IP Address: 82.66.5.84 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensor network.
Role: Attacker, Connect-Back, Scanner
Services Targeted: SCP, SSH
Tags: Port 2222 Scan, Access Suspicious Domain, Port 8080 Scan, 2 Shell Commands, Download File, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Download and Execute, SCP, Outgoing Connection, Listening, Download and Allow Execution
Associated Attack Servers: 3.91.21.110, 34.143.107.72, 47.96.53.184, 52.75.32.165, 59.9.153.67, 63.44.13.106, 77.71.114.47, 77.167.19.98, 81.70.246.178, 90.189.213.136, 91.201.214.184, 92.212.30.70, 94.153.165.43, 95.71.205.141, 101.33.249.92, 106.191.70.151, 110.119.41.143, 112.140.239.227, 114.203.209.75, 120.224.34.31, 122.24.236.156, 144.230.225.29, 147.46.114.218, 151.91.165.104, 152.136.145.180, 156.189.65.141, 160.153.178.49, 162.14.68.185, 168.121.227.39
IP Address: 82.66.5.84
Domain: -
ISP: Free SAS
Country: France
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-02-25
Last seen in Akamai Guardicore Segmentation: 2022-10-11
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
Download File: ./ifconfig was downloaded
Successful SSH Login: A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
Superuser Operation: A possibly malicious Superuser Operation was detected 2 times
Download and Execute: The file /root/ifconfig was downloaded and executed 5 times
Download and Execute: The file /root/apache2 was downloaded and executed 136 times
Outgoing Connection: Process /root/ifconfig generated outgoing network traffic to: 104.165.169.212:80, 104.165.169.212:8080, 104.21.25.86:443, 110.119.41.143:22, 112.140.239.227:22, 112.41.241.219:80, 112.41.241.219:8080, 114.203.209.75:1234, 115.73.128.27:80, 115.73.128.27:8080, 120.224.34.31:1234, 121.198.137.162:80, 121.198.137.162:8080, 139.96.120.113:80, 139.96.120.113:8080, 15.242.70.10:80, 15.242.70.10:8080, 154.111.85.223:80, 154.111.85.223:8080, 154.199.111.149:80, 154.199.111.149:8080, 154.7.240.45:80, 154.7.240.45:8080, 160.153.178.49:22, 172.67.133.228:443, 174.186.124.202:80, 174.186.124.202:8080, 177.204.45.92:80, 177.204.45.92:8080, 180.163.28.139:80, 180.163.28.139:8080, 185.23.226.96:80, 185.23.226.96:8080, 19.202.226.251:80, 19.202.226.251:8080, 190.14.48.123:1234, 193.21.96.62:2222, 194.7.191.241:2222, 195.147.29.82:80, 195.147.29.82:8080, 203.23.187.56:2222, 206.31.103.44:80, 206.31.103.44:8080, 21.32.225.213:80, 21.32.225.213:8080, 212.58.187.220:80, 212.58.187.220:8080, 213.255.16.156:1234, 219.199.148.147:80, 219.199.148.147:8080, 219.37.72.216:22, 219.64.237.179:2222, 242.116.70.242:2222, 242.123.236.84:80, 242.123.236.84:8080, 245.83.95.222:2222, 250.136.180.139:2222, 26.90.235.227:80, 26.90.235.227:8080, 28.17.96.101:2222, 31.205.92.38:80, 31.205.92.38:8080, 50.190.19.74:2222, 51.75.146.174:443, 56.234.250.180:80, 56.234.250.180:8080, 58.127.184.31:80, 58.127.184.31:8080, 60.108.80.252:80, 60.108.80.252:8080, 73.91.204.85:80, 73.91.204.85:8080, 76.230.93.192:80, 76.230.93.192:8080, 77.71.114.47:1234, 81.70.246.178:1234, 83.85.183.25:80, 83.85.183.25:8080, 83.88.65.96:80, 83.88.65.96:8080, 84.195.134.208:2222, 92.212.30.70:22, 93.160.13.10:80, 93.160.13.10:8080, 94.153.165.43:1234, 94.61.160.169:80, 94.61.160.169:8080, 95.249.43.117:80 and 95.249.43.117:8080
Listening: Process /root/ifconfig started listening on ports: 1234, 8082 and 8186
Access Suspicious Domain, Outgoing Connection: Process /root/ifconfig attempted to access suspicious domains: bbtec.net, iia.cl, infinito.it, kyivstar.net and vodafone-ip.de
Port 2222 Scan, Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 80 on 32 IP Addresses 2 times
Port 2222 Scan, Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 80 on 10 IP Addresses
Port 2222 Scan, Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 8080 on 32 IP Addresses 2 times
Port 2222 Scan, Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 2222 on 32 IP Addresses 2 times
Port 2222 Scan, Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 8080 on 10 IP Addresses
Port 2222 Scan, Port 80 Scan, Port 8080 Scan: Process /root/ifconfig scanned port 2222 on 10 IP Addresses
Download and Execute: The file /root/php-fpm was downloaded and executed 7 times
Connection was closed due to timeout
|