IP Address: 91.144.192.235 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | SCP
Tags | Download File, SSH, Superuser Operation, Successful SSH Login, Download and Execute, SCP, Download and Allow Execution
Associated Attack Servers | 2.2.29.107, 2.219.123.238, 4.3.198.152, 10.33.0.9, 18.207.114.81, 36.84.63.238, 37.25.54.162, 42.194.138.246, 42.231.63.152, 74.76.241.195, 77.134.2.153, 80.147.162.151, 90.23.240.185, 114.132.242.231, 117.50.179.61, 159.17.175.142, 167.17.3.226, 171.190.247.104, 191.134.53.216, 209.105.170.32, 252.29.93.184
IP Address | 91.144.192.235
Domain | -
ISP | Stofa
Country | Denmark
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2022-03-27
Last seen in Akamai Guardicore Segmentation | 2022-03-29
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List |
Successful SSH Login |
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 2 times |
Successful SSH Login |
A possibly malicious Superuser Operation was detected 2 times |
Superuser Operation |
The file /tmp/ifconfig was downloaded and executed 5 times |
Download and Execute |
Process /tmp/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.17.67.191:80, 1.17.67.191:8080, 101.43.152.105:1234, 106.101.40.3:80, 106.101.40.3:8080, 108.125.121.12:80, 108.125.121.12:8080, 109.79.154.75:2222, 111.147.179.137:2222, 113.250.114.143:80, 113.250.114.143:8080, 114.102.88.102:80, 114.102.88.102:8080, 128.39.243.123:80, 128.39.243.123:8080, 132.10.241.185:80, 132.10.241.185:8080, 150.158.45.127:1234, 157.241.220.192:80, 157.241.220.192:8080, 157.4.198.163:80, 157.4.198.163:8080, 170.153.81.142:80, 170.153.81.142:8080, 172.6.4.26:1234, 180.149.121.177:2222, 182.117.47.7:2222, 185.172.95.131:80, 185.172.95.131:8080, 186.128.139.158:80, 186.128.139.158:8080, 193.8.232.82:80, 193.8.232.82:8080, 196.123.25.84:80, 196.123.25.84:8080, 196.16.22.227:80, 196.16.22.227:8080, 196.212.128.223:80, 196.212.128.223:8080, 198.233.126.67:80, 198.233.126.67:8080, 199.1.52.247:80, 199.1.52.247:8080, 203.14.204.11:22, 204.2.136.222:22, 206.230.127.238:80, 206.230.127.238:8080, 206.28.28.102:22, 21.179.57.136:22, 216.206.148.32:80, 216.206.148.32:8080, 220.179.231.254:1234, 221.109.74.101:80, 221.109.74.101:8080, 222.165.136.99:1234, 242.128.227.112:80, 242.128.227.112:8080, 244.193.2.18:80, 244.193.2.18:8080, 245.81.155.199:2222, 28.27.210.112:80, 28.27.210.112:8080, 3.133.124.243:1234, 39.119.166.140:80, 39.119.166.140:8080, 40.215.21.36:80, 40.215.21.36:8080, 45.244.231.185:80, 45.244.231.185:8080, 47.165.31.50:2222, 5.161.42.72:1234, 51.75.146.174:443, 56.13.219.145:80, 56.13.219.145:8080, 67.239.208.146:80, 67.239.208.146:8080, 74.138.4.225:80, 74.138.4.225:8080, 75.100.191.159:80, 75.100.191.159:8080, 76.171.141.58:22, 78.15.30.218:22, 8.180.18.195:2222, 81.109.181.52:22, 82.66.103.252:80, 82.66.103.252:8080, 92.107.105.207:2222 and 94.242.251.137:22 |
Outgoing Connection |
Process /tmp/ifconfig started listening on ports: 1234, 8081 and 8181 |
Listening |
The file /tmp/apache2 was downloaded and executed 188 times |
Download and Execute |
Process /tmp/ifconfig scanned port 80 on 32 IP Addresses 2 times |
Port 80 Scan
Process /tmp/ifconfig scanned port 8080 on 32 IP Addresses 2 times |
Port 8080 Scan
Process /tmp/ifconfig attempted to access suspicious domains: adsl, sbcglobal.net, server.lu, ubet.com and virginm.net |
Access Suspicious Domain, Outgoing Connection
The file /usr/local/bin/dash was downloaded and executed |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 53 times |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 6 times |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 3 times |
Download and Execute |
The file /tmp/php-fpm was downloaded and executed 5 times |
Download and Execute |
Connection was closed due to timeout |
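The chain recorded above (a password login as root, droppers executed from /tmp under the names of system binaries such as ifconfig, apache2 and php-fpm, a listener opened on 1234, 8081 and 8181, and the same destination port hit on dozens of hosts) is the kind of sequence host telemetry should flag on its own, before any threat-intelligence match on the source IP. The script below is an added example, not code from the Akamai Guardicore report or product: it parses event sentences written in the report's own phrasing (the sample lines are constructed, with made-up addresses and counts) and applies four triage rules. SYSTEM_BINARY_NAMES, EXPECTED_DIRS, WRITABLE_DIRS and FANOUT_THRESHOLD are assumptions, and parse_event/analyze are hypothetical helper names.

```python
"""Triage rules for Linux process/auth events in the style of the report above.

Added example; this is not code from the Akamai Guardicore report or product.
The event sentences below are constructed to mirror the report's wording, and
SYSTEM_BINARY_NAMES, EXPECTED_DIRS and FANOUT_THRESHOLD are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample events (report phrasing; counts and addresses are made up).
SAMPLE_EVENTS = [
    "A user logged in using SSH with the following credentials: root / ****** "
    "- Authentication policy: Correct Password 2 times",
    "The file /tmp/ifconfig was downloaded and executed 5 times",
    "Process /tmp/ifconfig generated outgoing network traffic to: "
    "1.1.1.1:443, 10.0.0.5:80, 10.0.0.5:8080, 10.0.0.6:80, 10.0.0.6:8080, "
    "10.0.0.7:80, 10.0.0.7:8080, 10.0.0.8:2222 and 10.0.0.9:22",
    "Process /tmp/ifconfig started listening on ports: 1234, 8081 and 8181",
    "The file /usr/local/bin/dash was downloaded and executed",
    "Process /usr/sbin/sshd started listening on ports: 22",
    "Connection was closed due to timeout",
]

# Assumption: daemon/tool names that dropped malware commonly borrows.
SYSTEM_BINARY_NAMES = {"ifconfig", "apache2", "php-fpm", "dash", "sshd", "nginx", "cron"}
# Assumption: where the distro-managed copies of those binaries live.
EXPECTED_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")
# World-writable staging directories a dropped file should never execute from.
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumption: one destination port on this many distinct hosts looks like a scan.
FANOUT_THRESHOLD = 3

SSH_RE = re.compile(r"^A user logged in using SSH with the following credentials: "
                    r"(\S+) / \S+ - Authentication policy: (.+?)(?: (\d+) times)?$")
DL_EXEC_RE = re.compile(r"^The file (\S+) was downloaded and executed(?: (\d+) times)?$")
OUTBOUND_RE = re.compile(r"^Process (\S+) generated outgoing network traffic to: (.+)$")
LISTEN_RE = re.compile(r"^Process (\S+) started listening on ports: (.+)$")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def _split_list(text):
    """'1234, 8081 and 8181' -> ['1234', '8081', '8181']."""
    return [t.strip() for t in re.split(r",|\band\b", text) if t.strip()]


def parse_event(line):
    """Turn one report-style sentence into a dict, or None if unrecognised."""
    if m := SSH_RE.match(line):
        return {"type": "ssh_login", "user": m.group(1), "policy": m.group(2),
                "count": int(m.group(3) or 1)}
    if m := DL_EXEC_RE.match(line):
        return {"type": "download_exec", "path": m.group(1), "count": int(m.group(2) or 1)}
    if m := OUTBOUND_RE.match(line):
        endpoints = [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(m.group(2))]
        return {"type": "outbound", "process": m.group(1), "endpoints": endpoints}
    if m := LISTEN_RE.match(line):
        return {"type": "listen", "process": m.group(1),
                "ports": [int(p) for p in _split_list(m.group(2))]}
    return None


def analyze(lines):
    """Apply the triage rules to parsed events; returns one dict per finding."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["type"] == "ssh_login" and ev["user"] == "root":
            findings.append({"rule": "root-ssh-login", "subject": ev["user"],
                             "detail": f"{ev['policy']}, {ev['count']} time(s)"})
        elif ev["type"] == "download_exec":
            path, name = ev["path"], ev["path"].rsplit("/", 1)[-1]
            if path.startswith(WRITABLE_DIRS):
                findings.append({"rule": "exec-from-writable-dir", "subject": path,
                                 "detail": f"executed {ev['count']} time(s)"})
            if name in SYSTEM_BINARY_NAMES and not path.startswith(EXPECTED_DIRS):
                findings.append({"rule": "masquerading-binary", "subject": path,
                                 "detail": f"'{name}' outside {EXPECTED_DIRS}"})
        elif ev["type"] == "outbound":
            # Group destinations by port: many hosts on one port is scan/fan-out.
            hosts_by_port = defaultdict(set)
            for ip, port in ev["endpoints"]:
                hosts_by_port[port].add(ip)
            for port, hosts in sorted(hosts_by_port.items()):
                if len(hosts) >= FANOUT_THRESHOLD:
                    findings.append({"rule": "fan-out", "subject": ev["process"], "port": port,
                                     "detail": f"{len(hosts)} distinct hosts on port {port}"})
        elif ev["type"] == "listen" and ev["process"].startswith(WRITABLE_DIRS):
            findings.append({"rule": "listener-from-writable-dir", "subject": ev["process"],
                             "detail": f"listening on {ev['ports']}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f['rule']:28} {f['subject']:22} {f['detail']}")
```

Run it directly to print the findings for the constructed events. In practice the same rules sit on process-creation and socket events from auditd or an EDR rather than on report sentences; the fan-out threshold is a tuning knob (the 32 hosts per port in the report are far above it), and the /usr/local/bin/dash case shows why the masquerading rule keys on the expected directory of a binary name rather than only on /tmp.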
|