IP · Medium · Signal 64/100
167.94.138.117
Location
Ann Arbor, Michigan
ASN
AS398324
Censys, Inc
First Seen
Jan 25, 2022
Last Seen
Jun 18, 2026
Found in 39 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
64%
Signal Score
64 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region: Ann Arbor, Michigan
ASN: AS398324
Organization: Censys, Inc
IP Category: Proxy (Proxy server), VPN (VPN exit node)
Feed Intelligence Summary
39 source reports · 64% confidence score
Category tags
abuse, access, active scan, active scanning, adb, adb brute force, adb scanning, adbhoney activity, adbhoney alerts, adbhoney honeypot, american express company, anomalous network connections, apt, asia, attack, attacker-ip, australia, authentication, authentication abuse, authentication attempts, authentication failure, authentication-attempts, automated attack, automated attacks, automated enumeration, automated reconnaissance activity, automated threat, automated-attack,
bad reputation, bad web bot, block list, block.txt, blocked, blocklist_all, blog spam, botnet, botnet activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute-force, brute_force,
c2, c2 communication, c2 server, canada, censys-benign, china, china mobile, cisco, cisco activity, cisco asa, cisco attack, cisco attacks, cisco brute force, cisco device, cisco device attack, cisco device attacks, cisco device scanning, cisco device targeted, cisco device targeting, cisco exploit attempt, cisco exploitation, cisco exploitation attempt, cisco exploitation attempts, cisco vulnerability scan, citrix attack attempt, citrix exploitation attempt, citrix exploitation attempts, citrix security, citrix vulnerability scan, close, cloud infrastructure, code execution, columns, command & control, command and control, command execution, command injection, command injection attempt, communication protocol, company limited, compromise attempt, compromised credentials, compromised credentials attempt, compromised host, compromised host detection, compromised hosts, compromised system attempt, configuration manipulation, configuration modification, connect, connected devices, conpot, conpot activity, conpot honeypot, conpot ics attacks, conpot ics exploitation, cowrie, cowrie activity, cowrie attacks, cowrie detected, cowrie detected activity, cowrie honeypot, cowrie honeypot detection, cowrie interaction, cowrie interactions, cowrie login attempts, cowrie logs, cowrie ssh, cowrie ssh attack, cowrie ssh attacks, cowrie ssh honeypot, credential access, credential attack, credential attacks, credential brute force, credential brute-forcing, credential compromise, credential guessing, credential harvesting, credential stuffing, credential-stuffing, credential_access, cron injection, cta, cve, cyber security,
daily_sources, data encryption, data exfiltration, data exfiltration attempt, data harvesting, data harvesting attempts, data store exposure, data theft, database attack, database attacks, database brute force, database intrusion attempt, database probing, database scan, database security, ddos, ddos attack, ddos attack indicators, ddos attempt, ddos preparation, ddos probe, ddos probing, ddos reflection, decoy system, defense evasion, denial of service, denial-of-service, denial-of-service attempt, denied connection, device management, dictionary attack, digital ocean, dionaea, dionaea activity, dionaea attack, dionaea attacks, dionaea detection, dionaea honeypot, dionaea interactions, dionaea malware analysis, dionaea malware collection, dionaea malware samples, dionaea payloads, directory traversal attempt, distributed attacks, dns, dns attack, dropper,
elasticpot activity, elasticpot attacks, elasticpot honeypot, elasticsearch monitoring, email, encryption, enterprise networking, enterprise security, enumeration, eu cyber policies, europe, executable file, exfiltration, exploit, exploit attempt, exploit attempts, exploit kit activity, exploit probing, exploit public-facing application, exploit scan, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploitation of vulnerability, exploited host, external access attempts, external threat,
failed login attempts, fatt, fatt analysis, fatt detections, fatt signatures, file, fin scan, finland, firewall action, firewall block, france, fraud voip, ftp, ftp attack, ftp attacks, ftp brute force, ftp brute-force, ftp bruteforce, ftp scan,
gecko, germany, github, global, groups, hacking, hello, heralding activity, heralding attacks, heralding probes, hk abusehandler, honeynet connect, honeytrap activity, honeytrap data, honeytrap events, honeytrap exploit attempts, honeytrap honeypot, honeytrap interactions, hong kong, http attack, http brute force, http probing, http request anomalies, http scanner, http scanning, http/s, https, https scanning, huawei, hurricane us,
