IP Address: 89.166.129.13 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP, SSH
Tags | Port 2222 Scan, Port 8080 Scan, 3 Shell Commands, SSH, Superuser Operation, Port 80 Scan, Successful SSH Login, Outgoing Connection, Access Suspicious Domain, Listening
Associated Attack Servers | 1.116.42.111 1.169.243.14 13.124.116.69 41.228.22.107 45.153.186.205 47.40.17.213 52.15.224.229 59.20.195.200 64.29.188.196 69.13.191.21 71.85.144.193 72.245.191.12 75.9.208.121 82.173.4.191 86.107.187.239 95.1.169.70 123.180.150.170 124.221.162.244 124.222.239.192 129.194.122.60 134.221.247.220 136.103.97.217 137.3.156.241 151.84.89.90 152.32.174.108 154.240.94.224 157.121.183.34 160.106.197.79 170.233.154.244
IP Address | 89.166.129.13
Domain | -
ISP | EWE-Tel GmbH
Country | Germany
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-24
Last seen in Akamai Guardicore Segmentation | 2022-03-25
What is Akamai Guardicore Segmentation? Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets using flexible, quickly deployed and easy-to-understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Event | Tags
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List | Successful SSH Login
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password | Successful SSH Login
A possibly malicious Superuser Operation was detected 2 times | Superuser Operation
Process /dev/shm/apache2 generated outgoing network traffic to: 102.1.87.237:80, 102.1.87.237:8080, 104.21.25.86:443, 110.235.36.218:80, 110.235.36.218:8080, 123.180.150.170:1234, 124.50.208.124:2222, 126.150.238.26:80, 126.150.238.26:8080, 13.124.116.69:1234, 13.179.52.144:80, 13.179.52.144:8080, 132.46.180.167:80, 132.46.180.167:8080, 138.212.116.164:80, 138.212.116.164:8080, 139.75.239.116:2222, 14.20.5.89:80, 14.20.5.89:8080, 141.4.17.246:2222, 144.90.122.21:80, 144.90.122.21:8080, 147.12.80.71:80, 147.12.80.71:8080, 151.64.136.155:80, 151.64.136.155:8080, 154.240.94.224:22, 157.121.183.34:22, 157.39.190.172:2222, 162.92.106.218:80, 162.92.106.218:8080, 172.152.127.235:80, 172.152.127.235:8080, 172.67.133.228:443, 175.119.226.2:80, 175.119.226.2:8080, 176.217.80.209:22, 181.156.233.12:80, 181.156.233.12:8080, 183.40.217.20:80, 183.40.217.20:8080, 191.249.236.85:1234, 193.151.91.19:2222, 199.158.157.103:80, 199.158.157.103:8080, 21.181.25.127:80, 21.181.25.127:8080, 216.145.42.48:80, 216.145.42.48:8080, 216.97.244.54:2222, 218.46.20.82:80, 218.46.20.82:8080, 240.153.54.195:80, 240.153.54.195:8080, 246.142.169.164:80, 246.142.169.164:8080, 246.148.36.178:2222, 27.54.170.52:1234, 30.192.6.126:80, 30.192.6.126:8080, 32.250.217.35:2222, 37.237.233.219:80, 37.237.233.219:8080, 38.179.66.118:80, 38.179.66.118:8080, 38.230.137.187:80, 38.230.137.187:8080, 38.237.1.122:80, 38.237.1.122:8080, 45.153.186.205:1234, 48.10.129.223:80, 48.10.129.223:8080, 51.75.146.174:443, 54.142.213.59:80, 54.142.213.59:8080, 65.169.86.121:80, 65.169.86.121:8080, 7.183.45.123:80, 7.183.45.123:8080, 72.108.141.186:80, 72.108.141.186:8080, 74.197.154.194:2222, 75.9.208.121:22, 81.14.177.245:80, 81.14.177.245:8080, 82.173.4.191:1234, 86.107.187.239:1234, 95.1.169.70:22 and 99.74.134.169:2222 | Outgoing Connection
Process /dev/shm/apache2 started listening on ports: 1234, 8085 and 8181 | Listening
Process /dev/shm/apache2 attempted to access suspicious domains: gvt.net.br, hosted-by-mvps.net, trined.nl and versatel.nl | Access Suspicious Domain, Outgoing Connection
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 80 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 2222 on 32 IP Addresses 2 times | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 8080 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Process /dev/shm/apache2 scanned port 2222 on 10 IP Addresses | Port 2222 Scan, Port 80 Scan, Port 8080 Scan
Connection was closed due to timeout |
|