IP · Medium · Signal 70/100
185.247.137.121
Location
Manchester, Bursa
ASN
AS211298
Constantine Cybersecurity LTD
First Seen
Dec 14, 2024
Last Seen
May 31, 2026
Found in 30 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
70%
Signal Score
70 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United Kingdom
Region
Manchester, Bursa
ASN
AS211298
Organization
Constantine Cybersecurity LTD
IP Category
VPN
VPN exit node
Feed Intelligence Summary
30 reports · 70% confidence
30
Source reports
70%
Confidence score
Category tags
Activity Timeline
May 31
Threat Activity Heatmap
Peak: 2026-05-31
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Threat Score
High Risk
70
SIGNAL
Signal Score
70%
Confidence
30
Reports
First seen
Dec 14, 2024
Last seen
May 31, 2026
Geolocation
GB
Country
United Kingdom
Location
Manchester, Bursa
ASN
AS211298
Org
Constantine Cybersecurity LTD
Coords
40.2024, 29.0398
VPN
VirusTotal
Not checked
WHOIS
- description
- Score: 85/100. Labels: abuseipdb:brute-force, abuseipdb:critical, abuseipdb:ddos, abuseipdb:exploited-host, abuseipdb:ftp-brute, abuseipdb:hacking. 185.247.137.121 classified as automated brute-force attacker targeting SSH/Telnet credentials (high confidence). Origin: enriched. Listed on: FireHOL (firehol_level2); AbuseIPDB (brute-force, critical, ddos).
- raw
  inetnum: 185.247.137.0 - 185.247.137.127
  netname: DRIFTNET-IPV4-E
  remarks: +-----------------------------------------------------------
  remarks: | This IP range is not attacking your network.
  remarks: | Visit https://internet-measurement.com for more details.
  remarks: | View data collected at https://driftnet.io.
  remarks: +-----------------------------------------------------------
  country: GB
  admin-c: DH9005-RIPE
  tech-c: DH9005-RIPE
  abuse-c: DH9005-RIPE
  status: LIR-PARTITIONED PA
  mnt-by: lir-uk-driftnet-1-MNT
  created: 2024-11-27T15:39:03Z
  last-modified: 2024-12-09T15:47:02Z
  source: RIPE # Filtered

  role: Driftnet Hostmaster
  address: Unit 72465, PO Box 6945
  address: W1A 6US
  address: London
  address: UNITED KINGDOM
  phone: +442037450350
  abuse-mailbox: [email protected]
  nic-hdl: DH9005-RIPE
  mnt-by: lir-uk-driftnet-1-MNT
  created: 2024-10-30T18:00:18Z
  last-modified: 2024-10-31T10:49:52Z
  source: RIPE # Filtered

  route: 185.247.137.0/24
  origin: AS211298
  mnt-by: lir-uk-driftnet-1-MNT
  created: 2024-11-27T15:33:43Z
  last-modified: 2024-11-28T11:34:21Z
  source: RIPE
- references
- https://github.com/telekom-security/tpotce, https://malware-filter.gitlab.io/malware-filter/botnet-filter.txt, https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt, https://blocklist.greensnow.co/greensnow.txt, https://www.binarydefense.com/banlist.txt, https://lists.blocklist.de/lists/all.txt, https://rules.emergingthreats.net/blockrules/compromised-ips.txt
IOC Journey
medium · First detected 1 year ago · Last seen 15 days ago
Appeared in 30 threat reports