Akamai Guardicore Segmentation CTI

Threat Information

Role	Attacker, Scanner
Services Targeted	SSH
Tags	Users and Groups Read Password Secrets HTTP Human Download Operation Superuser Operation 11 Shell Commands System File Modification Outgoing Connection Download File Log Tampering Successful SSH Login DNS Query SSH User Created Download and Allow Execution
Associated Attack Servers	err.freewebhostingarea.com freewebhostingarea.com gh0st.coolpage.biz 72.9.150.244 142.54.187.20

Basic Information

IP Address	81.60.144.79
Domain	-
ISP	Vodafone Spain
Country	Spain
WHOIS	Created Date	-
	Updated Date	-
	Organization	-

First seen in Akamai Guardicore Segmentation	2021-08-31
Last seen in Akamai Guardicore Segmentation	2021-09-24

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List	Successful SSH Login
History File Tampering detected from /usr/sbin/sshd on the following logs: /root/.bash_history	Log Tampering
Log File Tampering detected from /usr/sbin/sshd on the following logs: /var/log/wtmp	Log Tampering
History File Tampering detected from /usr/sbin/sshd 8 times	Log Tampering
A possibly malicious Download Operation was detected	Download Operation Superuser Operation
System file /etc/passwd- was modified 9 times	System File Modification
System file /etc/passwd+ was modified 9 times	System File Modification
User usrshare was created with the password *********** and logged in using SSH	User Created Successful SSH Login
System file /etc/shadow- was modified 9 times	System File Modification
System file /etc/shadow+ was modified 9 times	System File Modification
System file /etc/subuid+ was modified 9 times	System File Modification
System file /etc/shadow.185 was modified	System File Modification
System file /etc/passwd.185 was modified	System File Modification
System file /etc/group.185 was modified	System File Modification
System file /etc/subuid.185 was modified	System File Modification
System file /etc/subgid.185 was modified	System File Modification
A possibly malicious Superuser Operation was detected	Download Operation Superuser Operation
System file /etc/nshadow was modified 9 times	System File Modification
A user logged in using SSH with the following credentials: usrshare / *********** - Authentication policy: Correct Password	Successful SSH Login
Process /usr/bin/wget attempted to access domains: gh0st.coolpage.biz	DNS Query
Process /usr/bin/wget generated outgoing network traffic to: 142.54.187.20:80	Outgoing Connection
/tmp/opa.zip was downloaded	Download File
The file /tmp/opa/go was downloaded and granted execution privileges 2 times	Download and Allow Execution
The file /tmp/opa/screen was downloaded and granted execution privileges 2 times
The file /tmp/opa/banner was downloaded and granted execution privileges	Download and Allow Execution
The file /tmp/opa/c was downloaded and granted execution privileges	Download and Allow Execution
The file /tmp/opa/filtru was downloaded and granted execution privileges	Download and Allow Execution
The file /tmp/opa/m was downloaded and granted execution privileges	Download and Allow Execution
The file /tmp/opa/pass.lst was downloaded and granted execution privileges	Download and Allow Execution
The file /tmp/opa/r was downloaded and granted execution privileges	Download and Allow Execution
Connection was closed due to timeout

Akamai Security Intelligence Group

Guardicore CENTRA

Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

Threat Information

Basic Information

Attack Flow