IP Address: 95.91.13.81 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SCP, SSH
Tags: Port 1234 Scan, SSH, 6 Shell Commands, Listening, SCP, Port 80 Scan, Port 8080 Scan, Superuser Operation, Download and Allow Execution, Successful SSH Login, Download and Execute, Download File, Outgoing Connection
Associated Attack Servers: 2.22.69.199, 37.35.39.171, 87.20.120.247, 95.154.21.210, 112.187.160.216, 123.132.238.210, 142.44.160.173, 172.64.110.32, 172.64.111.32, 198.211.98.82, 209.216.177.238, 222.121.63.87
IP Address: 95.91.13.81
Domain: -
ISP: Vodafone Kabel Deutschland
Country: Germany
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2022-07-23
Last seen in Akamai Guardicore Segmentation: 2022-09-27
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
  Tags: Successful SSH Login
/dev/shm/ifconfig was downloaded
  Tags: Download File
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password 5 times
  Tags: Successful SSH Login
/tmp/ifconfig was downloaded
  Tags: Download File
./ifconfig was downloaded
  Tags: Download File
A possibly malicious Superuser Operation was detected 2 times
  Tags: Superuser Operation
The file /root/ifconfig was downloaded and executed 5 times
  Tags: Download and Execute
The file /root/apache2 was downloaded and executed 115 times
  Tags: Download and Execute
Process /root/ifconfig scanned port 1234 on 26 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 80 on 26 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 8080 on 26 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 1234 on 32 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 1234 on 27 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /bin/bash scanned port 1234 on 26 IP Addresses 2 times
  Tags: Port 1234 Scan
Process /root/ifconfig generated outgoing network traffic to: 1.1.1.1:443, 1.220.98.197:1234, 103.90.177.102:1234, 108.85.34.252:80, 108.85.34.252:8080, 11.202.110.78:80, 11.202.110.78:8080, 11.98.24.250:80, 11.98.24.250:8080, 118.182.40.190:80, 118.182.40.190:8080, 120.240.112.3:80, 120.240.112.3:8080, 120.31.133.162:1234, 121.8.241.108:80, 121.8.241.108:8080, 123.132.238.210:1234, 124.115.231.214:1234, 128.189.145.17:80, 128.189.145.17:8080, 139.209.222.134:1234, 150.190.32.197:80, 150.190.32.197:8080, 150.3.145.72:80, 150.3.145.72:8080, 151.193.251.227:80, 151.193.251.227:8080, 16.243.126.33:80, 16.243.126.33:8080, 160.159.136.138:80, 160.159.136.138:8080, 160.69.242.2:80, 160.69.242.2:8080, 161.107.113.27:1234, 182.224.177.56:1234, 184.83.112.246:1234, 185.210.144.122:1234, 189.116.76.201:80, 189.116.76.201:8080, 190.138.240.233:1234, 190.138.240.233:22, 191.242.188.103:1234, 193.85.64.74:80, 193.85.64.74:8080, 198.137.1.32:80, 198.137.1.32:8080, 20.141.185.205:1234, 201.129.2.66:80, 201.129.2.66:8080, 207.111.200.174:80, 207.111.200.174:8080, 209.216.177.238:1234, 209.216.177.238:2222, 215.174.165.60:80, 215.174.165.60:8080, 222.103.98.58:1234, 222.134.240.91:1234, 223.161.194.63:80, 223.99.166.104:1234, 24.39.230.74:80, 24.39.230.74:8080, 241.9.83.236:80, 241.9.83.236:8080, 253.74.107.229:80, 253.74.107.229:8080, 31.19.237.170:1234, 35.226.244.169:80, 36.134.49.208:80, 39.175.68.100:1234, 45.120.216.114:1234, 5.83.62.231:80, 5.83.62.231:8080, 51.159.19.47:1234, 59.132.139.33:80, 59.132.139.33:8080, 59.3.186.45:1234, 61.209.195.162:80, 77.234.9.189:80, 77.234.9.189:8080, 84.204.148.99:1234, 86.200.72.252:80, 95.108.99.88:80, 95.108.99.88:8080, 95.14.82.69:80, 95.14.82.69:8080 and 95.154.21.210:1234
  Tags: Outgoing Connection
Process /root/ifconfig started listening on ports: 1234, 8082 and 8186
  Tags: Listening
Process /root/ifconfig scanned port 80 on 32 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 8080 on 32 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 80 on 27 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
Process /root/ifconfig scanned port 8080 on 27 IP Addresses
  Tags: Port 1234 Scan, Port 80 Scan, Port 8080 Scan
The file /usr/bin/free was downloaded and executed
  Tags: Download and Execute
Connection was closed due to timeout