IP Address: 89.205.92.131 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SSH
Tags: User Created, Access Suspicious Domain, SSH, Read Password Secrets, Log Tampering, DNS Query, Successful SSH Login, Download Operation, Scheduled Task Creation, 31 Shell Commands, System File Modification, Human, Outgoing Connection, Users and Groups, Superuser Operation
Associated Attack Servers: atw.hu, boymkd.do.am, bucharest.ro.eu.undernet.org, pipera.ro.eu.undernet.org, speakz.org, tampa.fl.us.undernet.org, uptime.energymech.net, 60.190.132.243, 82.76.255.62, 94.125.182.255, 185.198.56.60, 186.233.185.155, 213.174.157.140, 213.174.157.150
IP Address: 89.205.92.131
Domain: -
ISP: Telekabel
Country: North Macedonia
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2020-06-28
Last seen in Akamai Guardicore Segmentation: 2020-06-28
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Attack Flow
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List (Tags: Successful SSH Login)
A possibly malicious Superuser Operation was detected (Tags: Download Operation, Superuser Operation)
A possibly malicious Download Operation was detected 3 times (Tags: Download Operation, Superuser Operation)
Process /usr/bin/wget attempted to access suspicious domains: alavojda.do.am (Tags: DNS Query, Access Suspicious Domain, Outgoing Connection)
Process /usr/bin/wget generated outgoing network traffic to: 213.174.157.140:443 and 213.174.157.140:80 (Tags: Outgoing Connection)
Process /usr/bin/wget attempted to access suspicious domains: boymkd.do.am (Tags: DNS Query, Access Suspicious Domain, Outgoing Connection)
Process /usr/bin/wget generated outgoing network traffic to: 213.174.157.150:443 and 213.174.157.150:80 (Tags: Outgoing Connection)
Process /dev/shm/.../.a/-bash attempted to access suspicious domains: atw.hu, bucharest.ro.eu.undernet.org, budapest.hu.eu.undernet.org, pipera.ro.eu.undernet.org, speakz.org, tampa.fl.us.undernet.org, undernet.org and uptime.energymech.net (Tags: DNS Query, Access Suspicious Domain, Outgoing Connection)
Process /dev/shm/.../.a/-bash generated outgoing network traffic to: 185.198.56.60:6667, 186.233.185.155:6667, 82.76.255.62:6667 and 94.125.182.255:6667 (Tags: Outgoing Connection)
History File Tampering detected from /bin/bash 3 times (Tags: Log Tampering)
System file /etc/group- was modified 9 times (Tags: System File Modification)
System file /etc/group was modified 9 times (Tags: System File Modification)
System file /etc/gshadow- was modified 9 times (Tags: System File Modification)
System file /etc/gshadow.254 was modified (Tags: System File Modification)
User test was created with the password ********* (Tags: User Created)
Connection was closed due to timeout
|