IOC Radar
IP · Medium · Signal 87/100

167.94.146.58

Location
United States
Frankfurt am Main, Michigan
ASN
AS398705
Censys, Inc.
First Seen
Nov 15, 2021
Last Seen
Jun 18, 2026
First Seen: Nov 15 (1685d ago)
Last Seen: Jun 18 (9d ago)
Reports: 47 source reports
Confidence: 87% (medium)
Found in 47 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 87%
Signal Score: 87 / 100
IDS Rule: No
Threat Context
Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 118 techniques

Network Information

Country: US (United States)
Region: Frankfurt am Main, Michigan
ASN: AS398705
Organization: Censys, Inc.

IP Category

Proxy: proxy server
VPN: VPN exit node

Feed Intelligence Summary

47 source reports · 87% confidence score
Category tags

Activity Timeline

1 total observation (Jun 18)

Threat Activity Heatmap

[Calendar heatmap, Jun through the following Jun, rows Mon/Wed/Fri; peak: 2026-06-18]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal: 87
Signal Score: 87%
Confidence: 47 reports
First seen: Nov 15, 2021
Last seen: Jun 18, 2026
Geolocation: US
Country: United States
Location: Frankfurt am Main, Michigan
ASN: AS398705
Org: Censys, Inc.
Coords: 42.2780, -83.7408
Proxy/VPN

VirusTotal

Not checked

WHOIS

description
IPv4 hosts detected port scanning Vultr Melbourne (Australia) honeypot
raw
NetRange: 167.94.145.0 - 167.94.146.255
CIDR: 167.94.146.0/24, 167.94.145.0/24
NetName: CENSY
NetHandle: NET-167-94-145-0-1
Parent: NET167 (NET-167-0-0-0-0)
NetType: Direct Allocation
OriginAS:
Organization: Censys, Inc. (CENSY)
RegDate: 2021-09-13
Updated: 2023-08-05
Ref: https://rdap.arin.net/registry/ip/167.94.145.0
OrgName: Censys, Inc.
OrgId: CENSY
Address: 116 1/2 S Main Street
City: Ann Arbor
StateProv: MI
PostalCode: 48104
Country: US
RegDate: 2018-08-06
Updated: 2019-08-03
Comment: https://censys.io
Ref: https://rdap.arin.net/registry/entity/CENSY
OrgTechHandle: COT12-ARIN
OrgTechName: Censys Operations Team
OrgTechPhone: +1-248-629-0125
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/COT12-ARIN
OrgNOCHandle: COT12-ARIN
OrgNOCName: Censys Operations Team
OrgNOCPhone: +1-248-629-0125
OrgNOCEmail: [email protected]
OrgNOCRef: https://rdap.arin.net/registry/entity/COT12-ARIN
OrgAbuseHandle: CAT20-ARIN
OrgAbuseName: Censys Abuse Team
OrgAbusePhone: +1-248-629-0125
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/CAT20-ARIN
references
https://github.com/telekom-security/tpotce
https://feeds.dshield.org/feeds/topips.txt
https://feeds.dshield.org/feeds/top10.txt
https://feeds.dshield.org/feeds/block.txt
https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
https://jamesbrine.com.au/vultrwarsaw-redis-bruteforce-ip-list-2025-08-26/
https://jamesbrine.com.au

IOC Journey

Confidence: medium
First detected 4 years ago · Last seen 9 days ago
Appeared in 47 threat reports