IP Address: 81.38.13.47 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP
Tags: Access Suspicious Domain, Port 8080 Scan 2, Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, SCP, Listening
Associated Attack Servers:
20.119.186.97 34.158.201.86 43.216.209.119 47.57.113.127 77.55.162.43 91.201.214.184 93.245.37.177 113.56.134.60 117.50.179.29 159.75.135.54 174.57.70.66 175.24.120.21 179.241.226.114 188.47.92.186 194.189.192.181 195.137.192.250 219.142.142.244 |
IP Address: 81.38.13.47
Domain: -
ISP: Telefonica de Espana
Country: Spain
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-03-27
Last seen in Akamai Guardicore Segmentation: 2022-03-27
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Tags: Successful SSH Login
/dev/shm/ifconfig was downloaded
Tags: Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Tags: Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times
Tags: Superuser Operation
Process /dev/shm/apache2 generated outgoing network traffic to: 1.1.1.1:443, 101.80.27.149:80, 101.80.27.149:8080, 11.95.220.103:80, 11.95.220.103:8080, 113.56.134.60:1234, 116.83.210.220:80, 116.83.210.220:8080, 117.50.179.29:1234, 125.40.65.110:80, 125.40.65.110:8080, 131.245.209.15:80, 131.245.209.15:8080, 142.250.191.228:443, 15.61.202.149:80, 15.61.202.149:8080, 154.98.242.201:80, 154.98.242.201:8080, 159.75.135.54:1234, 164.54.184.182:80, 164.54.184.182:8080, 172.67.133.228:443, 174.57.70.66:22, 175.24.120.21:1234, 179.241.226.114:80, 179.241.226.114:8080, 179.241.226.114:8090, 188.47.92.186:1234, 192.75.69.4:80, 192.75.69.4:8080, 193.198.157.226:80, 193.198.157.226:8080, 194.189.192.181:2222, 195.137.192.250:2222, 197.192.104.29:80, 197.192.104.29:8080, 199.135.180.108:80, 199.135.180.108:8080, 20.119.186.97:443, 20.119.186.97:80, 20.119.186.97:8080, 20.119.186.97:8090, 208.8.140.203:80, 208.8.140.203:8080, 219.142.142.244:1234, 223.149.58.181:80, 223.149.58.181:8080, 246.110.244.23:80, 246.110.244.23:8080, 247.51.185.69:80, 247.51.185.69:8080, 251.146.45.16:80, 251.146.45.16:8080, 31.102.33.211:80, 31.102.33.211:8080, 31.160.19.219:80, 31.160.19.219:8080, 33.153.39.140:80, 33.153.39.140:8080, 34.158.201.86:2222, 4.208.176.216:80, 4.208.176.216:8080, 43.216.209.119:22, 47.57.113.127:2222, 51.75.146.174:443, 56.202.93.70:80, 56.202.93.70:8080, 62.10.129.146:80, 62.10.129.146:8080, 62.73.152.67:80, 62.73.152.67:8080, 68.131.155.65:80, 68.131.155.65:8080, 7.253.137.152:80, 7.253.137.152:8080, 77.55.162.43:22, 8.8.8.8:443, 89.84.231.139:80, 89.84.231.139:8080, 91.201.214.184:1234, 93.124.28.217:80, 93.124.28.217:8080, 93.245.37.177:2222, 93.47.126.169:80, 93.47.126.169:8080, 95.71.101.198:80 and 95.71.101.198:8080 |
Tags: Outgoing Connection
Process /dev/shm/apache2 started listening on ports: 1234, 8085 and 8186
Tags: Listening
Process /dev/shm/apache2 attempted to access suspicious domains: 5uknmfq.cn, claro.net.br and t-ipconnect.de
Tags: Access Suspicious Domain, Outgoing Connection
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Tags: Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Tags: Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
Tags: Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
Tags: Port 80 Scan, Port 8080 Scan
Connection was closed due to timeout