icmp, ics security, ics/scada, ics/scada attack, identity & access exploitation, imap, indicator, indicators of compromise, industrial control systems, industrial iot, information gathering, information technology, infrastructure acquisition reconnaissance, initial access, injection activity, injection attacks, intel mac, internet of things, internet-facing, internet-facing service, intrusion detection, ioc, iocs, ios, iot analytics, iot applications, iot device targeting, iot platforms, iot security, iot targeted, iot/ics attack, ipmi scanning, ipphoney activity, ipphoney honeypot, ipv4,
khtml, lamp, lamp activity, lamp attack, lamp attack attempt, lamp attacks, lamp exploit attempt, lamp exploit attempts, lamp exploitation, lamp exploitation attempt, lamp exploitation attempts, lamp server attack, lamp server targeting, lamp stack, lamp stack attack, lamp stack attacks, lamp stack exploitation, lamp stack targeted, lamp stack targeting, lamp vulnerability scan, lateral movement, lateral movement attempt, lateral movement techniques, lcia, linux, linux servers, linux systems, linux target, linux x8664, linux-server-attack, linux-server-attacks, linux_server_attacks, login, login attack, login attempt, login attempts,
mac os, mail protocol abuse, mailoney activity, mailoney attack, mailoney attacks, mailoney detected, mailoney events, mailoney honeypot, mailoney interactions, malicious activity, malicious activity detected, malicious email, malicious email detection, malicious file transfer, malicious ip activity, malicious ip detected, malicious login attempts, malicious network activity, malicious payload, malicious payload attempt, malicious payload attempts, malicious payload detection, malicious scan, malicious sftp activity, malicious sip activity, malicious software, malicious software detection, malicious ssh activity, malicious traffic, malicious-activity, malicious-login-attempts, malicious_activity, malware, malware activity, malware analysis, malware attempt, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware detection, malware distribution, malware distribution attempt, malware distribution attempts, malware download, malware hosting, malware installation, malware landing, malware probing, malware propagation, malware propagation attempt, malware_activity, manual, mobile, mobile security, mobile threat, module loading, monthly, mssql, mssql brute force, mysql brute force,
nation-state activity, network, network attacks, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network probe, network probing, network protocol, network reconnaissance, network scan, network scanning, network security, network service scanning, network services, network traffic analysis, network-based attack attempts, network_intrusion, north america, null scan, oceania, open proxy, origin, os fingerprinting, os x,
p0f, p0f fingerprinting, p0f network fingerprinting, p0f os fingerprinting, p0f passive fingerprinting, p0f signatures, password attack, password attacks, password cracking, password spraying, password-guessing, pgp sign, phishing, phishing attack, phishing attempt, phishing trap, php exploitation attempts, poland, port-scanning, possible botnet activity, possible exploit attempt, possible malware distribution, possible malware infection, possible malware propagation, possible mirai variant, possible reconnaissance, potential botnet, potential botnet activity, potential compromise, potential credential theft, potential exploit, potential exploit activity, potential exploit attempts, potential intrusion, potential malicious activity, potential malware, potential malware delivery, potential malware deployment, potential malware distribution, potential malware infection, potential threat activity, privilege escalation, process injection, protocol abuse, protocol exploitation, protocol-abuse, proxy, python,
ransomware, ransomware activity, rce, rdp attacks, reconnaissance, reconnaissance activity, redis exploitation attempt, redis exploitation attempts, redis honeypot, redis honeypot activity, redis honeypot detected, redishoneypot, redishoneypot activity, regional security, remote access, remote access attack, remote access attempt, remote access attempts, remote code execution, remote service exploitation, remote services, replication attack, researched, resource development, resource hijacking,
