IP Address: 89.121.228.38Previously Malicious
IP Address: 89.121.228.38Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Connect-Back, Scanner |
Services Targeted |
SCP SSH |
Tags |
SSH SCP Superuser Operation Download and Allow Execution Successful SSH Login Download and Execute Download File |
Associated Attack Servers |
1blu.de airadvantage.net airtel.in az1am5.shop bresnan.net cloudhost.asia cultimording.org.uk easynet.net gvt.net.br health.mil herza.id iforte.net.id iia.cl infonet.ee ip-54-38-175.eu kj4l3yh8.cn krypt.com lestetelecom.com.br nttpc.ne.jp numericable.fr online.tj.cn ovo.sc spcsdns.net swisscom.ch t-com.ne.jp tele2.se telenet.be timbrasil.com.br veloxzone.com.br yokote-oroshi.jp 1.14.166.163 1.187.49.69 1.192.248.199 3.43.214.180 3.127.112.219 3.218.9.193 3.232.185.20 4.94.151.252 4.241.252.51 5.39.68.242 5.188.79.92 6.61.239.142 6.169.26.150 7.21.7.245 7.146.113.248 8.121.150.176 8.194.200.203 10.33.0.9 11.39.10.169 12.58.112.210 13.66.15.9 13.89.137.216 15.116.78.151 15.165.217.130 15.239.175.209 16.26.146.11 18.91.59.103 18.163.190.48 20.58.184.140 20.213.117.82 |
IP Address |
89.121.228.38 |
|
Domain |
- |
|
ISP |
Telekom Romania |
|
Country |
Romania |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-03-26 |
Last seen in Akamai Guardicore Segmentation |
2022-10-31 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 16 times |
Superuser Operation |
The file /var/tmp/ifconfig was downloaded and executed 7 times |
Download and Execute |
The file /var/tmp/apache2 was downloaded and executed 149 times |
Download and Execute |
Process /var/tmp/apache2 scanned port 1234 on 44 IP Addresses |
Port 1234 Scan |
Process /usr/sbin/sshd scanned port 1234 on 44 IP Addresses |
Port 1234 Scan |
Process /tmp/apache2 scanned port 1234 on 44 IP Addresses |
Port 1234 Scan |
Process /root/ifconfig scanned port 1234 on 44 IP Addresses |
Port 1234 Scan |
Process /etc/ifconfig scanned port 1234 on 44 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /etc/ifconfig scanned port 1234 on 20 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /etc/ifconfig scanned port 80 on 44 IP Addresses |
Port 1234 Scan Port 80 Scan |
Process /bin/nc.openbsd scanned port 1234 on 44 IP Addresses |
Port 1234 Scan |
Process /var/tmp/apache2 scanned port 1234 on 44 IP Addresses |
Port 1234 Scan |
Process /root/apache2 scanned port 1234 on 44 IP Addresses |
Port 1234 Scan |
Process /etc/apache2 scanned port 1234 on 44 IP Addresses |
Port 1234 Scan |
Process /var/tmp/apache2 generated outgoing network traffic to: 117.80.212.33:1234, 120.236.79.182:1234, 161.107.113.27:1234, 172.64.200.11:443, 172.64.201.11:443, 184.83.112.246:1234, 209.216.177.158:1234, 222.134.240.91:1234, 222.134.240.92:1234, 223.171.91.149:1234, 223.171.91.191:1234, 51.159.19.47:1234, 51.75.146.174:443, 62.12.106.5:1234, 64.227.132.175:1234, 80.147.162.151:1234, 82.149.112.170:1234, 84.204.148.99:1234, 86.133.233.66:1234 and 94.153.165.43:1234 |
Outgoing Connection |
Process /var/tmp/apache2 started listening on ports: 1234, 8088 and 8188 |
Listening |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /tmp/apache2 was downloaded and executed 19 times |
Download and Execute |
Process /tmp/apache2 generated outgoing network traffic to: 172.64.201.11:443 |
Outgoing Connection |
./ifconfig was downloaded |
Download File |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /root/apache2 was downloaded and executed 35 times |
Download and Execute |
Process /root/ifconfig generated outgoing network traffic to: 172.64.200.11:443 |
Outgoing Connection |
The file /etc/ifconfig was downloaded and executed 6 times |
Download and Execute |
The file /etc/apache2 was downloaded and executed 301 times |
Download and Execute |
Process /etc/ifconfig generated outgoing network traffic to: 101.23.3.89:80, 103.105.12.48:1234, 111.53.11.130:1234, 115.39.129.173:80, 116.222.72.102:80, 117.54.14.169:1234, 120.224.34.31:1234, 120.236.78.194:1234, 123.132.238.210:1234, 125.174.74.240:80, 136.129.90.198:80, 136.179.192.141:80, 137.74.51.78:80, 142.250.191.228:443, 147.182.233.56:1234, 150.140.84.231:80, 150.183.87.38:80, 151.174.64.65:80, 152.70.80.162:80, 156.96.8.246:80, 16.196.134.215:80, 161.107.113.34:1234, 161.35.79.199:1234, 172.64.200.11:443, 172.64.201.11:443, 173.18.35.41:1234, 180.131.78.10:80, 184.83.112.246:1234, 190.138.240.233:1234, 190.60.239.44:1234, 191.242.182.210:1234, 196.59.94.133:80, 210.150.192.175:80, 211.162.184.120:1234, 211.233.32.110:80, 212.57.36.20:1234, 218.146.15.97:1234, 222.100.124.62:1234, 222.103.98.58:1234, 222.134.240.91:1234, 223.171.91.160:1234, 223.171.91.191:1234, 29.92.18.58:80, 39.237.163.93:80, 43.191.50.246:80, 46.13.164.29:1234, 49.233.159.222:1234, 51.75.146.174:443, 58.229.125.66:1234, 64.227.132.175:1234, 82.66.5.84:1234, 84.204.148.99:1234, 89.212.123.191:1234 and 95.154.21.210:1234 |
Outgoing Connection |
Process /etc/ifconfig started listening on ports: 1234, 8086 and 8182 |
Listening |
The file /var/tmp/ifconfig was downloaded and executed 4 times |
Download and Execute |
The file /var/tmp/apache2 was downloaded and executed 2 times |
Download and Execute |
Process /var/tmp/apache2 generated outgoing network traffic to: 172.64.201.11:443 |
Outgoing Connection |
The file /root/ifconfig was downloaded and executed 5 times |
Download and Execute |
Process /root/apache2 generated outgoing network traffic to: 172.64.200.11:443 |
Outgoing Connection |
The file /etc/ifconfig was downloaded and executed 5 times |
Download and Execute |
The file /etc/apache2 was downloaded and executed 745 times |
Download and Execute |
Process /etc/ifconfig scanned port 80 on 20 IP Addresses |
Port 1234 Scan Port 80 Scan |
Connection was closed due to user inactivity |
|
/var/tmp/ifconfig |
SHA256: 2fd96aa6470f930f543ef665fcc62ffa4dfe6646b8f506c11b452a191800285b |
2392064 bytes |
/var/tmp/ifconfig |
SHA256: 3b9707d2b3c510499a866fe655f57f05eba1eb55566b03979602e5b9d6616a05 |
655360 bytes |
/var/tmp/ifconfig |
SHA256: 8e7cf70465391f66bc440eba9c30c73995725eaa95fe9f8ba9da6ecbe060c085 |
2424832 bytes |
/var/tmp/ifconfig |
SHA256: 93b5387c1ad89b1bba7a1c7ad722d5406dd174e58cd0a1de5a0684e02a83fd33 |
1474560 bytes |