IP Address: 78.30.46.149 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution
Associated Attack Servers: 8.215.36.214, 13.214.241.30, 31.5.132.239, 42.231.29.38, 44.21.97.246, 52.25.89.22, 64.250.24.119, 68.162.216.64, 68.239.238.152, 80.29.39.22, 82.157.50.152, 82.200.244.154, 83.242.223.103, 93.76.148.147, 93.222.217.191, 101.43.63.42, 102.83.120.165, 102.152.89.109, 103.56.113.37, 126.101.164.73, 131.156.242.156, 148.25.226.104, 160.150.158.11, 180.166.165.212, 180.249.77.195, 184.83.112.246, 193.194.91.211, 199.209.179.114, 210.101.83.129
IP Address: 78.30.46.149
Domain: -
ISP: XTRA TELECOM S.A.
Country: Spain
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-03-24
Last seen in Akamai Guardicore Segmentation: 2022-04-20
What is Akamai Guardicore Segmentation? Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: White List)
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** (authentication policy: Correct Password)
Superuser Operation: A possibly malicious superuser operation was detected 2 times
Download and Execute: The file /tmp/ifconfig was downloaded and executed 6 times
Download and Execute: The file /tmp/apache2 was downloaded and executed 194 times
Port 1234 Scan, Port 80 Scan: Process /tmp/apache2 scanned port 1234 on 41 IP addresses
Port 1234 Scan, Port 80 Scan: Process /tmp/apache2 scanned port 1234 on 32 IP addresses
Port 1234 Scan, Port 80 Scan: Process /tmp/apache2 scanned port 80 on 41 IP addresses
Port 1234 Scan: Process /bin/nc.openbsd scanned port 1234 on 41 IP addresses
Outgoing Connection: Process /tmp/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.150.17.233:80, 101.43.104.203:1234, 101.43.45.122:1234, 103.152.118.20:1234, 103.90.177.102:1234, 104.200.17.39:1234, 107.9.246.132:80, 111.53.11.134:1234, 121.4.175.19:1234, 122.14.222.124:1234, 123.132.238.210:1234, 124.221.73.47:1234, 124.222.191.233:1234, 130.16.58.24:80, 134.253.160.133:80, 137.21.18.213:80, 139.148.27.150:1234, 139.209.222.134:1234, 14.35.205.157:1234, 142.250.191.228:443, 149.6.183.100:80, 153.173.90.85:80, 157.193.40.83:80, 159.95.1.8:80, 161.99.142.33:80, 162.221.142.193:80, 162.221.142.193:8080, 171.28.6.225:80, 172.67.133.228:443, 174.70.19.101:80, 174.82.76.179:80, 175.123.161.28:1234, 175.178.179.67:1234, 177.195.67.95:1234, 179.230.137.66:80, 179.235.125.73:80, 18.212.180.57:1234, 183.213.26.13:1234, 190.6.66.250:1234, 192.144.229.35:1234, 195.90.209.86:1234, 197.113.123.3:80, 199.235.26.96:80, 20.92.106.247:1234, 209.216.177.158:1234, 209.216.177.158:2222, 210.99.20.194:1234, 220.179.231.169:1234, 222.121.63.87:1234, 222.121.63.87:22, 223.151.170.119:80, 26.82.214.233:80, 35.167.157.168:80, 35.167.157.168:8080, 35.182.199.17:80, 4.78.189.252:80, 40.157.56.247:80, 41.146.116.14:80, 42.231.63.160:1234, 46.21.58.160:80, 47.37.138.79:1234, 49.233.159.222:1234, 51.75.146.174:443, 54.148.40.17:443, 55.25.57.166:80, 59.2.62.58:1234, 59.79.48.216:80, 67.192.141.174:80, 69.216.156.13:80, 73.128.162.231:80, 8.8.8.8:443, 80.147.162.151:1234, 81.70.147.119:1234, 81.70.196.27:1234, 81.70.94.80:1234, 82.157.50.152:1234, 83.224.130.249:1234, 85.51.217.156:1234, 86.133.233.66:1234 and 99.230.109.102:80
Listening: Process /tmp/apache2 started listening on ports 1234, 8085 and 8188
Port 1234 Scan, Port 80 Scan: Process /tmp/apache2 scanned port 80 on 32 IP addresses
Access Suspicious Domain, Outgoing Connection: Process /tmp/apache2 attempted to access suspicious domains: tvscable.com
Download and Execute: The file /usr/bin/uptime was downloaded and executed
Download and Allow Execution: The file /tmp/php-fpm was downloaded and granted execution privileges 2 times
Download and Execute: The file /usr/bin/free was downloaded and executed
Download and Execute: The file /tmp/php-fpm was downloaded and executed 19 times
Download and Execute: The file /tmp/php-fpm was downloaded and executed 5 times
Connection was closed due to timeout
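The timeline above shows two behaviours worth turning into reusable checks: payloads staged in /tmp under the names of legitimate daemons and tools (/tmp/apache2, /tmp/php-fpm, /tmp/ifconfig), with /bin/nc.openbsd launched from that staged binary to scan the same port 1234 it listens on; and a long "Outgoing Connection" destination list dominated by one port. The following is an added example, not code from the Akamai Guardicore report or product: a host-side execution triage plus an IOC extractor for the endpoint line. The execution events are constructed to mirror the report's paths (not real sensor output), the endpoint string is a short excerpt of the report's list in its original format, and the extra staging directories, daemon names and the treatment of 1.1.1.1 / 8.8.8.8 as connectivity checks rather than C2 are assumptions.

```python
"""Added example, not part of the Akamai Guardicore report above: turn the
behaviours it lists into two reusable checks, a host-side execution triage and
an IOC extractor for the 'Outgoing Connection' line. Sample data is constructed
from the report's own paths and a short excerpt of its endpoint list."""
import ipaddress
import re
from collections import Counter

# Staging directories the report shows payloads being dropped into (/tmp on
# this page; the other two are common equivalents, added as an assumption).
STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Legitimate daemon/tool names the dropper reused for its /tmp payloads, taken
# from the report (apache2, php-fpm, ifconfig); the rest are assumed additions.
DAEMON_NAMES = {"apache2", "php-fpm", "ifconfig", "httpd", "nginx", "sshd"}

# Public DNS resolvers; connections to them are a weak IOC on their own
# (assumption: the malware used them for connectivity checks, not C2).
PUBLIC_RESOLVERS = {"1.1.1.1", "8.8.8.8"}

# Constructed execve-style events modelled on the report's timeline:
# (executable path, parent process, uid). Not real sensor output.
SAMPLE_EXECS = [
    ("/tmp/ifconfig", "sshd", 0),
    ("/tmp/apache2", "bash", 0),
    ("/bin/nc.openbsd", "/tmp/apache2", 0),
    ("/usr/sbin/apache2", "systemd", 33),   # the real daemon, must not fire
    ("/usr/bin/free", "bash", 1000),        # a trojanised copy is invisible here
]

# Excerpt of the report's 'Outgoing Connection' destinations, same format.
SAMPLE_OUTGOING = (
    "1.1.1.1:443, 101.43.104.203:1234, 103.152.118.20:1234, 107.9.246.132:80, "
    "162.221.142.193:8080, 209.216.177.158:2222, 222.121.63.87:1234, "
    "8.8.8.8:443 and 99.230.109.102:80"
)

ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def classify_exec(path: str, parent: str, uid: int) -> list:
    """Return the detection tags an execution event matches (empty = benign)."""
    tags = []
    name = path.rsplit("/", 1)[-1]
    if path.startswith(STAGING_DIRS):
        tags.append("exec-from-staging-dir")
        if name in DAEMON_NAMES:
            # /tmp/apache2 is not apache2: the name only survives a glance at ps.
            tags.append("daemon-name-masquerade")
    if parent.startswith(STAGING_DIRS):
        tags.append("child-of-staged-binary")   # e.g. nc launched by /tmp/apache2
    if tags and uid == 0:
        tags.append("as-root")
    return tags


def triage(events) -> dict:
    """Map each flagged executable path to its tags; unflagged events are dropped."""
    return {path: tags for path, parent, uid in events
            if (tags := classify_exec(path, parent, uid))}


def parse_endpoints(text: str) -> list:
    """Extract (ip, port) pairs from free text, skipping malformed entries."""
    out = []
    for ip, port in ENDPOINT_RE.findall(text):
        try:
            ipaddress.IPv4Address(ip)      # rejects octets above 255
        except ValueError:
            continue
        p = int(port)
        if 0 < p < 65536:
            out.append((ip, p))
    return out


def port_profile(endpoints) -> Counter:
    """Count destinations per port; the dominant port is the one to hunt for."""
    return Counter(port for _, port in endpoints)


def network_iocs(endpoints) -> list:
    """Sorted unique destination IPs worth blocking, minus public resolvers."""
    return sorted({ip for ip, _ in endpoints if ip not in PUBLIC_RESOLVERS})


if __name__ == "__main__":
    for path, tags in triage(SAMPLE_EXECS).items():
        print(f"{path}: {', '.join(tags)}")
    eps = parse_endpoints(SAMPLE_OUTGOING)
    print("ports:", port_profile(eps).most_common(3))
    print("iocs:", network_iocs(eps))
```

The path-based check deliberately does not fire on /usr/bin/free or /usr/bin/uptime, yet the report records both being "downloaded and executed": that pattern means the attacker overwrote system binaries in place, which only file-integrity verification against the package database (dpkg -V or rpm -Va) or a known-good hash set will catch. Port 1234 showing up both as the listening port and as the dominant scan and outbound port is the single strongest network pivot here; the resolver filter keeps 1.1.1.1 and 8.8.8.8 out of the block list, since blocking them would hit legitimate clients without hurting the malware.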
|