IP Address: 88.249.29.57Previously Malicious
IP Address: 88.249.29.57Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
|
Role |
Attacker, Scanner |
|
Services Targeted |
SCP |
|
Tags |
Download File SSH Superuser Operation Successful SSH Login Download and Execute SCP Download and Allow Execution |
|
Associated Attack Servers |
12.228.90.41 16.14.245.82 20.192.77.247 24.224.3.160 30.102.62.78 30.223.245.161 37.103.149.153 45.32.89.249 46.247.148.158 58.221.116.178 62.12.106.6 99.80.176.34 124.222.158.101 134.122.131.92 145.82.221.143 145.171.58.180 159.89.155.149 171.141.241.220 199.52.175.63 210.101.83.129 220.118.58.233 241.89.105.225 |
|
IP Address |
88.249.29.57 |
|
|
Domain |
- |
|
|
ISP |
Turk Telekom |
|
|
Country |
Turkey |
|
|
WHOIS |
Created Date |
- |
|
Updated Date |
- |
|
|
Organization |
- |
|
|
First seen in Akamai Guardicore Segmentation |
2022-04-20 |
|
Last seen in Akamai Guardicore Segmentation |
2022-05-15 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
|
./ifconfig was downloaded |
Download File |
|
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password |
Successful SSH Login |
|
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
|
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
|
The file /root/apache2 was downloaded and executed 204 times |
Download and Execute |
|
Process /root/ifconfig generated outgoing network traffic to: 104.21.25.86:443, 105.34.154.73:80, 105.34.154.73:8080, 106.178.204.70:22, 107.200.136.28:80, 107.200.136.28:8080, 109.231.77.204:80, 109.231.77.204:8080, 11.176.160.249:80, 11.176.160.249:8080, 112.192.170.124:80, 112.192.170.124:8080, 113.243.101.253:80, 113.243.101.253:8080, 114.150.193.227:80, 114.150.193.227:8080, 116.98.159.165:80, 116.98.159.165:8080, 117.219.196.90:2222, 119.91.157.192:1234, 124.222.158.101:1234, 125.244.60.201:2222, 129.211.134.161:80, 129.211.134.161:8080, 13.75.169.32:80, 13.75.169.32:8080, 131.169.198.66:80, 131.169.198.66:8080, 137.214.245.12:80, 137.214.245.12:8080, 145.236.22.79:80, 145.236.22.79:8080, 145.34.157.137:2222, 147.187.157.183:2222, 149.183.217.5:2222, 149.238.205.77:80, 149.238.205.77:8080, 15.75.246.62:80, 15.75.246.62:8080, 152.73.202.217:22, 161.107.113.27:1234, 166.79.37.212:22, 167.37.185.158:80, 167.37.185.158:8080, 172.67.133.228:443, 18.99.163.4:80, 18.99.163.4:8080, 187.151.44.151:80, 187.151.44.151:8080, 189.216.183.235:80, 189.216.183.235:8080, 195.213.225.115:2222, 201.82.92.240:2222, 209.126.84.239:1234, 210.155.42.160:80, 210.155.42.160:8080, 218.37.123.185:80, 218.37.123.185:8080, 22.26.146.61:80, 22.26.146.61:8080, 222.197.13.158:80, 222.197.13.158:8080, 23.222.37.83:2222, 244.61.67.60:80, 244.61.67.60:8080, 246.18.252.113:80, 246.18.252.113:8080, 251.181.51.61:80, 251.181.51.61:8080, 32.233.123.6:80, 32.233.123.6:8080, 33.120.237.167:2222, 37.253.71.65:80, 37.253.71.65:8080, 44.191.121.13:2222, 45.32.89.249:1234, 49.184.15.49:80, 49.184.15.49:8080, 51.75.146.174:443, 58.221.116.178:1234, 61.124.174.63:80, 61.124.174.63:8080, 79.104.18.183:80, 79.104.18.183:8080, 89.121.228.38:1234, 9.16.135.25:80, 9.16.135.25:8080, 95.198.145.60:2222 and 97.25.250.152:22 |
Outgoing Connection |
|
Process /root/ifconfig started listening on ports: 1234, 8084 and 8181 |
Listening |
|
Process /root/ifconfig scanned port 80 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
|
Process /root/ifconfig scanned port 8080 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
|
Process /root/ifconfig scanned port 2222 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
|
Process /root/ifconfig scanned port 80 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
|
Process /root/ifconfig scanned port 80 on 11 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
|
Process /root/ifconfig attempted to access suspicious domains: myvzw.com and vultrusercontent.com |
Access Suspicious Domain Outgoing Connection |
|
Process /root/ifconfig scanned port 8080 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
|
Process /root/ifconfig scanned port 2222 on 32 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
|
Process /root/ifconfig scanned port 8080 on 11 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
|
Process /root/ifconfig scanned port 2222 on 11 IP Addresses |
Port 2222 Scan Port 80 Scan Port 8080 Scan |
|
The file /root/php-fpm was downloaded and executed 46 times |
Download and Execute |
|
The file /root/php-fpm was downloaded and executed 9 times |
Download and Execute |
|
Connection was closed due to timeout |
|
© 2023 Akamai Technologies