IP Address: 84.156.17.245Previously Malicious
IP Address: 84.156.17.245Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SCP SSH |
Tags |
Successful SSH Login Port 8080 Scan 7 Shell Commands Outgoing Connection Listening SSH SCP Download and Allow Execution Download and Execute Superuser Operation Port 80 Scan Download File Port 1234 Scan |
Associated Attack Servers |
IP Address |
84.156.17.245 |
|
Domain |
- |
|
ISP |
Deutsche Telekom AG |
|
Country |
Germany |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-06-25 |
Last seen in Akamai Guardicore Segmentation |
2022-08-02 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
Process /bin/nc.openbsd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /root/ifconfig scanned port 1234 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/ifconfig scanned port 80 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/ifconfig scanned port 8080 on 26 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/ifconfig scanned port 1234 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/ifconfig scanned port 1234 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /usr/sbin/sshd scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
Process /bin/bash scanned port 1234 on 26 IP Addresses |
Port 1234 Scan |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 5 times |
Successful SSH Login |
/dev/shm/ifconfig was downloaded |
Download File |
/tmp/ifconfig was downloaded |
Download File |
./ifconfig was downloaded |
Download File |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 142 times |
Download and Execute |
Process /root/ifconfig generated outgoing network traffic to: 1.220.98.197:1234, 104.21.25.86:443, 111.165.196.170:80, 111.165.196.170:8080, 117.54.14.169:1234, 117.80.212.33:1234, 120.236.78.194:1234, 120.236.79.182:1234, 134.205.104.94:80, 134.205.104.94:8080, 147.182.233.56:1234, 150.107.95.20:1234, 152.23.23.27:80, 153.215.253.48:80, 153.215.253.48:8080, 154.60.104.223:80, 154.60.104.223:8080, 156.61.249.125:80, 156.61.249.125:8080, 158.154.251.24:80, 158.154.251.24:8080, 161.107.113.27:1234, 161.35.79.199:1234, 161.70.98.32:1234, 165.81.166.107:80, 165.81.166.107:8080, 169.184.98.17:80, 169.184.98.17:8080, 172.67.133.228:443, 173.13.211.185:80, 173.13.211.185:8080, 173.234.21.198:80, 173.234.21.198:8080, 175.246.113.218:80, 175.246.113.218:8080, 181.130.5.80:80, 181.130.5.80:8080, 190.60.239.44:1234, 191.242.182.210:1234, 192.192.86.86:80, 192.192.86.86:8080, 2.12.246.51:80, 2.12.246.51:8080, 20.141.185.205:1234, 202.61.203.229:1234, 209.216.177.158:1234, 209.216.177.238:1234, 214.26.160.158:80, 214.26.160.158:8080, 219.214.157.17:80, 219.214.157.17:8080, 220.106.147.52:80, 220.106.147.52:8080, 220.243.148.80:1234, 222.103.98.58:1234, 250.239.102.200:80, 250.239.102.200:8080, 252.3.212.87:80, 28.130.42.228:80, 36.8.69.189:80, 36.8.69.189:8080, 38.234.216.231:80, 38.234.216.231:8080, 40.53.181.214:80, 40.53.181.214:8080, 43.242.247.139:1234, 49.233.159.222:1234, 51.75.146.174:443, 52.179.137.111:80, 52.179.137.111:8080, 61.84.162.66:1234, 62.167.65.117:80, 62.167.65.117:8080, 63.171.87.204:80, 63.171.87.204:8080, 78.222.89.142:80, 78.222.89.142:8080, 78.238.1.137:80, 8.31.236.247:80, 8.31.236.247:8080, 82.149.112.170:1234, 86.133.233.66:1234, 88.204.95.2:80, 88.204.95.2:8080, 94.153.165.43:1234, 99.237.156.245:80 and 99.237.156.245:8080 |
Outgoing Connection |
Process /root/ifconfig started listening on ports: 1234, 8084 and 8185 |
Listening |
Process /root/ifconfig scanned port 80 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/ifconfig scanned port 8080 on 32 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/ifconfig scanned port 80 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Process /root/ifconfig scanned port 8080 on 28 IP Addresses |
Port 1234 Scan Port 80 Scan Port 8080 Scan |
Connection was closed due to timeout |
|
/var/tmp/ifconfig |
SHA256: 0714ec5521ae6a3a058ad379f0e65f8d512eda05239e9e72223a79b456e4362f |
1933312 bytes |
/var/tmp/ifconfig |
SHA256: 2fd96aa6470f930f543ef665fcc62ffa4dfe6646b8f506c11b452a191800285b |
2392064 bytes |
/var/tmp/ifconfig |
SHA256: 376f8f665f43984bf5aa16524421600b638fc1a7b331e8ac78b60a387fcf8dbb |
2621440 bytes |
/var/tmp/ifconfig |
SHA256: 60cc0b454c5174dc5ec389859f0890a7ac0733c005f894083585a4274b71de5b |
2719744 bytes |
/var/tmp/ifconfig |
SHA256: 8e7cf70465391f66bc440eba9c30c73995725eaa95fe9f8ba9da6ecbe060c085 |
2424832 bytes |
/var/tmp/ifconfig |
SHA256: 915f410de5799b81704f3695d8aa38d5da78b01b60cea17d3e0c3f162f9b0e9b |
1802240 bytes |
/var/tmp/ifconfig |
SHA256: 9516639b92dfb73072de6c5220e3ee130547680b8870c9288eccd928de847e35 |
2883584 bytes |
/root/ifconfig |
SHA256: 9f26c9e5240ac92baa25aadfd4f23dcb35723982204e00da5cbfb5cb88bf56af |
1867776 bytes |