sans, scams & fraud, scanner, scanner detection, scanners, scanning activity, script, scripting attacks, security operations, sensor-tagged, sentrypeer activity, sentrypeer attacks, sentrypeer botnet, sentrypeer data, sentrypeer detection, sentrypeer events, sentrypeer interactions, sentrypeer sip attacks, server exploitation, service discovery, service enumeration, service scan, service scanning, sftp, sftp access attempt, sftp access attempts, sftp activity, sftp attack, sftp attacks, sftp attempt, sftp attempts, sftp bruteforce, sftp exploitation attempts, sftp intrusion attempt, sftp probing, sftp protocol, sftp scanning, sftp-attack, sip, sip activity, sip attacks, sip brute force, sip protocol, sip scan, sip scanning, sip vulnerability scan, slaveof, slug, smart devices, smb brute force, smb scanning, smtp, smtp attack, smtp attacks, smtp brute force, smtp probing, smtp scanning, social engineering, software exploitation, spam, sql injection, sql injection attempt, sql injection attempts, ssh, ssh activity, ssh attack, ssh attacks, ssh brute-force, ssh bruteforce, ssh key injection, ssh monitoring, ssh protocol, ssh-brute-force, surface web, suricata alert, suricata alerts, syn scan,
t-pot, t1005, t1016, t1016.001, t1016.002, t1018, t1020, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1021.006, t1027, t1040, t1041, t1046, t1047, t1048, t1048.003, t1053, t1053.005, t1055, t1056, t1059, t1059.001, t1059.003, t1059.004, t1059.005, t1059.007, t1064, t1065, t1068, t1071, t1071.001, t1076, t1077, t1078, t1078.001, t1078.002, t1078.003, t1078.004, t1083, t1087, t1087.001, t1087.002, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1187, t1189, t1190, t1195, t1199, t1203, t1204, t1204.002, t1210, t1486, t1490, t1496, t1497, t1499.001, t1499.002, t1499.003, t1505, t1505.002, t1505.003, t1505.004, t1547, t1550, t1550.002, t1552.001, t1555, t1555.003, t1562, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1571, t1572, t1573, t1573.001, t1583, t1583.001, t1587.001, t1588, t1588.002, t1588.004, t1589, t1590, t1590.001, t1590.004, t1590.006, t1592, t1592.002, t1595, t1595.001, t1595.002, t1595.003,
tanner, tanner activity, tanner detected, tanner detected activity, tanner events, tanner exploit kit, tanner exploitation, tanner exploits, tanner honeypot activity, tanner interactions, targeting database, tcp, tcp protocol, tcp scan, tcp scanning, telecommunication, telecommunications, telnet attacks, telnet threat, telnet-brute-force, threat actor, threat actor activity, threat detection, threat intelligence, threat intelligence feed, timeout, top10.txt, topips.txt, tor node, tpot, tpotce, tsec,
ubuntu, udp port scan, udp scan, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized activity, unauthorized login, unauthorized login attempt, unauthorized login attempts, unauthorized-access-attempt, united kingdom, united states, united states of america, unknown threat actor, unusual network traffic, us, us ip address, us none, user enumeration, valid accounts, verified-benign, vnc protocol, voip, voip attack, vpn, vpn ip, vulnerability scan,
web app attack, web application attack, web application attacks, web application probing, web application scan, web application scanning, web attack, web attacks, web crawling detection, web exploit, web exploit attempt, web exploitation, web scanner, web server attack, web service attacks, web shell, web shell attempt, web shell detection, web shell upload, web shell uploads, web spam, web traffic, web-application-attack, web_attack, wells fargo bank, windows, windows nt, xmas scan
Activity Timeline: Jun 18 – Jun 18
Threat Activity Heatmap · Peak: 2026-06-18
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal Score: 64
Confidence: 64%
Reports: 39
First seen: Jan 25, 2022
Last seen: Jun 18, 2026
Geolocation: US
Country: United States
Location: Ann Arbor, Michigan
ASN: AS398324
Org: Censys, Inc
Coords: 42.2809, -83.7489
Proxy: VPN
VirusTotal
Not checked
WHOIS
- description
  Observed on T-Pot within last 24h; sensors=honeytrap, p0f, suricata; threshold?1; private IPs excluded.
- raw
  NetRange: 167.94.138.0 - 167.94.138.255
  CIDR: 167.94.138.0/24
  NetName: CENSY
  NetHandle: NET-167-94-138-0-1
  Parent: NET167 (NET-167-0-0-0-0)
  NetType: Direct Allocation
  OriginAS: AS398324
  Organization: Censys, Inc. (CENSY)
  RegDate: 2021-09-13
  Updated: 2024-03-29
  Ref: https://rdap.arin.net/registry/ip/167.94.138.0

  OrgName: Censys, Inc.
  OrgId: CENSY
  Address: 116 1/2 S Main Street
  City: Ann Arbor
  StateProv: MI
  PostalCode: 48104
  Country: US
  RegDate: 2018-08-06
  Updated: 2019-08-03
  Comment: https://censys.io
  Ref: https://rdap.arin.net/registry/entity/CENSY

  OrgAbuseHandle: CAT20-ARIN
  OrgAbuseName: Censys Abuse Team
  OrgAbusePhone: +1-248-629-0125
  OrgAbuseEmail: [email protected]
  OrgAbuseRef: https://rdap.arin.net/registry/entity/CAT20-ARIN

  OrgNOCHandle: COT12-ARIN
  OrgNOCName: Censys Operations Team
  OrgNOCPhone: +1-248-629-0125
  OrgNOCEmail: [email protected]
  OrgNOCRef: https://rdap.arin.net/registry/entity/COT12-ARIN

  OrgTechHandle: COT12-ARIN
  OrgTechName: Censys Operations Team
  OrgTechPhone: +1-248-629-0125
  OrgTechEmail: [email protected]
  OrgTechRef: https://rdap.arin.net/registry/entity/COT12-ARIN
IOC Journey
Medium · First detected 4 years ago · Last seen 3 days ago
Appeared in 39 threat reports