IOC Radar
IP · Medium · Signal 100/100

172.104.138.223

Location
Germany
Frankfurt am Main, HE
ASN
AS63949
Linode
First Seen
Jun 17, 2021 (1834d ago)
Last Seen
Jan 28, 2026 (148d ago)
Reports
27 source reports
Confidence
99% (medium)
Found in 27 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
99%
Signal Score
100 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK

MITRE ATT&CK TTPs

76 techniques

Network Information

Country: Germany (DE)
Region: Frankfurt am Main, HE
ASN: AS63949
Organization: Linode

Feed Intelligence Summary

27 source reports · 99% confidence score
Category tags
abuse, account discovery, ack, ack scan, active scanning, application layer protocol, attack, authentication, authentication attack, authentication attempts, authentication failure, auto-generated security, bad web bot, banking, banner grabbing attempt, botnet, brute force, brute force attack, c2, cert, civil services, command and control, common password attacks, communication protocol, connect scan, credential access, credential bruteforcing, credential harvesting, credential stuffing, credit card services, data encryption, data exfiltration, database attacks, database security, ddos, ddos attack, ddos attempt, de, decoy system, denial of service, dictionary attack, directory traversal probe, distributed attacks, enumeration, enumeration activity, europe, exploit attempt, exploit probing, exploitation, exploited host, external network scan, external scan, fin, fin port scan, fin scan, finance, financial services, financial technology, firewall detection, firewall evasion, ftp, ftp brute force, germany, government technology, http brute force, http scanner, http scanning, https, https scanning, icmp, ids evasion, imap, imap brute force, indicator, information gathering, information technology, infrastructure acquisition reconnaissance, initial access, injection attacks, internal scan, intrusion detection, invalid login attempts, it infrastructure, kfsensor honeypot, lateral movement, login attempt, maimon scan, malicious activity, malicious software, malicious traffic, malware, malware capture, manual, mass port scan, mass port scanning, mass scanning, mass scanning activity, masscan activity, network, network attacks, network discovery, network enumeration, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network mapping, network port scanning, network probe, network probing, network protocol, network reconnaissance, network scan, network scanning, network security, network service scanning, nmap, nmap scan detected, north america, null port scan, null scan, open port detection, open port discovery, open port identification, open ports, os credential dumping, os detection, os fingerprinting, password attack, password attacks, password cracking, password spraying, payment processing, phishing attack, pop3 brute force, possible malware probing, possible reconnaissance, possible reconnaissance activity, possible vulnerability probing, possible vulnerability scan, potential compromise, potential exploit targeting, potential intrusion, potential intrusion attempt, potential reconnaissance activity, potential threat, potential threat activity, potential vulnerability assessment, potential vulnerability exploitation, potential vulnerability probing, process injection, protocol exploitation, public administration, public infrastructure, public policy, reconnaissance, reconnaissance activity, regulatory agencies, remote access, remote access attempts, remote services, researched, rtbh, scan, scanner, scanning activity, scripting attacks, security event, self-signed, service detection, service discovery, service enumeration, service version detection, smb brute force, smb scanning, smtp, smtp brute force, social engineering, socradar, software development, sql injection attempt, sql injection probe, ssh attack, stealth, stealth scan, stealth scan techniques, stealthmode_scanopticon-benign, suspected malicious activity, syn, syn port scan, syn scan, system discovery, t1003, t1016, t1016.001, t1018, t1021, t1021.001, t1021.002, t1021.003, t1040, t1046, t1047, t1048, t1053, t1055, t1057, t1059, t1059.001, t1059.003, t1059.004, t1059.005, t1059.006, t1059.007, t1065, t1068, t1071, t1071.001, t1076, t1077, t1078, t1078.002, t1078.003, t1078.004, t1083, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1134, t1187, t1189, t1190, t1203, t1204, t1210, t1213, t1486, t1496, t1499.001, t1499.002, t1499.003, t1539, t1562, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1583, t1583.001, t1587.001, t1588, t1588.002, t1589, t1589.001, t1589.002, t1590, t1590.001, t1590.002, t1592, t1595, t1595.001, t1595.002, t1595.003, targeted scan, tcp protocol, tcp scan, tcp scanning, telnet threat, threat actor, threat intelligence, tor, tsec, udp port scan, udp scan, unauthorized access, unauthorized access attempt, unauthorized activity, unauthorized scanning, united states, verified-benign, version detection, weak password attack, wealth management, web application attack, web attack, web exploitation, web scanner, web traffic, window scan, xmas, xmas port scan, xmas scan

Activity Timeline

1 total observation (Jan 28 – Jan 28)

Threat Activity Heatmap

[Heatmap figure: activity by weekday (Mon / Wed / Fri rows) across monthly columns Jun through Jun · Peak: 2026-01-28]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 0 (Dormant)
3mo: 0 (Dormant)
Threat Score: High Risk (100)
Signal Score: 100
Confidence: 99%
Reports: 27
First seen: Jun 17, 2021
Last seen: Jan 28, 2026
Geolocation: DE
Country: Germany
Location: Frankfurt am Main, HE
ASN: AS63949
Org: Linode
Coords: 50.1188, 8.6843

VirusTotal

Not checked

WHOIS

Description
HoneyNet Event: 172.104.138.223 connected: 6 times over ports: 13463 Tags: P0f, Honeytrap, Suricata,13463

Raw
inetnum: 172.103.96.0 - 172.127.255.255
netname: NON-RIPE-NCC-MANAGED-ADDRESS-BLOCK
descr: IPv4 address block not managed by the RIPE NCC
remarks: ------------------------------------------------------
remarks:
remarks: For registration information,
remarks: you can consult the following sources:
remarks:
remarks: IANA
remarks: http://www.iana.org/assignments/ipv4-address-space
remarks: http://www.iana.org/assignments/iana-ipv4-special-registry
remarks: http://www.iana.org/assignments/ipv4-recovered-address-space
remarks:
remarks: AFRINIC (Africa)
remarks: http://www.afrinic.net/ whois.afrinic.net
remarks:
remarks: APNIC (Asia Pacific)
remarks: http://www.apnic.net/ whois.apnic.net
remarks:
remarks: ARIN (Northern America)
remarks: http://www.arin.net/ whois.arin.net
remarks:
remarks: LACNIC (Latin America and the Carribean)
remarks: http://www.lacnic.net/ whois.lacnic.net
remarks:
remarks: ------------------------------------------------------
country: EU # Country is really world wide
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
status: ALLOCATED UNSPECIFIED
mnt-by: RIPE-NCC-HM-MNT
created: 2022-11-02T13:54:24Z
last-modified: 2022-11-02T13:54:24Z
source: RIPE

role: Internet Assigned Numbers Authority
address: see http://www.iana.org.
admin-c: IANA1-RIPE
tech-c: IANA1-RIPE
nic-hdl: IANA1-RIPE
remarks: For more information on IANA services
remarks: go to IANA web site at http://www.iana.org.
mnt-by: RIPE-NCC-MNT
created: 1970-01-01T00:00:00Z
last-modified: 2001-09-22T09:31:27Z
source: RIPE # Filtered

References
https://www.virustotal.com/gui/collection/789999053bd7022e2d79a887a5f959be573ce57d6c4f3165503438fbd5dd9ad5/graph
https://list.rtbh.com.tr/output.txt
https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt
http://cinsscore.com/list/ci-badguys.txt
https://github.com/telekom-security/tpotce

IOC Journey

medium
First detected 5 years ago · Last seen 4 months ago
Appeared in 27 threat reports