IP · Medium · Signal 58/100
168.76.20.229
Location
Bloemfontein, Free State
ASN
AS137951
Free State Education Department
First Seen
Apr 9, 2024
Last Seen
Jun 17, 2026
Found in 23 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
58%
Signal Score
58 / 100
IDS Rule
No
Threat Context
Tags and MITRE ATT&CK TTPs are not broken out separately on this page; the ATT&CK technique IDs (t1005 through t1595.003) appear inline in the Category tags list under Feed Intelligence Summary below.
Network Information
Country
South Africa
Region: Bloemfontein, Free State
ASN: AS137951
Organization: Free State Education Department
IP Category
Proxy (proxy server)
VPN (VPN exit node)
Feed Intelligence Summary
Source reports: 23
Confidence score: 58%
Category tags (the union of labels attached by all 23 source reports, including honeypot sensor names such as cowrie, dionaea, tanner and t-pot; a tag records that some feed applied that label, not that this address was confirmed performing that activity)
abuse, access control, account compromise, ack, ack scan, active reconnaissance, active scan, active scanning, adb_protocol, adbhoney activity, adbhoney honeypot, africa, alaska, and exploitation attempts, android device attacks, anomalous network connections, apache, apache attacker, apt, asia, attack, attack preparatory, attacker ip, attacker-ip, australia, authentication abuse, authentication attacks, authentication attempts, auto-generated security, automated attack, automated attack attempts, automated attacks, automated multi-vector probing, automated threat, automated threats, automated-attack, automated_attack, bad reputation, bad web bot, banking, blacklist ips, blacklisted ip, block list, block.txt, blog spam, botnet, botnet activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute-force, brute-force attack, brute_force, brute_force_attack, c2, c2 communication, c2 server, canada, china mobile, cisco device, cisco device targeting, cisco exploit attempt, cisco exploitation attempt, cisco exploitation attempts, cisco_device_attack, citrix exploitation attempt, citrix exploitation attempts, citrix security, cloud infrastructure, cloud infrastructure attack, cloud services, cloud_infrastructure, code execution, code injection, code-injection, columns, command & control, command and control, command execution, command injection, common credential attack, communication protocol, company limited, compromise attempt, compromised credentials, compromised host, compromised hosts, compromised systems, conpot activity, conpot honeypot, container security, cowrie, cowrie activity, cowrie attacks, cowrie honeypot, cowrie interactions, cowrie logs, cowrie ssh attack, cowrie ssh attacks, cowrie ssh honeypot, credential access, credential attack, credential attacks, credential brute force, credential guessing, credential harvesting, credential stuffing, credential-abuse, credential-harvesting, credential-stuffing, credential_access, credential_guessing, credential_stuffing, credit card services, curl, daily_sources, data encryption, data exfiltration, data exfiltration attempt, data store exposure, data theft, database attack, database attacks, database brute force, database login attempt, database probing, database security, database_server, dcerpc, ddos, ddos attack, ddos attack indicators, ddos probe, ddos reflection, ddospot, decoy system, denial of service, denial-of-service attempt, device management, dhcp, dhcp attack, dhcp scanning, dictionary attack, dictionary_attack, digital ocean, digitalocean environment, dionaea, dionaea activity, dionaea attacks, dionaea honeypot, dionaea interactions, dionaea malware samples, dionaea payloads, distributed attacks, dns, dns attack, docker, elastic search attack, elasticpot honeypot, elasticsearch, elasticsearch brute force, elasticsearch monitoring, encryption, enterprise networking, enterprise security, enumeration, env-hunting, europe, executable file, exfiltration, exploit, exploit attempt, exploit attempts, exploit kit activity, exploit probing, exploit targeting, exploit_attempts, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploitation of vulnerability, exploitation_attempt, exploited host, external access attempts, external-scanning, external_threat, extortion, failed login attempts, fatt, fatt analysis, fatt detections, fatt signatures, file, fin scan, finance, financial services, financial technology, finland, france, fraud voip, ftp, ftp attack, ftp attacks, ftp brute force, ftp_protocol, galah, germany, glutton, gopot, hacking, hellpot, heralding activity, hk, hk abusehandler, honeynet connect, honeytrap activity, honeytrap data, honeytrap events, honeytrap exploit attempts, honeytrap honeypot, honeytrap interactions, hong kong, http attack, http brute force, http probe, http probing, http request anomalies, http scanner, http scanning, http/s, http_protocol, https, https probe, https scanning, hurricane us, icmp, ics, ics security, ics/scada attacks, identity & access exploitation, imap, imap attack, imap scanning, indicator, industrial control systems, information gathering, infrastructure acquisition reconnaissance, initial access, initial access activity, initial access attempt, initial access vector, initial-access, initial_access, injection activity, injection attacks, internet-facing, internet-facing service, internet-wide scan, intrusion detection, ioc, iocs, iot security, iot targeted, iot/ics attack, iot_attack, ip-address, ipp_protocol, ipphoney honeypot, ipv4, ipv4 scanning, ipv4 threats, ipv4_activity, japan, kazakhstan, kaznet, kibana, known malicious ip, lamp, lamp attack, lamp exploit attempt, lamp exploitation, lamp exploitation attempt, lamp exploitation attempts, lamp server attack, lamp server targeting, lamp stack, lamp stack attack, lamp stack targeting, lamp_stack_attack, lateral movement, lateral movement techniques, ldap, ldap attack, ldap brute force, linux malware, linux servers, linux systems, linux-server-attack, linux_server_attacks, log4pot, login attempt, mailoney activity, mailoney attacks, mailoney events, mailoney honeypot, mailoney interactions, malicious activity, malicious activity detected, malicious email, malicious file transfer, malicious ip activity, malicious login attempts, malicious network activity, malicious payload, malicious software, malicious traffic, malicious-login-attempts, malware, malware activity, malware analysis, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware detection, malware distribution, malware download, malware download attempts, malware propagation, malware_activity, malware_distribution_attempt, manual, masscan activity, medpot, memcache attack, memcached brute force, mobile threat, modbus attacks, mssql, mssql attack, mssql brute force, mysql brute force, network, network activity, network attacks, network device attacks, network device probing, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network mapping, network monitoring, network probing, network protocol, network reconnaissance, network scanning, network security, network service discovery, network service scanning, network services, network traffic analysis, network-attack, network-reconnaissance, network_device, network_discovery, network_reconnaissance, nginx, nmap scan detected, north america, ntp, ntp attack, ntp scanning, null scan, oceania, opportunistic attack, oracle, oracle attack, oracle brute force, os fingerprinting, p0f, p0f fingerprinting, p0f network fingerprinting, p0f os fingerprinting, p0f passive fingerprinting, p0f signatures, password attack, password attacks, password spraying, payment processing, perimeter security, pgp sign, phishing, phishing attack, phishing trap, php injection attempts, ping of death, poland, port-scan, port-scanning, portscan, possible botnet activity, possible exploit attempt, possible malware distribution, possible malware dropper, possible mirai variant, possible reconnaissance activity, possible vulnerability probing, postgresql brute force, potential botnet activity, potential exploit attempts, potential exploit targeting, potential intrusion, potential malicious activity, potential reconnaissance activity, potential vulnerability scan, privilege escalation, process injection, protocol exploitation, protocol-abuse, proxy, proxy access, ransomware, ransomware activity, rdp scanning, reconnaissance, reconnaissance activity, redis brute force, redis honeypot, remote access, remote code execution, remote services, remote_access_service, researched, resource hijacking, rtbh, s7comm attacks, scams & fraud, scan, scanner, scanner ips, scanners, scanning activity, scheduled task, scripting attacks, security operations, security policy, sensor-tagged, sentrypeer activity, sentrypeer botnet, sentrypeer detection, sentrypeer events, sentrypeer interactions, server exploitation, server security, service detection, service discovery, service enumeration, service probing, service scan, service scanning, sftp access attempt, sftp access attempts, sftp activity, sftp attack, sftp attacks, sftp attempt, sftp-attack, sftp_protocol, shell access, shell access attempt, sip attacks, sip brute force, sip scan, sip scanning, sip_protocol, sipp, slug, smb attacks, smb brute force, smb_protocol, smtp, smtp attacks, smtp brute force, smtp probing, smtp scanning, smtp_protocol, snare, social engineering, socks5, socks5 scanning, socradar honeypot, software exploitation, south africa, spam, sql injection, sql injection attempt, sql injection attempts, sql-injection, ssh, ssh attack, ssh attacks, ssh monitoring, ssh-brute-force, ssh_protocol, stealth scan, surface web, suricata alert, suricata alerts, syn, syn scan, system disruption, t-pot, t1005, t1016, t1018, t1020, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1021.006, t1027, t1033, t1040, t1041, t1046, t1047, t1048, t1053, t1053.005, t1055, t1056, t1059, t1059.001, t1059.003, t1059.004, t1059.005, t1059.007, t1065, t1068, t1071, t1071.001, t1072, t1076, t1077, t1078, t1078.001, t1078.002, t1078.004, t1083, t1087, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1136.001, t1187, t1189, t1190, t1195, t1199, t1203, t1204, t1204.002, t1210, t1486, t1490, t1496, t1499.001, t1499.002, t1499.003, t1505.002, t1505.004, t1550, t1550.002, t1550.003, t1555, t1555.003, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1572, t1573, t1573.001, t1583, t1583.001, t1583.002, t1587.001, t1588, t1588.002, t1588.006, t1589, t1590, t1590.001, t1590.004, t1590.006, t1592, t1592.002, t1595, t1595.001, t1595.002, t1595.003, tanner, tanner activity, tanner events, tanner exploits, tanner honeypot, tanner interactions, targeting database, tcp protocol, tcp scan, tcp-scanning, tcp/80, telecommunications, telnet scanning, telnet threat, telnet-brute-force, telnet_protocol, threat actor, threat actor activity, threat detection, threat feed, threat intelligence, threat intelligence feed, threat prevention, timeout, top10.txt, topips.txt, tor node, tpot, tpot ce, udp port scan, udp scan, udp-scanning, unattributed activity, unattributed threat actor, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized login, unauthorized login attempt, unauthorized-access-attempt, united states, unknown threat actor, us abuse, us none, us-ak, valid accounts, vnc protocol, vnc scanning, voidtrap, voip, voip attack, voip systems, vpn, vpn ip, vulnerability, vulnerability scan, vulnerability-scan, vultr, vultr cloud infrastructure, wealth management, web app attack, web application attack, web application attacks, web application scan, web application scanning, web attack, web attacks, web exploit attempt, web exploitation, web exploits, web login attempt, web scanner, web server attacks, web server probing, web servers, web service scanning, web shell, web shell detection, web shell upload, web shell uploads, web spam, web traffic, web-application-attack, web-attack, web_application, web_application_attack, web_attack, web_server, wget, windows malware, wordpot, xmas scan, za
Activity Timeline
Most recent activity: Jun 17 (heatmap peak 2026-06-17)
Sightings by window: 24h: 0 (Dormant) · 7d: 1 (Minimal) · 30d: 1 (Minimal) · 3mo: 1 (Minimal)
Threat Score: 58 (Medium Risk)
Signal Score: 58
Confidence: 58%
Reports: 23
First seen: Apr 9, 2024
Last seen: Jun 17, 2026
Geolocation: ZA
Country: South Africa
Location: Bloemfontein, Free State
ASN: AS137951
Org: Free State Education Department
Coords: -29.0000, 24.0000 (whole-degree values, consistent with a country-level centroid rather than a city-level fix; the city comes from the registry address, not from geolocation)
Categories: Proxy, VPN
VirusTotal
Not checked
WHOIS
- feed description
- IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
- raw (AFRINIC record, one attribute per line)
inetnum: 168.76.0.0 - 168.76.255.255
netname: FRENET
descr: Free State Education Department
descr: P.O. Box 521
descr: Bloemfontein
descr: 9300
country: ZA
org: ORG-FSED1-AFRINIC
admin-c: PHD-AFRINIC
tech-c: PHD-AFRINIC
status: ASSIGNED PI
mnt-by: AFRINIC-HM-MNT
mnt-lower: TF-168-76-MNT
source: AFRINIC # Filtered
parent: 0.0.0.0 - 255.255.255.255

organisation: ORG-FSED1-AFRINIC
org-name: Free State Education Department
org-type: LIR
country: ZA
address: P.O. Box 521
address: Bloemfontein
address: 9300
address: ZA
admin-c: PHD-AFRINIC
tech-c: PHD-AFRINIC
mnt-ref: AFRINIC-HM-MNT
mnt-by: AFRINIC-HM-MNT
source: AFRINIC # Filtered

person: Hannes Du Plooy
address: Orange Free State Dept of Education
address: PO Box 521
address: Bloemfontein 9300
address: ZA
phone: tel:+27-51-407-4054
nic-hdl: PHD-AFRINIC
mnt-by: GENERATED-JLUEGZNF4DVRRWEI0IAWQV2ZWKMFMGXH-MNT
source: AFRINIC # Filtered

route: 168.76.0.0/16
descr: Freenet
origin: AS18013
mnt-by: TF-168-76-MNT
source: AFRINIC # Filtered
- notes
- The route object registers origin AS18013 for 168.76.0.0/16, while the geolocation panel above reports AS137951; confirm the current BGP origin before attributing the address to either network.
- The contact object still uses the pre-1995 name "Orange Free State Dept of Education", so the registry record, and with it the abuse contact, may be stale.
- The address is a single host inside a /16 provisioned as ASSIGNED PI to a provincial education department; block or alert on the /32, not the range.
- references
- https://github.com/telekom-security/tpotce
- https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt
- https://list.rtbh.com.tr/output.txt
- https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt
- https://threats.kz
- ip.src.txt
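Added example, not part of this page or of any feed listed on it: a small Python parser for the flattened AFRINIC record above, which splits the one-line "key: value key: value" stream back into RPSL objects, confirms the indicator falls inside the registered inetnum, and checks whether the route object's origin ASN agrees with the ASN shown in the geolocation panel. The record text is copied from the page and the panel ASN is the AS137951 shown above; the list of RPSL object classes used to detect object boundaries is my assumption covering the common AFRINIC object types.

```python
"""Parse a flattened AFRINIC/RPSL WHOIS record and cross-check it against the
ASN and IP shown elsewhere on an indicator page. Added example code."""
import ipaddress
import re

# Record text as the page flattens it onto one line (copied, not constructed).
RAW_WHOIS = (
    "inetnum: 168.76.0.0 - 168.76.255.255 netname: FRENET "
    "descr: Free State Education Department descr: P.O. Box 521 descr: Bloemfontein "
    "descr: 9300 country: ZA org: ORG-FSED1-AFRINIC admin-c: PHD-AFRINIC "
    "tech-c: PHD-AFRINIC status: ASSIGNED PI mnt-by: AFRINIC-HM-MNT "
    "mnt-lower: TF-168-76-MNT source: AFRINIC # Filtered "
    "parent: 0.0.0.0 - 255.255.255.255 "
    "organisation: ORG-FSED1-AFRINIC org-name: Free State Education Department "
    "org-type: LIR country: ZA address: P.O. Box 521 address: Bloemfontein "
    "address: 9300 address: ZA admin-c: PHD-AFRINIC tech-c: PHD-AFRINIC "
    "mnt-ref: AFRINIC-HM-MNT mnt-by: AFRINIC-HM-MNT source: AFRINIC # Filtered "
    "person: Hannes Du Plooy address: Orange Free State Dept of Education "
    "address: PO Box 521 address: Bloemfontein 9300 address: ZA "
    "phone: tel:+27-51-407-4054 nic-hdl: PHD-AFRINIC "
    "mnt-by: GENERATED-JLUEGZNF4DVRRWEI0IAWQV2ZWKMFMGXH-MNT source: AFRINIC # Filtered "
    "route: 168.76.0.0/16 descr: Freenet origin: AS18013 mnt-by: TF-168-76-MNT "
    "source: AFRINIC # Filtered"
)

# Assumed set of RPSL object classes: an attribute with one of these keys
# opens a new object. Covers the common AFRINIC types, not the whole schema.
CLASS_KEYS = {"inetnum", "inet6num", "organisation", "person", "role",
              "route", "route6", "aut-num", "mntner", "domain"}

# "key: value" pairs. A key must be preceded by whitespace (or start of text)
# and followed by ": " so that "tel:+27..." inside a value is not split.
ATTR_RE = re.compile(
    r"(?:^|\s)([a-z][a-z0-9-]*):\s+(.*?)(?=\s[a-z][a-z0-9-]*:\s|$)", re.S)


def parse_rpsl(text):
    """Return a list of objects; each is a dict mapping key -> list of values."""
    objects, current = [], None
    for key, value in ATTR_RE.findall(text):
        value = value.split(" # ")[0].strip()   # drop "# Filtered" comments
        if key in CLASS_KEYS or current is None:
            current = {}
            objects.append(current)
        current.setdefault(key, []).append(value)
    return objects


def objects_of(objects, cls):
    """Objects whose class attribute is cls (e.g. 'route')."""
    return [o for o in objects if cls in o]


def inetnum_contains(objects, ip):
    """True if ip lies inside any inetnum range in the record."""
    addr = ipaddress.ip_address(ip)
    for obj in objects_of(objects, "inetnum"):
        lo, hi = (ipaddress.ip_address(p.strip())
                  for p in obj["inetnum"][0].split("-"))
        if lo <= addr <= hi:
            return True
    return False


def route_origins(objects):
    """Set of origin ASNs declared by route objects, e.g. {'AS18013'}."""
    return {asn for obj in objects_of(objects, "route")
            for asn in obj.get("origin", [])}


def asn_consistent(objects, panel_asn):
    """Does the ASN from the enrichment panel appear as a registered route origin?"""
    return panel_asn.upper() in route_origins(objects)


if __name__ == "__main__":
    objs = parse_rpsl(RAW_WHOIS)
    print(len(objs), "objects:", [next(iter(o)) for o in objs])
    print("168.76.20.229 in inetnum:", inetnum_contains(objs, "168.76.20.229"))
    print("route origins:", route_origins(objs))
    print("panel ASN AS137951 is a route origin:", asn_consistent(objs, "AS137951"))
```

Running it reports four objects (inetnum, organisation, person, route), confirms 168.76.20.229 is inside 168.76.0.0 - 168.76.255.255, and flags that AS137951 is not the registered origin (the route object says AS18013), which is the discrepancy to resolve against live BGP data before attributing the address.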
IOC Journey
Medium · First detected 2 years ago · Last seen 5 days ago
Appeared in 23 threat reports