IP 205.210.31.94 · Medium · Signal 58/100
Location: Santa Clara, California
ASN: AS396982 (Palo Alto Networks, Inc)
First seen: Apr 17, 2023
Last seen: Jun 19, 2026
Found in 35 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 address: network-layer indicator observed in threat reports.
MISP category: Network Activity
Confidence: 58%
Signal score: 58 / 100
IDS rule: no
Network Information
Country: United States
Region: Santa Clara, California
ASN: AS396982
Organization: Palo Alto Networks, Inc
IP category: Proxy (proxy server)
Feed Intelligence Summary
Source reports: 35
Confidence score: 58%
Category tags (the union of tags from all 35 source reports, exported as one run-together string; note that it contains "verified-benign" and "paloaltonetwors_com-benign" alongside the scanning, brute-force and C2 tags, so the tag set alone does not establish that this address is hostile):
29 ip addresses30 ip addresses36 ip addresses43 ip addresses45 ip addresses47 ip addresses50 ip addresses50_iocsabuseabused ssl certificateabuseipdbaccessaccess attemptsaccess controlaccount compromiseaccount discoveryaccount securityack scanactive reconnaissanceactive scanactive scanningadbadb attacksadb exploitadb protocoladb scanadbhoney activityadbhoney exploitationadbhoney honeypotadbhoney interactionsadministrative accessafricaaisurualibaba cloudalibaba cloud hostingalienvault_ransomwareamerican expressand de ipsand exploitation attemptsandroid devicesanomalous activityanomalous behavioranomalous ipanomalous network activityanomalous trafficanomaly detectionapacheapache attackerapplication layer attacksapplication layer protocolapplication scanningapplication_layer_protocolaptapt activityapt simulationargentinaas path poisoningasaasiaasyncratasyncrat activity detectedatif feedattackattack originattack origin brazilattack origin usaattack preparatoryattack sourceattack source: brazilattack source: germanyattack surface discoveryattacker ipsattacker-ipaustraliaaustriaauthenticationauthentication abuseauthentication attackauthentication attacksauthentication attemptauthentication attemptsauthentication failureauthentication_failuresauto blockedauto blocked ipauto blocked ipsauto-blockedauto-blocked ipauto-blocked ipsauto-generatedauto-generated securityautomated analysisautomated attackautomated attacksautomated blockingautomated enumerationautomated executionautomated mitigationautomated reconnaissance activityautomated scanautomated scanningautomated threatautomated threat responseautomated-attackautomated_attackaverage bde: 80azerbaijanbad actor scorebad reputationbad web botbangladeshbanlist feedbde 80bde 80+bde 81bde scorebde score 80bde score 80+bde score 81bde score 82bde score alertbde score analysisbde score assessmentbde score highbde score: 80bde score: highbde: 80bde:80bde_scorebde_score_80beaconbeaconing activitybehavioral analysisbelgiumbgpbinary 
defenseblacklist candidateblacklist ipblacklisted ipblacklisted ipsblock listblockedblocked ipsblocklist updateblocklist_allblog spambolivarian republic ofbotnetbotnet activitybr activitybr ip addressbr ip addressesbr originbrasilbrazilbrazil infrastructurebrazil ipbrazil ip addressesbrazil ipsbrazil originbrazil originating ipbrazil originating trafficbrazil trafficbrazil_originbrazilian ipsbrute forcebrute force attackbrute force attackerbrute force attacksbrute force attemptbrute force attemptsbrute force detectionbrute force potentialbrute force targetbrute-forcebrute-force attackbrute-force-attackbrute_forcebrute_force_attackbrute_force_attemptbrute_force_attemptsbruteforcebulgariac2c2 activityc2 channelc2 channelsc2 communicationc2 communication detectedc2 communicationsc2 frameworkc2 indicatorsc2 infrastructurec2 serverc2 trafficca ipca ip addressca ip addressesca ipsca origincambodiacanadacanada ipcanada ip addresscanada ip addressescanada ipscanada origincanada originating activitycanada originating attackscanada originating ipcanada originating ipscanada-based threatscanadian ipcanadian ipscanadian origin ipschilechinachina ip addresschina ip addresseschina ipschina mobilechina originchina originating activitychina originating ipchina originating ipschina-based activitychina-based ipschina-based threatschinese ipchinese ip addresscisco asacisco attackcisco devicecisco device attackcisco device attackscisco device targetingcisco exploit attemptcisco exploit attemptscisco exploitationcisco exploitation attemptcisco exploitation attemptscitrix brute forcecitrix exploitation attemptcitrix exploitation attemptscitrix securityclearfake c2clearfake c2 activityclearfake phishing campaignclient execution vulnerabilitiesclosecloud environmentcloud infrastructurecloud infrastructure attackcloud providercloud service ipscloud servicescobaltcobalt groupcobalt strikecobalt strike detectioncode executioncolumnscommand & controlcommand and controlcommand executioncommand 
injectioncommand injection attemptcommand-line interfacecommon attack vectorscommunication channelcommunication controlcommunication protocolcommunication protocolscommunication technologiescommunity managementcompany limitedcompromise assessmentcompromise assessment requiredcompromise attemptcompromise indicatorscompromised credentialscompromised credentials attemptcompromised hostcompromised host communicationcompromised host detectioncompromised hostscompromised hosts indicatorscompromised infrastructurecompromised infrastructure activitycompromised systemcompromised systemscompromised websitescompromised_infrastructureconnectconnect scanconnected devicesconnection anomalyconnection attemptsconnection proxyconnection refusedconpotconpot activityconpot attackconpot exploitationconpot honeypotconpot ics attacksconpot ics exploitationconpot interactionconpot interactionscontainer securitycontent sharingcoordinated attackcore network compromisecosta ricacowriecowrie activitycowrie attackcowrie attackscowrie capturecowrie datacowrie detectedcowrie emulationcowrie honeypotcowrie honeypot detectioncowrie interactioncowrie interactionscowrie login attemptscowrie logscowrie ssh attackcowrie ssh attackscowrie ssh honeypotcredential accesscredential attackcredential attackscredential brute forcecredential brute forcingcredential brute-forcingcredential compromisecredential dumpingcredential guessingcredential harvestingcredential stealercredential stuffingcredential theftcredential-accesscredential-attackcredential-stuffingcredential_accesscredential_stuffingcredentialaccesscurlcvedanish ipsdata center ipsdata communicationdata encodingdata encryptiondata exfiltrationdata exfiltration attemptdata exfiltration attemptsdata exfiltration potentialdata harvesting attemptsdata interceptiondata serializationdata store exposuredata theftdata transferdatabase attackdatabase attacksdatabase brute forcedatabase exploitationdatabase exploitation attemptsdatabase intrusion 
attemptdatabase login attemptdatabase probingdatabase scandatabase securitydatabase serversdcerpcdcom exploitationddosddos activityddos attackddos attack activityddos attacksddos attemptddos prepddos preparationddos probeddos probingddospotde activityde ipde ip addressde ip addressesde ipsde originde originating ipdecoy systemdefense evasiondeimosc2deimosc2 communication detecteddenial of servicedenial-of-servicedenmarkdenmark ipdenmark ip addressdenmark ip addressesdenmark ipsdenmark origindenmark origin ipsdenmark originating activitydenmark originating attacksdenmark originating ipdenmark originating ipsdenmark-based threatsdevice managementdictionary attackdigital oceandigital platformsdigitalocean ipdigitalocean ipsdigitalocean platformdionaeadionaea activitydionaea attackdionaea attacksdionaea capturedionaea detecteddionaea honeypotdionaea interactionsdionaea malware analysisdionaea malware collectiondionaea malware samplesdionaea payloadsdirectory traversaldirectory traversal attemptdiscovery phasedistributed attackdistributed attack patterndistributed attack sourcedistributed attacksdistributed infrastructuredk ipdk ip addressesdk ipsdk origindll injectiondnp3dnsdns attackdockerdominican republicdosdrive-by compromisedropperdugganusa threat inteldugganusa threat intelligenceedge communicationelasticpot activityelasticpot attackselasticpot detectedelasticpot honeypotelasticsearchelasticsearch monitoringemailemailattackemerging threatemerging threat actoremerging threatsencryptionenhanced detection measuresenterprise networkingenterprise securityenumerationethernet/ipeu cyber policieseuropeeurope/asiaevasion tacticsevolving tacticsexfiltrationexploitexploit attemptexploit attemptsexploit kitexploit kit activityexploit probingexploit public-facing applicationexploit targetingexploitationexploitation activityexploitation attemptexploitation attemptsexploitation of privilegeexploitation of vulnerabilityexploited hostexternal access attemptsexternal 
attackexternal communicationexternal networkexternal reconnaissanceexternal remote servicesexternal scanexternal scanningexternal servicesexternal threatexternal threat actorexternal-threatexternal_threatextortionfail2ban alertfailed login attemptsfailed loginsfattfatt analysisfatt detectionsfatt signaturesfilefinfin port scanfin scanfinlandfrancefraud voipftpftp attackftp attacksftp brute forceftp brute-forceftp scanftp scanningftp_bruteforcegalahgeckogeneric exploitgeo-distributed activitygeo-distributed attackgeo-distributed attacksgeo-located ipsgeo-locationgeographic anomalygeographic blockinggeographic distributiongeographic diversitygeographic locationgeographic origingeographic sourcegeographic source: canadageographic source: denmarkgeographic source: germanygeographic source: romaniageographic source: singaporegeographic source: usgeographic targetinggeographic threat sourcegeographical spreadgeographically dispersed attackgeographically distributedgeographically diversegeographically diverse attacksgeographically diverse ipsgeographically diverse threatsgeoipgeolocated attackgeolocated attack sourcegeolocated attacksgerman-based threat actorgermanygermany-based activitygermany-based ipsgermany-based threatsgermany_originghost ratgithubglobal distributionglobal threat activityglobal threat landscapegluttongopotgroupshackinghellohellpotheralding activityheralding attacksheralding probeshigh abuse scorehigh activity levelhigh bdehigh bde indicatorhigh bde scorehigh confidencehigh confidence detectionhigh confidence indicatorshigh confidence threathigh riskhigh risk indicatorhigh risk iphigh risk ipshigh risk scorehigh severityhigh suspicionhigh threat levelhigh threat likelihoodhigh threat potentialhigh threat scorehk abusehandlerhk ip addresseshoneynet connecthoneypot datahoneytrap activityhoneytrap datahoneytrap eventshoneytrap exploit attemptshoneytrap honeypothoneytrap interactionshong konghong kong ipshong kong-based ipshttp attackhttp brute forcehttp 
probehttp probinghttp scanhttp scannerhttp scanninghttp/shttp_bruteforcehttpshttps probehttps scanninghuaweiicelandicmpics attacksics securityics/scadaics/scada attackics/scada attacksics/scada systemsidentity & access exploitationimapimap attackinbound scaninbound trafficindiaindicatorindicators of compromiseindonesiaindustrial control systemsindustrial iotinfiltrationinformation gatheringinformation stealerinformation technologyinfostealerinfrastructure acquisitionreconnaissanceinfrastructure reconnaissanceinfrastructure scanninginfrastructure targetinginitial accessinitial access activityinitial access attemptinitial access attemptsinitial_access_attemptinjection activityinjection attacksinput captureintel macinter-as route manipulationinternal scaninternet facing systemsinternet of thingsinternet-facinginternet-facing assetsinternet-facing serviceinternet-scanninginternet-wide scaninternet_scanintrusion attemptintrusion detectioninvalid credentialsiociocsiocs presentiocs: 29 ipsiocs: 34 ipsiocs: 39 ipsiocs: 50 ipsiocs: ip addressiocs: ip addressesiocs:ipiot analyticsiot applicationsiot attackiot attacksiot botnetiot device targetingiot exploit attemptsiot exploitationiot platformsiot securityiot systemsiot targetediot/ics attackip-addressesip-based threatip-onlyipmi scanipphoney honeypotipv4ipv4 activityipv4 addressesipv4 attacksipv4 port scanningipv4 scanningipv4 threatsipv4-iocipv4-scanningipv4_addressipv6iraqirelandisraelit infrastructureitalyjamaicajapanjarm fingerprintskenyakhtmlkibanaknown attack vectorsknown malicious ipknown malicious ipskoreakorea, republic ofkyrgyzstanlamplamp attacklamp attackslamp exploitlamp exploit attemptlamp exploit attemptslamp exploitationlamp exploitation attemptslamp server attacklamp server targetlamp stacklamp stack attacklamp stack exploitationlamp stack targetedlamp stack targetinglamp vulnerability exploitationlamp vulnerability scanlateral movementlateral movement detectionlateral movement potentiallateral movement 
techniqueslateral network movementlateral spreadlateral_movement_reconnaissancelcialebanonliechtensteinlinuxlinux malwarelinux serverslinux system targetinglinux systemslinux x8664linux-server-attacklinux_server_attackslithuanialoaderlog analysislog4potloginlogin attacklogin attackslogin attemptlogin attemptslogin brute forcelogin failurelogin_attemptlte triallumma stealermail protocol abusemailoney activitymailoney attackmailoney attacksmailoney email attacksmailoney eventsmailoney honeypotmailoney interactionsmalaysiamalicious activitymalicious activity detectedmalicious activity detectionmalicious adb activitymalicious code detectionmalicious communicationmalicious domainmalicious domainsmalicious emailmalicious email activitymalicious file transfermalicious hashmalicious hostmalicious hostingmalicious hosting providermalicious indicatorsmalicious infrastructuremalicious ip activitymalicious ip addressesmalicious ip detectedmalicious ip listmalicious ipsmalicious ipv4malicious ispmalicious linksmalicious login attemptsmalicious network activitymalicious network communicationmalicious network trafficmalicious payloadmalicious payload attemptmalicious payload detectionmalicious powershell activitymalicious python scriptsmalicious scanmalicious sftp activitymalicious sip activitymalicious softwaremalicious sourcemalicious ssh activitymalicious sslmalicious trafficmalicious-activitymalicious-login-attemptsmalicious-scanmalicious-trafficmalicious_activitymalicious_ipmalwaremalware activitymalware analysismalware attemptmalware beaconingmalware behaviourmalware c2malware c2 communicationmalware campaignmalware capturemalware commandmalware communicationmalware deliverymalware delivery attemptmalware detectionmalware distributionmalware distribution attemptmalware distribution attemptsmalware distribution potentialmalware downloadmalware download attemptmalware download attemptsmalware familymalware frameworksmalware hostingmalware indicatorsmalware infection 
indicatorsmalware landingmalware payloadmalware propagationmalware relatedmalware related activitymalware scanningmalware trafficmalware_activitymalware_indicatorsmalware_propagationmanualmass-scanningmasscanmedpotmelbourne regionmeterpretermeterpreter frameworkmexicomicrosoft technologiesmirai botnetmobilemobile carriersmobile networksmobile securitymobile threatmodbusmodbus protocolmongoliamonthlymoroccomssqlmulti-country activitymulti-country attackmulti-country originmulti-location attackmulti-national activitymulti-national attackmulti-national originmulti-national source ipsmulti-originating ipsmulti-protocol network scanningmulti-regionmulti-region activitymulti-regionalmulti-regional originmultiple countriesmultiple countries affectedmultiple countries originmultiple countries: usmultiple failed loginsmultiple geographic locationsmultiple geographic originsmultiple geolocationmultiple geolocation originsmultiple geolocation sourcesmultiple ip originsmultiple login failuresmultiple origin countriesmultiple originsmultiple regionsmysql brute forcenation-state activitynepalnetherlandsnetworknetwork activitynetwork analysisnetwork anomaliesnetwork anomalynetwork anomaly detectionnetwork attacksnetwork behaviornetwork behavior analysisnetwork communicationnetwork communication anomaliesnetwork compromisenetwork device attacksnetwork devicesnetwork discoverynetwork enumerationnetwork exploitationnetwork infrastructurenetwork infrastructure attacknetwork intrusionnetwork intrusion activitynetwork intrusion attemptnetwork intrusion attemptsnetwork intrusion detectionnetwork intrusionsnetwork intrusions detectednetwork mappingnetwork monitoringnetwork monitoring requirednetwork probenetwork probingnetwork protocolnetwork reconnaissancenetwork reconnaissance activitynetwork reconnaissance detectednetwork scannetwork scanningnetwork scanning activitynetwork securitynetwork security monitoringnetwork service discoverynetwork service scanningnetwork service 
targetingnetwork servicesnetwork threatnetwork threat activitynetwork trafficnetwork traffic analysisnetwork-based attack attemptsnetwork-devicesnetwork-discoverynetwork-intrusionnetwork-reconnaissancenetwork_activitynetwork_discoverynetwork_enumerationnetwork_intrusionnetwork_reconnetwork_reconnaissancenetwork_scannetwork_scanningnetwork_services_attacknetwork_traffic_analysisnetworkscanningnew zealandnigerianmapno c2 detectedno c2 frameworkno known c2north americanorwaynull port scannull scanoceaniaopen port detectionopen port discoveryopen portsopen proxyopen_port_discoveryoperating systemoperating system securityopportunistic attacksopportunistic threatoriginating countries: bros credential dumpingos detectionos fingerprintingos xot attacksotx pulseoutbound connectionsoutbound trafficp0fp0f network fingerprintingp0f os fingerprintingp0f passive fingerprintingp0f signaturespaloaltonetwors_com-benignpanamaparaguaypassword attackpassword attackspassword sprayingpassword-guessingpassword_guessingperimeter securitypersistence mechanismspgp signphilippinesphishingphishing attackphishing campaignphishing potentialphishing trapphp injection attemptsping of deathplay ransomwarepolandpop3 attackport-scanport-scanningportscanpossible attack originpossible backdoor activitypossible botnetpossible botnet activitypossible brute forcepossible c2possible c2 activitypossible c2 communicationpossible compromisepossible coordinated attackpossible credential accesspossible credential compromisepossible data exfiltrationpossible exfiltrationpossible exploit attemptpossible exploit attemptspossible exploitationpossible infectionpossible initial accesspossible intrusionpossible lateral movementpossible malicious activitypossible malwarepossible malware activitypossible malware beaconingpossible malware distributionpossible malware dropperpossible malware infectionpossible malware probingpossible malware propagationpossible mirai variantpossible phishing activitypossible port 
scanningpossible reconnaissancepossible threat actorpossible threat actorspossible vulnerability probingpossible vulnerability scanningpost exploitationpost-exploitationpost-exploitation activitypotential adversarial activitypotential apt activitypotential attack originpotential botnetpotential botnet activitypotential brute forcepotential c2potential c2 activitypotential compromisepotential coordinationpotential credential accesspotential credential compromisepotential data breachpotential data exfiltrationpotential evasion tacticspotential exploitpotential exploit activitypotential exploit attemptspotential exploitationpotential infiltrationpotential initial accesspotential intrusionpotential intrusion activitypotential intrusion attemptpotential lateral movementpotential malicious activitypotential malwarepotential malware activitypotential malware c2potential malware communicationpotential malware deliverypotential malware deploymentpotential malware distributionpotential malware infectionpotential network compromisepotential network intrusionpotential network reconnaissancepotential port scanningpotential reconnaissancepotential reconnaissance activitypotential remote accesspotential state-sponsored threatpotential threatpotential threat activitypotential threat actorpotential threat actorspotential vulnerability assessmentpotential vulnerability exploitationpotential vulnerability probingpotential vulnerability scanpotential_intrusionpotentially malicious activitypowershell abusepowershell abuse potentialpre-attackpreparatory activityprivilege escalationprocess id 2356process id 2812process injectionprotocol abuseprotocol exploitationprotocol-abuseproxyproxy accessproxy protocolpublic-facing application exploitationpythonqatarquasar ratransomwareransomware precursorratrdp attacksrdp scanrdp scanningreconreconnaissancereconnaissance activitiesreconnaissance activityreconnaissance activity detectedredis exploitationredis exploitation attemptredis exploitation 
attemptsredis honeypotredis honeypot activityredis honeypot attacksredishoneypot activityregional securityremcos trojanremote accessremote access attackremote access attemptremote access attemptsremote access serviceremote access toolremote access toolsremote access trojanremote file accessremote file copyremote serviceremote service exploitationremote service interactionremote servicesremote system discoveryremote_accessrepublic ofreputation parasitismreputation-based blockingresearchedresource developmentresource hijackingro ip addressesro originromaniaromania ipromania ip addressromania ip addressesromania ipsromania originromania originating activityromania originating attacksromania originating ipromania originating ipsromania-based threatsromanian ipromanian ipsromanian origin ipsrouting protocolrpcrussiarussian federations7comms7comm protocolsansscada/ics attacksscams & fraudscanscannerscanner detectionscanner ipscannersscanning activityscanning and reconnaissancescanning_activityscriptscripting attackssecurity eventsecurity operationssecurity policysensor-taggedsentrypeer activitysentrypeer attacksentrypeer attackssentrypeer botnetsentrypeer datasentrypeer detectionsentrypeer eventssentrypeer interactionsserbiaserver exploitationserver securityservice detectionservice discoveryservice enumerationservice exploitation attemptsservice probingservice scanservice scanningservice version detectionservice-discoveryservice_enumerationsftpsftp access attemptsftp access attemptssftp activitysftp attacksftp attackssftp attemptsftp attemptssftp exploitationsftp exploitation attemptsftp exploitation attemptssftp intrusion attemptsftp probingsftp protocolsftp scanningsftp-attacksftp_protocolshell accessshell access attemptshell access attemptssingaporesingapore ipsingapore ip addresssingapore ip addressessingapore ipssingapore originsingapore origin ipssingapore originating activitysingapore originating attackssingapore originating ipsingapore originating 
ipssingapore-based activitysingapore-based ipssingapore-based threatssingapore_originsingaporean ipssipsip attackssip brute forcesip probingsip protocolsip scanningsip vulnerability scansip_protocolsippslugsmart devicessmb attackssmb brute forcesmb scanningsmtpsmtp attacksmtp attackssmtp brute forcesmtp probingsmtp scansmtp scanningsnaresocial analyticssocial engineeringsocial mediasocial media marketingsocial media securitysocial networkingsoftware developmentsoftware exploitationsouth africasouth americaspainspamspam campaignsql injectionsql injection attemptsql injection attemptssshssh attackssh attacksssh monitoringssh protocolssh scanssh scanningssh-brute-forcessh_bruteforcessh_protocolsslssl certificatessl certificate analysisssl certificate enrichmentssl certificate validationssl certificate verificationssl certificatesssl enrichmentssl-enrichmentssl/tlsssl_analysisstealcstealer c2stealth scanstrelastealersurface websuricata alertsuricata alertssuspected brute forcesuspected compromisesuspected intrusionsuspected malicious activitysuspected port scanningsuspected reconnaissancesuspected threat actorssuspected_attackswedensynsyn port scansyn scansyrian arab republicsystem discoverysystem disruptionsystem exploitationt-pott1003t1005t1016t1016.001t1018t1020t1021t1021 remote servicest1021.001t1021.002t1021.003t1021.004t1021.005t1021.006t1021: remote servicest1027t1036t1040t1041t1043t1046t1047t1048t1049t1053t1055t1056t1056.001t1057t1059t1059.001t1059.003t1059.004t1059.005t1059.006t1059.007t1059.008t1064t1068t1069t1069.001t1071t1071 
indicatorst1071.001t1071.002t1071.004t1075t1076t1077t1078t1078.001t1078.002t1078.003t1078.004t1080t1082t1083t1086t1087t1088t1090t1090.001t1090.003t1095t1102t1105t1110t1110.001t1110.002t1110.003t1110.004t1133t1134t1140t1187t1189t1190t1195t1195.002t1199t1202t1203t1204t1204.001t1204.002t1210t1213t1213.002t1218t1219t1486t1490t1496t1497t1498t1499.001t1499.002t1499.003t1505t1505.002t1505.004t1547.001t1550t1550.002t1550.003t1555t1555.003t1562t1563t1565t1566t1566.001t1566.002t1566.003t1566.004t1567t1568t1568.002t1569t1569.002t1570t1571t1572t1573t1573.001t1573.002t1583t1583.001t1584t1587.001t1588t1588.002t1588.004t1588.006t1589t1589.002t1590t1590.001t1590.002t1590.004t1590.005t1590.006t1592t1592.002t1595t1595.001t1595.002t1595.003t1598taiwantannertanner activitytanner attacktanner attackstanner detectedtanner eventstanner exploit kittanner exploitationtanner honeypot activitytanner http honeypottanner incidenttanner interactionstargeting databasetcptcp port scanningtcp protocoltcp scantcp scanningtcp-scantcp/23tcp/3306tcp/80tcp_scantelecom servicestelecommunicationtelecommunicationstelnettelnet attackstelnet scantelnet scanningtelnet threattelnet-brute-forcetelnet_protocoltencentthreat activitythreat actorthreat actor activitythreat actor infrastructurethreat actor regionthreat actor unknownthreat actor: unknownthreat actorsthreat analysisthreat detectionthreat feedthreat hosting ispsthreat indicatorthreat indicatorsthreat intel feedthreat intelligencethreat intelligence feedthreat level: highthreat monitoringthreat preventionthreat scorethreat-intelthreat-intelligencethreat_discoverythreat_intelthreat_intelligencetier-1 network vulnerabilitytimeouttlstor nodetorontotpottpotcetraffic analysistraffic analysis requiredtraffic anomaliestraffic anomalytraffic anomaly detectiontraffic from canadatraffic from denmarktraffic from germanytraffic from romaniatraffic from singaporetraffic monitoringtraffic monitoring recommendedtraffic redirectionttpsturkeyubuntuudp port scanudp port 
scanningudp scanudp-scanudp_scanukraineunattributed activityunauthenticated access attemptsunauthorized accessunauthorized access attemptunauthorized access attemptsunauthorized activityunauthorized loginunauthorized login attemptunauthorized network accessunauthorized network activityunauthorized probingunauthorized-access-attemptunidentified adversaryunited arab emiratesunited kingdomunited statesunited states infrastructureunited states ipunited states ipsunited states of americaunited states originunknown actorunknown adversaryunknown malwareunknown originunknown ratunknown stealerunknown threat actorunsolicited network probeunusual network trafficurlsusus & deus abuseus activityus based ipsus ip addressus ip addressesus noneus originus origin ipsus originating activityus originating attacksus originating ipus originating ipsus sourceus source ipus trafficus-based activityus-based ipsus-based threat actorus-based threatsusa ip addressusa originusa originating trafficusa trafficusa_originuser engagementuzbekistanvalid accountsvalleyratvenezuela, bolivarian republic ofverified-benignvidarviet namvietnamvigilance recommendedvnc protocolvoipvoip attackvoip attacksvoip systemsvulnerabilityvulnerability scanvulnerability-scanningvultrvultr cloud infrastructurevultr infrastructurevultr infrastructure targetedvultr parisvultr-platformvultr_platform_activitywebweb app attackweb application attackweb application attacksweb application scanweb application scanningweb attackweb attack activityweb attacksweb crawling detectionweb exploitationweb exploitsweb login attemptweb protocolsweb scannerweb securityweb serverweb server attackweb server attacksweb server exploitationweb serversweb service scanningweb shellweb shell attemptweb shell detectionweb shell uploadweb shell uploadsweb spamweb trafficweb-application-attackweb-based attackweb-serversweb_attackwebsite compromisewestpac new zealandwgetwindows malwarewindows ntwindows system targetingwixwordpotxmasxmas port 
scanxmas scanxwormzmap
Activity Timeline
Most recent activity: Jun 19 (peak: 2026-06-19)
Activity by window:
Last 24h: 0 (dormant)
Last 7d: 1 (minimal)
Last 30d: 1 (minimal)
Last 3mo: 1 (minimal)
Threat score: 58 / 100 (medium risk); signal 58%; 35 reports; first seen Apr 17, 2023; last seen Jun 19, 2026
Geolocation: US, Santa Clara, California (coordinates 37.3835, -121.9830); AS396982, Palo Alto Networks, Inc
Proxy: yes
VirusTotal: not checked
WHOIS
Description (report text, not a registry field): IPv4 hosts detected port scanning DigitalOcean Toronto (CA) honeypot
Raw ARIN record:
NetRange: 205.210.31.0 - 205.210.31.255
CIDR: 205.210.31.0/24
NetName: PAN-22
NetHandle: NET-205-210-31-0-1
Parent: NET205 (NET-205-0-0-0-0)
NetType: Direct Allocation
OriginAS: (empty in the registry record)
Organization: Palo Alto Networks, Inc (PAN-22)
RegDate: 2022-01-11
Updated: 2022-01-11
Ref: https://rdap.arin.net/registry/ip/205.210.31.0
OrgName: Palo Alto Networks, Inc
OrgId: PAN-22
Address: Palo Alto Networks
Address: 3000 Tannery Way
Address: Santa Clara, CA 95054
City: Santa Clara
StateProv: CA
PostalCode: 95054
Country: US
RegDate: 2017-11-22
Updated: 2024-11-25
Ref: https://rdap.arin.net/registry/entity/PAN-22
OrgAbuseHandle: IPABU42-ARIN
OrgAbuseName: IP Abuse
OrgAbusePhone: +1-408-753-4000
OrgAbuseEmail: [email protected]
OrgAbuseRef: https://rdap.arin.net/registry/entity/IPABU42-ARIN
OrgTechHandle: GNS20-ARIN
OrgTechName: Global Network Services
OrgTechPhone: +1-408-753-4000
OrgTechEmail: [email protected]
OrgTechRef: https://rdap.arin.net/registry/entity/GNS20-ARIN
References:
- https://github.com/telekom-security/tpotce
- https://blocklist.greensnow.co/greensnow.txt
- https://www.binarydefense.com/banlist.txt
- https://lists.blocklist.de/lists/all.txt
- https://rules.emergingthreats.net/blockrules/compromised-ips.txt
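The page itself warns that its confidence score is heuristic and that results should be verified before acting on them. The following is an added example, not code from this feed or from any of the listed sources, showing what that verification looks like in practice for this record: it parses the flattened ARIN text above back into fields, checks that the address sits inside the registered block, flags that the registry lists no OriginAS (so the AS396982 attribution is not confirmed by WHOIS), flags the benign markers that appear among the tags, and only then decides whether the indicator is worth blocking or merely monitoring. It finishes by emitting a STIX 2.1 Indicator that carries the score in the standard `confidence` field, the shape the page's "STIX 2.1 Bundle" export would use. The record dictionary is copied from the page (only a handful of its tags), the 70-point block threshold and the "-benign" tag convention are assumed local policy, and the masked abuse address is treated as a placeholder.

```python
"""Triage an IPv4 IOC record before acting on it.

Added example (not the feed's own code). Record values are copied from the
page for 205.210.31.94; ARIN_RAW is the page's flattened WHOIS text. The
CONFIDENCE_TO_BLOCK threshold and the "-benign" tag convention are assumed
local policy, not something the feed documents.
"""
import ipaddress
import re
import uuid
from datetime import datetime, timezone

RECORD = {
    "ip": "205.210.31.94",
    "confidence": 58,           # heuristic score as shown on the page
    "reports": 35,
    "asn": "AS396982",
    "org": "Palo Alto Networks, Inc",
    "first_seen": "2023-04-17",
    # a few of the page's tags; the full exported list is far longer
    "tags": {"port-scan", "proxy", "brute force", "verified-benign",
             "paloaltonetwors_com-benign"},
}

# Abbreviated copy of the page's raw ARIN record (same flattened layout).
ARIN_RAW = (
    "NetRange: 205.210.31.0 - 205.210.31.255 CIDR: 205.210.31.0/24 NetName: PAN-22 "
    "NetHandle: NET-205-210-31-0-1 Parent: NET205 (NET-205-0-0-0-0) NetType: Direct Allocation "
    "OriginAS: Organization: Palo Alto Networks, Inc (PAN-22) RegDate: 2022-01-11 "
    "Updated: 2022-01-11 Ref: https://rdap.arin.net/registry/ip/205.210.31.0 "
    "OrgName: Palo Alto Networks, Inc OrgId: PAN-22 OrgAbuseHandle: IPABU42-ARIN "
    "OrgAbuseEmail: [email protected] "
    "OrgAbuseRef: https://rdap.arin.net/registry/entity/IPABU42-ARIN"
)

# An ARIN field is "Key: value". In the flattened export the fields run
# together on one line, so a value ends where the next Key: token starts.
# The lookahead allows an empty value (OriginAS: is immediately followed by
# Organization:), and URLs are safe because "https:" starts lowercase.
FIELD_RE = re.compile(r"([A-Z][A-Za-z]+):\s*(.*?)(?=\s*[A-Z][A-Za-z]+:|$)")


def parse_arin(raw):
    """Return {key: [values]}; keys such as Address, RegDate and Ref repeat."""
    fields = {}
    for key, value in FIELD_RE.findall(raw):
        fields.setdefault(key, []).append(value.strip())
    return fields


CONFIDENCE_TO_BLOCK = 70  # assumed local policy, not a feed value


def triage(record, whois):
    """Return (decision, findings); decision is 'block' or 'monitor'."""
    findings = []
    cidr = ipaddress.ip_network(whois["CIDR"][0])
    if ipaddress.ip_address(record["ip"]) not in cidr:
        findings.append(f"{record['ip']} lies outside the registry block {cidr}")
    if whois.get("OriginAS", [""])[0] == "":
        findings.append("registry lists no OriginAS; displayed ASN is not confirmed by WHOIS")
    benign = sorted(t for t in record["tags"] if t.endswith("-benign"))
    if benign:
        findings.append("benign markers present among attack tags: " + ", ".join(benign))
    if record["confidence"] < CONFIDENCE_TO_BLOCK:
        findings.append(f"confidence {record['confidence']} is below block threshold {CONFIDENCE_TO_BLOCK}")
    abuse = whois.get("OrgAbuseEmail", [""])[0]
    if abuse in ("", "[email protected]"):
        findings.append("abuse contact is a placeholder; resolve it via the OrgAbuseRef RDAP URL before reporting")
    decision = "monitor" if (benign or record["confidence"] < CONFIDENCE_TO_BLOCK) else "block"
    return decision, findings


def to_stix_indicator(record, decision, now=None):
    """Build a STIX 2.1 Indicator that carries the page's score in `confidence`."""
    now = now or datetime.now(timezone.utc)
    stamp = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": stamp,
        "modified": stamp,
        "name": f"{record['ip']} ({decision})",
        "pattern": f"[ipv4-addr:value = '{record['ip']}']",
        "pattern_type": "stix",
        "valid_from": record["first_seen"] + "T00:00:00.000Z",
        "confidence": record["confidence"],          # 0-100 per STIX 2.1
        "labels": ["network-activity"],              # mirrors the MISP category
        "indicator_types": ["anomalous-activity"],   # from indicator-type-ov
    }


if __name__ == "__main__":
    whois = parse_arin(ARIN_RAW)
    decision, findings = triage(RECORD, whois)
    print(decision)
    for f in findings:
        print(" -", f)
    print(to_stix_indicator(RECORD, decision)["pattern"])
```

For this record the outcome is "monitor", not "block": the address is inside PAN-22 as expected, but the benign markers and the sub-threshold score are each enough to keep it off an automatic blocklist, and the empty OriginAS and masked abuse address are things to resolve through the RDAP URLs before any escalation. The indicator keeps the score as STIX `confidence` rather than folding it into a label, so a downstream consumer can apply its own threshold.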
Export & API: STIX 2.1 bundle, CSV export, permalink
IOC Journey
Confidence: medium. First detected 3 years ago (Apr 17, 2023); last seen 4 days ago (Jun 19, 2026). Appeared in 35 threat reports.