IP · Medium Signal 77/100
167.94.138.118
Location: Ann Arbor, Michigan
ASN: AS398324 (Censys, Inc)
First Seen: Jan 25, 2022
Last Seen: Jun 18, 2026
Found in 40 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Type: IPv4 Address (network layer indicator observed in threat reports)
MISP Category: Network Activity
Confidence: 77%
Signal Score: 77 / 100
IDS Rule: No
Network Information
Country: United States
Region: Ann Arbor, Michigan
ASN: AS398324
Organization: Censys, Inc
IP Category: Proxy (proxy server), VPN (VPN exit node). These category labels are heuristic and nothing else on this page corroborates them: the ARIN record below is a direct allocation to Censys, Inc. (an internet-wide scanning service, per its own comment URL https://censys.io), every source is a T-Pot honeypot sensor, and the feed tags include "censys-benign" and "verified-benign". Confirm the proxy/VPN claim independently before treating the address as anonymising infrastructure or adding it to a blocklist.
Feed Intelligence Summary
Source reports: 40
Confidence score: 77%
Category tags
abuse, access, account compromise, active reconnaissance, active scan, active scanning, adb, adb brute force, adb honeypot activity, adb protocol, adbhoney activity, adbhoney attack, adbhoney detection, adbhoney exploitation, adbhoney honeypot, alert aggregation, anomalous network connections, apache, application layer protocol, application scanning, apt, asia, atif feed, attack, attacker ips, attacker-ip, australia, authentication, authentication abuse, authentication attack, authentication attacks, authentication attempts, authentication brute force, authentication failure, authentication-attempts, auto-generated security, automated attack, automated attacks, automated enumeration, automated reconnaissance activity, automated threat, automated-attack, bad reputation, bad web bot, banlist feed, bbc, bbc news, binary defense, block list, block.txt, blocklist_all, blog spam, botnet, botnet activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute-force, brute_force, c2, c2 communication, c2 server, censys-benign, china, china mobile, cisco asa, cisco attack, cisco attacks, cisco brute force, cisco device, cisco device attack, cisco device attacks, cisco device targeting, cisco exploit, cisco exploit attempt, cisco exploit attempts, cisco exploitation, cisco exploitation attempt, cisco exploitation attempts, cisco vulnerability exploitation, cisco-device-targeting, cisco_exploit, citrix attack attempt, citrix brute force, citrix exploitation attempt, citrix exploitation attempts, citrix security, close, cloud infrastructure, cloud infrastructure attack, cloud services, code execution, code injection, columns, command & control, command and control, command execution, command injection, common web exploits, communication protocol, company limited, compromise attempt, compromised credentials, compromised credentials attempt, compromised host, compromised hosts, configuration modification, connected devices, conpot activity, conpot attack, conpot attacks, conpot emulation, conpot exploitation, conpot honeypot, conpot ics attack, conpot interaction, container security, cowrie, cowrie activity, cowrie attack, cowrie attacks, cowrie capture, cowrie detection, cowrie emulation, cowrie honeypot, cowrie interaction, cowrie interactions, cowrie logs, cowrie ssh attack, cowrie ssh attacks, cowrie ssh honeypot, cowrie ssh logins, cowrie_attack, credential access, credential attack, credential attacks, credential brute force, credential compromise, credential guessing, credential harvesting, credential stuffing, credential-stuffing, credential_access, cron injection, cta, curl, cve, daily_sources, data encryption, data exfiltration, data exfiltration attempt, data harvesting attempts, data store exposure, data theft, database activity, database attack, database attacks, database enumeration, database exploit attempts, database exploitation, database exploitation attempts, database intrusion attempt, database login attempt, database probing, database scan, database security, dcerpc, ddos, ddos attack, ddos attack indicators, ddos attempt, ddos preparation, ddos probe, ddos probing, ddospot, decoy system, denial of service, denial-of-service, denial-of-service attempt, device management, dictionary attack, digital ocean, dionaea, dionaea activity, dionaea attack, dionaea attacks, dionaea capture, dionaea detection, dionaea emulation, dionaea honeypot, dionaea interactions, dionaea logs, dionaea malware, dionaea malware collection, dionaea malware detection, dionaea malware samples, dionaea payloads, directory traversal, distributed attacks, dns, dns attack, docker, dropper, elasticpot data, elasticpot honeypot, elasticsearch, elasticsearch monitoring, elephant flow, email, encryption, enterprise networking, enterprise security, enumeration, eu cyber policies, europe, executable file, exfiltration, exploit, exploit attempt, exploit attempts, exploit kit activity, exploit kits, exploit probing, exploit public-facing application, exploit targeting, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploitation of privilege, exploitation of vulnerability, exploited host, exploits, external access attempts, external threat, extortion, fail2ban blocked ip, fail2ban triggered, failed login, failed login attempts, fatt, fatt detections, fatt signatures, file, fin scan, france, fraud voip, ftp, ftp activity, ftp attack, ftp attacks, ftp brute force, ftp brute-force, galah, gecko, get request abuse, github, glutton, gopot, groups, hacking, hello, hellpot, heralding activity, heralding protocol abuse, hk abusehandler, honeytrap activity, honeytrap attack, honeytrap data, honeytrap emulation, honeytrap events, honeytrap exploit attempts, honeytrap honeypot, honeytrap interactions, hong kong, http attack, http brute force, http enumeration, http probing, http request anomalies, http scanner, http scanning, http/s, https, https scanning, hurricane us, icmp, ics security, ics/scada, ics/scada attack, identity & access exploitation, ids, imap, imap brute force, indicator, indicators of compromise, industrial control systems, industrial iot, information gathering, information technology, infrastructure acquisitionreconnaissance, infrastructure reconnaissance, initial access, initial_access, injection activity, injection attacks, intel mac, internet of things, internet-facing, internet-facing service, intrusion block, intrusion detection, ioc, iocs, iot analytics, iot applications, iot device attack, iot device targeting, iot platforms, iot security, iot targeted, iot/ics attack, ipphoney honeypot, ips, ipv4, ipv4 attacks, ipv4 port scanning, ipv4 scanning, it infrastructure, japan, kfsensor honeypot, khtml, kibana, kill-chain exploitation, kill-chain reconnaissance, known malicious ip, lamp, lamp attack, lamp attack attempt, lamp attacks, lamp exploit, lamp exploit attempts, lamp exploitation, lamp exploitation attempts, lamp server attack, lamp server targeting, lamp stack, lamp stack attack, lamp stack attacks, lamp stack exploitation, lamp stack targeting, lamp vulnerability exploitation, lamp vulnerability scan, lamp_exploit, lateral movement, lateral movement techniques, lcialfi, linux, linux servers, linux system targeting, linux systems, linux x8664, linux-server-attack, linux-server-attacks, linux-server-targeting, linux_server_attacks, log4pot, login, login attack, login attempt, mail protocol abuse, mail protocol attacks, mail service attack, mail service probing, mailoney activity, mailoney attack, mailoney detection, mailoney email spoofing, mailoney events, mailoney honeypot, mailoney interactions, mailoney traffic, malicious activity, malicious activity detected, malicious emails, malicious file transfer, malicious ip list, malicious login, malicious login attempts, malicious network activity, malicious payload, malicious payload attempts, malicious payload detection, malicious payload distribution, malicious script execution, malicious sftp activity, malicious sip activity, malicious software, malicious ssh activity, malicious traffic, malicious-activity, malicious-login-attempts, malicious_activity, malware, malware activity, malware analysis, malware attempt, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware distribution, malware distribution attempt, malware download, malware download attempts, malware dropper, malware hosting, malware landing, malware propagation, malware propagation attempt, malware_activity, manual, medium-risk, medpot, mobile, mobile security, module loading, mssql, mssql brute force, multiple port scan, mysql brute force, network, network activity, network attacks, network devices, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network probe, network probing, network protocol, network reconnaissance, network scan, network scanning, network security, network service exploitation, network service scanning, network services, network traffic analysis, network-based attack attempts, network_intrusion, network_reconnaissance, network_services_attack, nids, north america, null scan, oceania, os command injection, os credential dumping, os fingerprinting, os x, p0f, p0f network fingerprinting, p0f os fingerprinting, p0f signatures, password attack, password attacks, password cracking, password spraying, password-guessing, perimeter security, pgp sign, phishing, phishing attack, phishing trap, php exploitation attempts, ping of death, port-scanning, possible botnet activity, possible botnet communication, possible exploit attempt, possible exploit attempts, possible malware activity, possible malware distribution, possible malware dropper, possible malware propagation, possible mirai variant, possible reconnaissance, post request abuse, potential botnet, potential credential compromise, potential exploit activity, potential exploit attempt, potential exploit attempts, potential intrusion, potential malicious activity, potential malware activity, potential malware delivery, potential malware deployment, potential malware distribution, potential malware download, potential malware infection, potential vulnerability exploitation, privilege escalation, process injection, protocol exploitation, protocol-abuse, proxy, proxy access, publicly accessible infrastructure, python, ransomware, ransomware activity, rce, rdp attacks, rdp scanning, reconnaissance, reconnaissance activity, reconnaissance-activities, redis exploitation, redis honeypot, redis honeypot attack, redishoneypot activity, regional security, remote access, remote access abuse, remote access attack, remote access attempts, remote code execution, remote service exploitation, remote services, replication attack, researched, resource hijacking, rfi, sans, sasl, scams & fraud, scanner, scanner detection, scanners, scanning activity, script, scripting attacks, security operations, sensor-tagged, sentrypeer activity, sentrypeer attack, sentrypeer botnet, sentrypeer detection, sentrypeer events, sentrypeer interactions, sentrypeer p2p attack, server exploitation, server security, service enumeration, service scan, service scanning, sftp, sftp access attempt, sftp access attempts, sftp activity, sftp attack, sftp attacks, sftp attempt, sftp attempts, sftp exploitation, sftp exploitation attempt, sftp exploitation attempts, sftp probing, sftp protocol, sftp scanning, sftp traffic analysis, sftp-attack, sftp-brute-force, sftp_attack, sftp_protocol, shell access, shell access attempt, shell access attempts, sip, sip activity, sip attacks, sip brute force, sip enumeration, sip probing, sip protocol, sip scan, sip scanning, sip vulnerability exploitation, sip vulnerability scan, sip vulnerability scanning, sip-scanning, sip_attack, sip_protocol, sipp, slug, smart devices, smb attacks, smb brute force, smb scanning, smtp, smtp attack, smtp attacks, smtp brute force, smtp probe, smtp probing, smtp scanning, smtp traffic analysis, snare, social engineering, software development, software exploitation, spain, spam, spam campaigns, sql injection, sql injection attempt, sql injection attempts, ssh, ssh activity, ssh attack, ssh attacks, ssh brute-force, ssh key injection, ssh monitoring, ssh protocol, ssh-brute-force, ssh_bruteforce, ssh_protocol, surface web, suricata alert, suricata alerts, syn scan, system discovery, system disruption, t-pot, tanner, tanner activity, tanner attack, tanner detection, tanner events, tanner incident, tanner interactions, tanner web attack, targeting database, tcp protocol, tcp scan, tcp scanning, tcp/23, telecommunications, telnet attacks, telnet scanning, telnet threat, telnet-brute-force, telnet_protocol, threat actor, threat actor activity, threat detection, threat feed, threat intelligence, threat intelligence feed, timeout, top10.txt, topips.txt, tor node, tpot, tpotce, tsec, ubuntu, udp port scan, udp scan, unattributed activity, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized login, unauthorized login attempt, unauthorized-access-attempt, united kingdom, united states, united states of america, unknown threat actor, unsolicited email, unusual network traffic, us, us abuse, us ip address, us none, us source ip, user enumeration, verified-benign, vnc protocol, voip, voip attack, vpn, vpn ip, vulnerability scan, vultr cloud infrastructure, waf, waf bypass, wazuh, web app attack, web application attack, web application attacks, web application scan, web application scanning, web attack, web attacks, web crawling detection, web exploit attempt, web exploit attempts, web exploitation, web login attempt, web scanner, web server, web server attacks, web server exploitation, web server probing, web service probing, web shell, web shell detection, web shell upload, web shell uploads, web spam, web traffic, web-application-attack, web-application-attacks, web_attack, wget, windows nt, windows system targeting, wordpot, xmas scan, xss
MITRE ATT&CK TTPs (technique IDs carried as tags in the feed): T1003, T1005, T1016, T1016.001, T1018, T1020, T1021, T1021.001, T1021.002, T1021.003, T1021.004, T1021.005, T1021.006, T1021.007, T1027, T1040, T1041, T1046, T1047, T1048, T1053, T1053.005, T1055, T1056, T1059, T1059.001, T1059.003, T1059.004, T1059.005, T1059.007, T1064, T1065, T1068, T1071, T1071.001, T1076, T1077, T1078, T1078.001, T1078.002, T1078.003, T1078.004, T1083, T1087, T1090, T1105, T1110, T1110.001, T1110.002, T1110.003, T1110.004, T1133, T1187, T1189, T1190, T1195, T1199, T1202, T1203, T1204, T1204.002, T1210, T1486, T1490, T1496, T1497, T1499.001, T1499.002, T1499.003, T1505.002, T1505.004, T1550, T1550.002, T1550.003, T1552.001, T1555, T1555.003, T1563, T1565, T1566, T1566.001, T1566.002, T1566.003, T1566.004, T1572, T1573, T1573.001, T1583, T1583.001, T1587.001, T1588, T1588.002, T1588.004, T1588.006, T1589, T1589.002, T1590, T1590.001, T1590.004, T1590.006, T1592, T1592.002, T1593, T1595, T1595.001, T1595.002, T1595.003, T1598, T1600, T1608
Activity Timeline: Jun 18
Threat Activity Heatmap: peak 2026-06-18
Hits by window: 24h: 0 (Dormant) · 7d: 1 (Minimal) · 30d: 1 (Minimal) · 3mo: 1 (Minimal)
Threat Score: 77 (labelled "High Risk" in this panel; the page header labels the same score "Medium Signal" and the report summary gives confidence as medium)
Signal Score: 77
Confidence: 77%
Reports: 40
First seen: Jan 25, 2022
Last seen: Jun 18, 2026
Geolocation: US · United States · Ann Arbor, Michigan
ASN: AS398324 · Org: Censys, Inc
Coords: 42.2780, -83.7408
Category: Proxy / VPN
VirusTotal
Not checked
WHOIS
- description: Observed on T-Pot within last 24h; sensors=honeytrap, p0f, suricata; threshold ≥ 1; private IPs excluded.
- raw (ARIN network and organisation record, one field per line):
  NetRange: 167.94.138.0 - 167.94.138.255
  CIDR: 167.94.138.0/24
  NetName: CENSY
  NetHandle: NET-167-94-138-0-1
  Parent: NET167 (NET-167-0-0-0-0)
  NetType: Direct Allocation
  OriginAS: AS398324
  Organization: Censys, Inc. (CENSY)
  RegDate: 2021-09-13
  Updated: 2024-03-29
  Ref: https://rdap.arin.net/registry/ip/167.94.138.0
  OrgName: Censys, Inc.
  OrgId: CENSY
  Address: 116 1/2 S Main Street
  City: Ann Arbor
  StateProv: MI
  PostalCode: 48104
  Country: US
  RegDate: 2018-08-06
  Updated: 2019-08-03
  Comment: https://censys.io
  Ref: https://rdap.arin.net/registry/entity/CENSY
  OrgAbuseHandle: CAT20-ARIN
  OrgAbuseName: Censys Abuse Team
  OrgAbusePhone: +1-248-629-0125
  OrgAbuseEmail: [email protected]
  OrgAbuseRef: https://rdap.arin.net/registry/entity/CAT20-ARIN
  OrgNOCHandle: COT12-ARIN
  OrgNOCName: Censys Operations Team
  OrgNOCPhone: +1-248-629-0125
  OrgNOCEmail: [email protected]
  OrgNOCRef: https://rdap.arin.net/registry/entity/COT12-ARIN
  OrgTechHandle: COT12-ARIN
  OrgTechName: Censys Operations Team
  OrgTechPhone: +1-248-629-0125
  OrgTechEmail: [email protected]
  OrgTechRef: https://rdap.arin.net/registry/entity/COT12-ARIN
- references:
  - https://github.com/telekom-security/tpotce
  - https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
  - https://chiraba.com:8443/hourly
  - https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt
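Added example (not the feed's, the page's or Censys' own code): a triage routine that re-parses the flattened ARIN record above, checks the indicator against the CIDR the record states, and weighs the registry organisation, the "censys-benign"/"verified-benign" tags and the activity counters against the heuristic proxy/VPN labels before deciding whether the address belongs on a blocklist. The WHOIS string, the tag subset and the per-window counters are constructed from this page; the vetted OrgId set, `parse_whois`, `triage` and `Verdict` are names and policy choices invented here.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample input, copied from the record on this page: the ARIN
# WHOIS text as the page flattens it, plus a subset of the feed's tags and
# the hits-per-window counters.
WHOIS_RAW = (
    "NetRange: 167.94.138.0 - 167.94.138.255 CIDR: 167.94.138.0/24 "
    "NetName: CENSY NetHandle: NET-167-94-138-0-1 NetType: Direct Allocation "
    "OriginAS: AS398324 Organization: Censys, Inc. (CENSY) "
    "OrgName: Censys, Inc. OrgId: CENSY Comment: https://censys.io"
)
TAGS = {"active scanning", "censys-benign", "verified-benign", "proxy", "vpn",
        "cowrie ssh attack", "suricata alert", "t-pot"}
ACTIVITY = {"24h": 0, "7d": 1, "30d": 1, "3mo": 1}

# Analyst-maintained policy lists (assumptions for this example, not feed data).
VETTED_SCANNER_ORGIDS = {"CENSY"}        # ARIN OrgIds vetted as research scanners
BENIGN_TAGS = {"censys-benign", "verified-benign"}
PROXY_TAGS = {"proxy", "vpn", "tor node"}

# ARIN keys present in the record; used to re-split the flattened line.
FIELD_RE = re.compile(
    r"(NetRange|CIDR|NetName|NetHandle|NetType|OriginAS|Organization|"
    r"OrgName|OrgId|Comment): ")


def parse_whois(raw):
    """Split a whitespace-flattened ARIN record back into {field: value}."""
    parts = FIELD_RE.split(raw)          # ['', key, value, key, value, ...]
    return {parts[i]: parts[i + 1].strip() for i in range(1, len(parts) - 1, 2)}


@dataclass
class Verdict:
    action: str                          # "block", "watch", "log-only" or "review"
    reasons: list = field(default_factory=list)


def triage(ip, whois_raw, tags, activity, vetted_orgids=VETTED_SCANNER_ORGIDS):
    """Decide what to do with a feed hit, letting the registry record and
    explicit benign markers override heuristic category labels."""
    rec = parse_whois(whois_raw)
    v = Verdict(action="block")
    net = ipaddress.ip_network(rec["CIDR"])
    if ipaddress.ip_address(ip) not in net:
        # The WHOIS shown does not cover this address: do not act on it blindly.
        v.action = "review"
        v.reasons.append(f"{ip} is outside the WHOIS CIDR {net}: record mismatch")
        return v

    vetted = rec.get("OrgId") in vetted_orgids
    benign = sorted(tags & BENIGN_TAGS)
    if vetted or benign:
        v.action = "log-only"            # keep for research, never auto-block
        if vetted:
            v.reasons.append(f"{rec['NetType'].lower()} to vetted scanner org "
                             f"{rec['OrgName']} ({rec['OriginAS']})")
        if benign:
            v.reasons.append("feed carries benign markers: " + ", ".join(benign))
    elif activity.get("24h", 0) == 0 and activity.get("7d", 0) <= 1:
        v.action = "watch"               # stale: re-evaluate rather than block
        v.reasons.append("no hits in 24h and at most one in 7d: stale indicator")
    else:
        v.reasons.append("recent hits with no benign markers")

    proxy = sorted(tags & PROXY_TAGS)
    if proxy and vetted and rec.get("NetType") == "Direct Allocation":
        v.reasons.append("labels " + ", ".join(proxy) + " conflict with a direct "
                         "allocation to a scanner org; treat as unverified")
    return v


if __name__ == "__main__":
    verdict = triage("167.94.138.118", WHOIS_RAW, TAGS, ACTIVITY)
    print(verdict.action)
    for reason in verdict.reasons:
        print(" -", reason)
```

The order of checks is the point: CIDR membership first (a record that does not cover the address is a data-quality failure, not a verdict), then registry organisation and explicit benign tags, and only then the recency counters. The proxy/VPN labels never raise the action on their own; when they contradict a direct allocation to a vetted scanner they are recorded as unverified so the analyst sees the conflict.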
IOC Journey: medium · First detected 4 years ago · Last seen 4 days ago · Appeared in 40 threat reports