IP · Medium · Signal 73/100
167.94.138.170
Location
Ann Arbor, Michigan
First Seen
Jan 25, 2022
Last Seen
May 22, 2026
Found in 35 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
73%
Signal Score
73 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region: Ann Arbor, Michigan
Organization: Censys, Inc
IP Category
Proxy
Proxy server
Feed Intelligence Summary
Source reports: 35
Confidence score: 73%
Category tags
Activity Timeline
May 22
Threat Activity Heatmap
Peak: 2026-05-22
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 73
Confidence: 73%
Reports: 35
First seen: Jan 25, 2022
Last seen: May 22, 2026
Geolocation: US
Country: United States
Location: Ann Arbor, Michigan
Org: Censys, Inc
Coords: 42.2809, -83.7489
Proxy
VirusTotal
Not checked
WHOIS
- description: Observed on T-Pot within last 24h; sensors=honeytrap, p0f, suricata; threshold?1; private IPs excluded.
- raw:
  NetRange: 167.94.138.0 - 167.94.138.255
  CIDR: 167.94.138.0/24
  NetName: CENSY
  NetHandle: NET-167-94-138-0-1
  Parent: NET167 (NET-167-0-0-0-0)
  NetType: Direct Allocation
  OriginAS: AS398324
  Organization: Censys, Inc. (CENSY)
  RegDate: 2021-09-13
  Updated: 2024-03-29
  Ref: https://rdap.arin.net/registry/ip/167.94.138.0
  OrgName: Censys, Inc.
  OrgId: CENSY
  Address: 116 1/2 S Main Street
  City: Ann Arbor
  StateProv: MI
  PostalCode: 48104
  Country: US
  RegDate: 2018-08-06
  Updated: 2019-08-03
  Comment: https://censys.io
  Ref: https://rdap.arin.net/registry/entity/CENSY
  OrgTechHandle: COT12-ARIN
  OrgTechName: Censys Operations Team
  OrgTechPhone: +1-248-629-0125
  OrgTechEmail: [email protected]
  OrgTechRef: https://rdap.arin.net/registry/entity/COT12-ARIN
  OrgAbuseHandle: CAT20-ARIN
  OrgAbuseName: Censys Abuse Team
  OrgAbusePhone: +1-248-629-0125
  OrgAbuseEmail: [email protected]
  OrgAbuseRef: https://rdap.arin.net/registry/entity/CAT20-ARIN
  OrgNOCHandle: COT12-ARIN
  OrgNOCName: Censys Operations Team
  OrgNOCPhone: +1-248-629-0125
  OrgNOCEmail: [email protected]
  OrgNOCRef: https://rdap.arin.net/registry/entity/COT12-ARIN
- references: https://github.com/telekom-security/tpotce, https://blocklist.greensnow.co/greensnow.txt, https://www.binarydefense.com/banlist.txt, https://lists.blocklist.de/lists/all.txt, https://rules.emergingthreats.net/blockrules/compromised-ips.txt
IOC Journey
Medium · First detected 4 years ago · Last seen 24 days ago
Appeared in 35 threat reports