IP Address: 81.68.166.127 (Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Connect-Back, Scanner
Services Targeted: SCP, SSH
Tags: Successful SSH Login, Port 22 Scan, Access Suspicious Domain, Download File, Port 80 Scan, Outgoing Connection, 2 Shell Commands, Port 8080 Scan, Superuser Operation, Listening, SSH, SCP
Associated Attack Servers (domains): 3s.pl, 61.in-addr.arpa, amazonaws.com, attdns.com, az1am5.shop, cerfnet.com, codetel.net.do, fidnet.com, gvt.net.br, koalanet.ne.jp, mchsi.com, orangero.net, ovh.ca, ovh.net, ovo.sc, poneytelecom.eu, spd-mgts.ru, stofanet.dk, surfer.at, telenet.be, telenormobil.no, veloxzone.com.br, wind.it
Associated Attack Servers (IP addresses): 1.1.1.1, 1.14.166.163, 1.15.13.216, 1.15.102.11, 2.149.75.247, 3.91.21.110, 3.236.164.187, 4.1.122.16, 5.57.102.125, 5.173.117.137, 5.188.79.92, 6.152.195.109, 6.199.92.177, 6.227.155.164, 7.115.244.137, 7.134.44.151, 9.151.125.199, 15.116.78.151, 15.230.196.152, 17.41.66.207, 17.109.12.26, 17.191.171.184, 18.1.102.146, 18.53.198.118, 18.86.62.44, 18.212.180.57, 18.234.239.64, 20.58.184.140, 20.64.226.15, 20.111.78.83
IP Address: 81.68.166.127
Domain: -
ISP: Tencent Cloud Computing (Beijing) Co.
Country: China
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-04-08
Last seen in Akamai Guardicore Segmentation: 2023-04-19
Attack timeline on the sensor (each event followed by the tags the sensor assigned to it):
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List [Successful SSH Login]
/dev/shm/ifconfig was downloaded [Download File]
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password [Successful SSH Login]
A possibly malicious Superuser Operation was detected 2 times [Superuser Operation]
Process /dev/shm/ifconfig scanned port 22 on 10 IP Addresses [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 80 on 10 IP Addresses [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 8080 on 10 IP Addresses [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 22 on 32 IP Addresses [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 22 on 32 IP Addresses [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 103.162.80.102:2222, 104.21.25.86:443, 104.248.34.146:1234, 106.45.99.247:80, 106.45.99.247:8080, 117.18.146.154:22, 117.216.238.200:80, 117.216.238.200:8080, 120.64.61.122:22, 120.66.204.25:22, 133.131.61.130:22, 138.50.102.198:80, 138.50.102.198:8080, 140.174.10.50:2222, 140.234.229.200:80, 140.234.229.200:8080, 144.195.134.64:80, 144.195.134.64:8080, 145.105.108.164:80, 145.105.108.164:8080, 149.18.217.111:80, 149.18.217.111:8080, 15.111.3.60:80, 15.111.3.60:8080, 152.11.169.11:80, 152.11.169.11:8080, 154.96.245.61:22, 16.186.217.193:22, 172.67.133.228:443, 173.82.48.12:1234, 18.53.198.118:2222, 18.78.21.175:80, 18.78.21.175:8080, 180.109.164.131:1234, 182.222.204.79:80, 182.222.204.79:8080, 191.20.189.158:2222, 197.204.123.100:80, 197.204.123.100:8080, 2.175.212.149:80, 2.175.212.149:8080, 2.3.157.30:80, 2.3.157.30:8080, 207.32.35.190:80, 207.32.35.190:8080, 209.148.101.25:2222, 21.24.253.30:80, 21.24.253.30:8080, 21.26.199.202:80, 21.26.199.202:8080, 22.122.170.203:22, 23.83.38.43:80, 23.83.38.43:8080, 245.89.60.47:80, 245.89.60.47:8080, 253.81.168.27:80, 253.81.168.27:8080, 3.91.21.110:1234, 35.170.191.119:1234, 35.208.216.209:80, 35.208.216.209:8080, 39.37.46.162:80, 39.37.46.162:8080, 43.242.247.139:1234, 57.172.184.198:80, 57.172.184.198:8080, 59.97.207.17:80, 59.97.207.17:8080, 62.217.218.168:2222, 68.8.112.188:80, 68.8.112.188:8080, 72.30.177.105:80, 72.30.177.105:8080, 79.41.33.36:80, 79.41.33.36:8080, 8.52.205.222:80, 8.52.205.222:8080, 81.68.166.127:1234, 85.154.9.100:80, 85.154.9.100:8080, 89.204.118.40:80, 89.204.118.40:8080, 90.9.31.218:22, 96.37.113.29:22, 97.187.180.116:80, 97.187.180.116:8080, 97.72.214.156:80 and 97.72.214.156:8080 [Outgoing Connection]
Process /dev/shm/ifconfig started listening on ports: 1234, 8085 and 8182 [Listening]
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/ifconfig attempted to access suspicious domains: orangero.net, vivozap.com.br and yhsrv.com [Access Suspicious Domain, Outgoing Connection]
Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Connection was closed due to timeout

Reading the outgoing-traffic list against the rest of the timeline: the :22, :80 and :8080 destinations match the three ports the process scanned, while the :1234 and :2222 destinations correspond to no scan and include the attacker's own address, 81.68.166.127:1234, on a port the process also bound locally. That is consistent with the Connect-Back role assigned above and is the traffic to block or alert on first.
|
Files captured from the sensor (path, SHA256, size):
/var/tmp/ifconfig: SHA256 64cdfd97a3e22fde4245d682910b8c7b130ce93adda909f9cdd90f8c68d92fc1, 2862704 bytes
/var/tmp/php-fpm: SHA256 d9ee6cbbc40b3b337e3af157b14a1e7ac276c9f27c2efcd8daa21ded4bd810b6, 2875940 bytes

Note that the hashed artifact is at /var/tmp/ifconfig while the timeline records the download and all process activity under /dev/shm/ifconfig; the report does not state whether the two are the same binary, so treat both paths and both hashes as indicators. Both files carry the names of legitimate system binaries but live in world-writable temporary directories, which is itself worth a host check.
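The timeline and file list above are free text. As an added example (not Guardicore's code, and not something the report itself provides), the script below parses the report's own event lines into block-list indicators and applies a connect-back heuristic of its own: any remote host the process dials on a port it also listens on is recorded as a peer, and the ports on which it contacts the attacker's address are listed separately. The event strings are copied from this report, with the long outgoing-traffic line cut to a few of its endpoints; the regular expressions, the heuristic and all function names are assumptions of this example.

```python
# Added example (not Guardicore's code): reduce this report's free-text event
# timeline and file list to block-list indicators. Event strings below are
# copied from the report (the outgoing-traffic line is cut to a few endpoints);
# the regexes and the connect-back heuristic are this example's own assumptions.
import re

ATTACKER_IP = "81.68.166.127"

# Sample input constructed from the report's event lines.
EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List",
    "/dev/shm/ifconfig was downloaded",
    "A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password",
    "A possibly malicious Superuser Operation was detected 2 times",
    "Process /dev/shm/ifconfig scanned port 22 on 10 IP Addresses",
    "Process /dev/shm/ifconfig scanned port 80 on 10 IP Addresses",
    "Process /dev/shm/ifconfig scanned port 8080 on 10 IP Addresses",
    "Process /dev/shm/ifconfig scanned port 22 on 32 IP Addresses",
    "Process /dev/shm/ifconfig generated outgoing network traffic to: 1.1.1.1:443, "
    "104.248.34.146:1234, 117.18.146.154:22, 173.82.48.12:1234, 18.53.198.118:2222, "
    "3.91.21.110:1234, 81.68.166.127:1234 and 97.72.214.156:8080",
    "Process /dev/shm/ifconfig started listening on ports: 1234, 8085 and 8182",
    "Process /dev/shm/ifconfig scanned port 80 on 32 IP Addresses",
    "Process /dev/shm/ifconfig attempted to access suspicious domains: orangero.net, vivozap.com.br and yhsrv.com",
    "Process /dev/shm/ifconfig scanned port 8080 on 32 IP Addresses",
]

# Dropped binaries and their SHA256 sums as listed in the report.
FILES = {
    "/var/tmp/ifconfig": "64cdfd97a3e22fde4245d682910b8c7b130ce93adda909f9cdd90f8c68d92fc1",
    "/var/tmp/php-fpm": "d9ee6cbbc40b3b337e3af157b14a1e7ac276c9f27c2efcd8daa21ded4bd810b6",
}

SCAN_RE = re.compile(r"^Process \S+ scanned port (\d+) on (\d+) IP Addresses$")
OUT_RE = re.compile(r"^Process \S+ generated outgoing network traffic to: (.+)$")
LISTEN_RE = re.compile(r"^Process \S+ started listening on ports: (.+)$")
DOMAIN_RE = re.compile(r"^Process \S+ attempted to access suspicious domains: (.+)$")
DOWNLOAD_RE = re.compile(r"^(\S+) was downloaded$")

def _items(text):
    """Split the report's 'a, b and c' enumerations into a list."""
    return [t.strip() for t in re.split(r",\s*|\s+and\s+", text) if t.strip()]

def parse_events(events):
    """Reduce the timeline to structured observations; unmatched lines are ignored."""
    obs = {"ssh_logins": 0, "downloaded": [], "scans": [],
           "outbound": [], "listening": [], "domains": []}
    for line in events:
        if "logged in using SSH" in line:
            obs["ssh_logins"] += 1
        elif m := DOWNLOAD_RE.match(line):
            obs["downloaded"].append(m.group(1))
        elif m := SCAN_RE.match(line):
            obs["scans"].append((int(m.group(1)), int(m.group(2))))
        elif m := OUT_RE.match(line):
            for endpoint in _items(m.group(1)):
                ip, port = endpoint.rsplit(":", 1)
                obs["outbound"].append((ip, int(port)))
        elif m := LISTEN_RE.match(line):
            obs["listening"].extend(int(p) for p in _items(m.group(1)))
        elif m := DOMAIN_RE.match(line):
            obs["domains"].extend(_items(m.group(1)))
    return obs

def scan_totals(obs):
    """Sum per-event target counts by port (events may re-count the same hosts)."""
    totals = {}
    for port, n in obs["scans"]:
        totals[port] = totals.get(port, 0) + n
    return totals

def connect_back_peers(obs):
    """Heuristic: remote hosts the process dials on a port it also listens on."""
    listening = set(obs["listening"])
    peers = {}
    for ip, port in obs["outbound"]:
        if port in listening:
            peers.setdefault(port, set()).add(ip)
    return {port: sorted(ips) for port, ips in peers.items()}

def indicators(events, files, attacker_ip):
    """Consolidated indicators: hashes, paths, bound ports, peer IPs, domains."""
    obs = parse_events(events)
    peers = connect_back_peers(obs)
    return {
        "sha256": sorted(files.values()),
        "dropped_paths": sorted(set(files) | set(obs["downloaded"])),
        "listening_ports": sorted(set(obs["listening"])),
        "attacker_ports": sorted({p for ip, p in obs["outbound"] if ip == attacker_ip}),
        "peer_ips": sorted({ip for ips in peers.values() for ip in ips} - {attacker_ip}),
        "domains": sorted(obs["domains"]),
        "scan_totals": scan_totals(obs),
    }

if __name__ == "__main__":
    import json
    print(json.dumps(indicators(EVENTS, FILES, ATTACKER_IP), indent=2))
```

Running the script prints the consolidated indicator set as JSON. On the sample input the peer heuristic singles out the four hosts contacted on port 1234, one of which is the attacker itself, and leaves the :22/:80/:8080 scan targets out, since the process never listened on those ports. The scan totals are sums over events, not unique hosts, because the report only gives per-event counts.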