IP Address: 96.79.124.153 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Connect-Back, Scanner
Services Targeted: SCP, SSH
Tags: Superuser Operation, Listening, Outgoing Connection, SCP, 2 Shell Commands, Port 8080 Scan, Port 80 Scan, Access Suspicious Domain, Successful SSH Login, Port 22 Scan, SSH, Download File
Associated Attack Servers: 20.226.252.120, 20.242.57.215, 23.94.56.185, 34.101.142.226, 38.52.134.41, 39.75.40.218, 46.13.164.29, 47.200.122.170, 49.233.159.222, 52.236.133.183, 57.32.89.113, 59.108.161.109, 66.228.25.104, 82.157.50.152, 83.31.49.133, 84.51.27.145, 85.13.84.201, 99.42.76.201, 101.42.90.177, 103.120.223.29, 104.243.211.88, 107.175.215.247, 115.91.2.152, 116.110.51.135, 123.240.33.23, 124.223.63.43, 125.130.183.146, 138.158.53.114, 158.112.194.18
IP Address: 96.79.124.153
Domain: -
ISP: Comcast Business
Country: United States

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2021-11-09
Last seen in Akamai Guardicore Segmentation: 2022-11-14
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Incident timeline (event, followed by its tags):

A user logged in using SSH with the following credentials: root / ****** - Authentication policy: White List
  [Successful SSH Login]
/dev/shm/ifconfig was downloaded
  [Download File]
A user logged in using SSH with the following credentials: root / ****** - Authentication policy: Correct Password
  [Successful SSH Login]
A possibly malicious Superuser Operation was detected 2 times
  [Superuser Operation]
Process /dev/shm/apache2 scanned port 22 on 10 IP Addresses
  [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/apache2 scanned port 80 on 10 IP Addresses
  [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/apache2 scanned port 8080 on 10 IP Addresses
  [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/apache2 scanned port 22 on 32 IP Addresses
  [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/apache2 scanned port 22 on 32 IP Addresses
  [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/apache2 generated outgoing network traffic to: 100.251.22.48:80, 100.251.22.48:8080, 101.120.103.222:80, 101.120.103.222:8080, 104.21.25.86:443, 11.69.62.93:80, 11.69.62.93:8080, 123.121.172.60:80, 123.121.172.60:8080, 125.130.183.146:1234, 126.93.208.1:80, 126.93.208.1:8080, 136.69.53.240:22, 138.53.127.66:80, 138.53.127.66:8080, 142.193.174.188:80, 142.193.174.188:8080, 144.172.78.10:80, 144.172.78.10:8080, 148.193.62.243:80, 148.193.62.243:8080, 151.167.113.159:22, 155.158.245.195:22, 158.112.194.18:2222, 166.105.137.182:80, 166.105.137.182:8080, 17.215.220.81:80, 17.215.220.81:8080, 17.226.85.160:80, 17.226.85.160:8080, 172.67.133.228:443, 176.77.112.161:2222, 184.94.86.137:80, 184.94.86.137:8080, 189.35.40.22:22, 195.138.68.98:80, 195.138.68.98:8080, 195.38.221.67:80, 195.38.221.67:8080, 203.253.105.31:80, 203.253.105.31:8080, 212.57.36.20:1234, 217.246.96.102:80, 217.246.96.102:8080, 217.70.110.149:2222, 218.47.73.66:80, 218.47.73.66:8080, 222.165.136.99:1234, 27.28.90.147:80, 27.28.90.147:8080, 3.103.203.165:22, 30.199.220.105:80, 30.199.220.105:8080, 34.101.142.226:2222, 37.175.29.110:80, 37.175.29.110:8080, 37.55.26.118:80, 37.55.26.118:8080, 38.211.101.196:80, 38.211.101.196:8080, 43.240.61.129:80, 43.240.61.129:8080, 46.13.164.29:1234, 51.75.146.174:443, 52.236.133.183:1234, 55.247.110.191:80, 55.247.110.191:8080, 57.32.89.113:2222, 59.108.161.109:1234, 6.93.114.103:80, 6.93.114.103:8080, 66.228.25.104:2222, 71.237.183.165:80, 71.237.183.165:8080, 73.200.28.211:22, 76.132.23.36:22, 77.111.163.250:80, 77.111.163.250:8080, 79.48.48.34:22, 83.60.203.10:80, 83.60.203.10:8080, 88.105.123.59:80, 88.105.123.59:8080, 88.190.212.57:80, 88.190.212.57:8080, 95.111.104.29:80, 95.111.104.29:8080, 96.79.124.153:1234 and 97.137.83.239:22
  [Outgoing Connection]
Process /dev/shm/apache2 started listening on ports: 1234, 8081 and 8185
  [Listening]
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
  [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
  [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/apache2 scanned port 80 on 32 IP Addresses
  [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Process /dev/shm/apache2 attempted to access suspicious domains: comcastbusiness.net, googleusercontent.com, sinor.ru and tmcz.cz
  [Access Suspicious Domain, Outgoing Connection]
Process /dev/shm/apache2 scanned port 8080 on 32 IP Addresses
  [Port 22 Scan, Port 80 Scan, Port 8080 Scan]
Connection was closed due to timeout
|
Dropped file: /var/tmp/dota3.tar.gz
SHA256: 4ec0cfc7f7017c761367fed91f7786484b1f4bf6c7eb0b6edf3738fa7abc2a77
Size: 5684230 bytes