File
/tmp/ifconfig was downloaded
  Tag: Download File
./ifconfig was downloaded
  Tag: Download File
The file /var/tmp/ifconfig was downloaded and executed 5 times
  Tag: Download and Execute
The file /var/tmp/apache2 was downloaded and executed 37 times
  Tag: Download and Execute
Process /var/tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.40.125.163:80, 101.40.125.163:8080, 103.105.12.48:1234, 104.21.25.86:443, 104.39.83.161:80, 105.159.48.178:80, 105.159.48.178:8080, 117.142.58.108:80, 12.57.75.225:80, 120.224.34.31:1234, 120.224.34.31:22, 123.132.238.210:1234, 128.167.204.5:80, 128.167.204.5:8080, 129.160.102.139:80, 130.115.13.104:80, 130.115.13.104:8080, 141.1.107.246:80, 142.250.190.36:443, 144.210.151.124:80, 144.210.151.124:8080, 147.182.233.56:1234, 147.182.233.56:2222, 147.6.136.215:80, 147.6.136.215:8080, 157.127.102.96:80, 157.127.102.96:8080, 161.107.113.34:1234, 161.70.98.32:1234, 167.121.59.242:80, 173.18.35.41:1234, 18.124.246.141:80, 18.124.246.141:8080, 182.224.177.56:1234, 184.83.112.246:1234, 185.251.157.112:80, 185.251.157.112:8080, 19.84.209.44:80, 190.60.239.44:1234, 191.242.182.210:1234, 191.242.188.103:1234, 192.114.104.84:80, 197.199.22.94:80, 2.20.160.223:80, 2.20.160.223:8080, 202.61.203.229:1234, 209.216.177.158:1234, 216.38.159.140:80, 216.38.159.140:8080, 218.25.153.240:80, 222.121.63.87:1234, 223.171.91.127:1234, 223.171.91.149:1234, 252.34.83.248:80, 252.34.83.248:8080, 253.192.238.221:80, 253.192.238.221:8080, 29.215.179.60:80, 29.215.179.60:8080, 3.128.194.172:80, 3.128.194.172:8080, 31.19.237.170:1234, 34.2.98.225:80, 34.2.98.225:8080, 39.175.68.100:1234, 43.242.247.139:1234, 44.183.132.3:80, 44.183.132.3:8080, 45.120.216.114:1234, 51.75.146.174:443, 62.31.126.1:80, 62.31.126.1:8080, 64.157.157.170:80, 64.157.157.170:8080, 70.164.77.213:80, 70.164.77.213:8080, 78.5.201.71:80, 78.5.201.71:8080, 8.8.8.8:443, 82.66.5.84:1234, 86.133.233.66:1234, 94.153.165.43:1234 and 94.81.103.136:80
  Tag: Outgoing Connection
Process /var/tmp/apache2 started listening on ports: 1234, 8088 and 8184
  Tag: Listening
Process /var/tmp/apache2 scanned port 80 on 32 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/apache2 scanned port 80 on 21 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/apache2 scanned port 8080 on 32 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /var/tmp/apache2 scanned port 8080 on 21 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
A possibly malicious Superuser Operation was detected 2 times
  Tag: Superuser Operation
The file /root/ifconfig was downloaded and executed 5 times
  Tag: Download and Execute
The file /root/apache2 was downloaded and executed 68 times
  Tag: Download and Execute
Process /root/ifconfig started listening on ports: 1234, 8080 and 8185
  Tag: Listening
Connection was closed due to timeout
|
/var/tmp/ifconfig
  SHA256: 2fd96aa6470f930f543ef665fcc62ffa4dfe6646b8f506c11b452a191800285b
  Size: 2392064 bytes
/var/tmp/ifconfig
  SHA256: b2712bdabd192560eb201c14818ff1368c742242fee50fb164ef9f84142462fc
  Size: 2031616 bytes