IOC Radar
IP · Medium · Signal 77/100

216.218.206.67

Location: United States, Cazadero, California
ASN: AS6939 (The Shadow Server Foundation)
First Seen: Aug 26, 2020 (2114d ago)
Last Seen: Jun 10, 2026 (yesterday)
Reports: 31 source reports
Confidence: 77% (medium)
Found in 31 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
Type: IPv4 Address (network layer indicator observed in threat reports)
MISP Category: Network Activity
Confidence: 77%
Signal Score: 77 / 100
IDS Rule: No
Threat Context

Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 125 techniques

Network Information

Country: US (United States)
Region: Cazadero, California
ASN: AS6939
Organization: The Shadow Server Foundation

IP Category

Proxy: proxy server
VPN: VPN exit node

Feed Intelligence Summary

Source reports: 31
Confidence score: 77%
Category tags
abuse, access, access attempt, access attempts, access control, account compromise, active scan, active scanning, adb, adb attacks, adb brute force, adb exploit, adb exploit attempts, adb exploitation, adb_protocol, adbhoney activity, adbhoney attacks, adbhoney honeypot, adbhoney interactions, adbhoney related activity, advertising campaign, advertising spam, and exploitation attempts, android, android debug bridge, android device attacks, android devices, android_attack, api services, apk, application layer protocol, application reconnaissance, asa, asia, attack, attack origin analysis, attack source, attacker ip, attacker ips, attempted initial access, australia, authentication, authentication abuse, authentication attack, authentication attacks, authentication attempt, authentication attempts, authentication brute force, authentication bypass, authentication failure, authentication failures, authentication-attempts, authentication_failures, automated attack, automated attack activity, automated attack attempts, automated attacks, automated threat, automated threats, automated-attack, automated_attack, backdoor installation, bad reputation, bad web bot, banking, bening, bening scanner, blacklist activity, blacklist check, blog spam, botnet, botnet activity, botnet-activity, botnet_activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute force authentication, brute force ftp, brute force ssh, brute-force, brute-force attack, brute_force, brute_force_attack, bruteforce, bulk messaging, c2, c2 communication, c2 server, canada, centos, cisco asa, cisco attack, cisco brute force, cisco device, cisco device attack, cisco device attacks, cisco device targeting, cisco exploit attempt, cisco exploitation, cisco exploitation attempt, cisco exploitation attempts, cisco logs, cisco network devices, cisco targeted, cisco-device-targeting, cisco_device_attack, citrix attack attempt, citrix brute force, citrix exploitation attempt, citrix exploitation attempts, citrix security, cloud environment, cloud environment attack, cloud infrastructure, cloud infrastructure attack, cloud services, cms detection, code execution, command & control, command and control, command execution, command injection, command injection attempt, command_and_control, commercial sex, commercial spam, common vulnerabilities, communication protocol, compromise attempt, compromised credentials, compromised credentials attempt, compromised host, compromised host detection, compromised hosts, compromised system, connect, connected devices, conpot activity, conpot attack, conpot attacks, conpot emulation, conpot exploitation, conpot honeypot, conpot ics attack, conpot ics attacks, conpot ics exploitation, conpot interaction, conpot interactions, container security, content delivery, cowrie, cowrie activity, cowrie attack, cowrie attacks, cowrie capture, cowrie data, cowrie detected, cowrie detection, cowrie emulation, cowrie honeypot, cowrie honeypot data, cowrie interaction, cowrie interactions, cowrie logs, cowrie ssh activity, cowrie ssh attack, cowrie ssh attacks, cowrie ssh honeypot, cowrie ssh interaction, cowrie ssh logs, credential access, credential access attempts, credential attack, credential attacks, credential brute force, credential brute forcing, credential brute-forcing, credential compromise, credential guessing, credential harvesting, credential stuffing, credential theft, credential-access, credential-bruteforcing, credential-stuffing, credential_access, credential_guessing, credential_stuffing, credit card services, cross-site scripting, cta, curl, cve exploitation, data encryption, data exfiltration, data harvesting, data scraping, data store exposure, data theft, data/local/tmp, database access attempt, database attack, database attacks, database brute force, database enumeration, database exploit, database exploitation attempts, database intrusion attempt, database login attempt, database probe, database probing, database scan, database scanning, database security, database servers, database-server, database_attack, database_server, dcerpc, ddos, ddos attack, ddos attack indicators, ddos attempt, ddos preparation, ddos prevention, ddos probe, ddos probing, ddospot, decoy system, defense evasion, delhi, denial of service, denial-of-service, device management, device takeover, dhcp, dictionary attack, dictionary_attack, digital ocean, digitalocean platform, dionaea, dionaea activity, dionaea attack, dionaea attacks, dionaea capture, dionaea detected, dionaea detection, dionaea emulation, dionaea exploit attempts, dionaea exploits, dionaea honeypot, dionaea interactions, dionaea logs, dionaea malware analysis, dionaea malware collection, dionaea malware detection, dionaea malware samples, dionaea payloads, dionaea signatures, directory bruteforcing, directory enumeration, directory traversal, directory traversal attempt, discovery phase, distributed attack, distributed attacks, dns, dns attack, docker, drive-by compromise, dropper, dropper activity, elasticpot activity, elasticpot attacks, elasticpot detected, elasticpot exploitation, elasticpot honeypot, elasticsearch, elasticsearch monitoring, email, encryption, energy, enterprise networking, enterprise security, enumeration, eu cyber policies, europe, executable file, exfiltration, exim exploit attempt, exploit, exploit activity, exploit attempt, exploit attempts, exploit kit, exploit kit activity, exploit probing, exploit public-facing application, exploit scan, exploit targeting, exploit_attempts, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploitation of privilege, exploitation of vulnerability, exploitation_attempt, exploited host, exposed services exploitation, external access attempts, external threat, external_threat, extortion, fail2ban triggered, failed, failed login, failed login attempts, fatt, fatt analysis, fatt detections, fatt signatures, file, finance, finance and insurance, financial services, financial technology, fingerprinting, firewall event, france, fraud, fraud voip, ftp, ftp attack, ftp attacks, ftp brute force, ftp brute-force, ftp protocol, ftp scan, ftp scanning, ftp_protocol, galah, github, glutton, gopot, groups, gurgaon, hacking, hellpot, heralding activity, heralding attack, heralding behavior, heralding probes, heralding probing, heralding scan activity, honeytrap activity, honeytrap data, honeytrap detection, honeytrap emulation, honeytrap events, honeytrap exploit attempts, honeytrap honeypot, honeytrap interactions, http access attempt, http attack, http brute force, http exploitation, http probing, http scanner, http scanning, http/s, http_protocol, https, https scanning, hydra, icmp, ics, ics attack, ics attacks, ics security, ics/scada, ics/scada attack, ics/scada attacks, identity & access exploitation, illegal service advertising, illegal services, imap, imap attack, imap brute force, imap protocol, india, india phone numbers, india spam, indicator, indicators of compromise, industrial control systems, industrial iot, information gathering, information technology, infrastructure acquisition reconnaissance, initial access, initial access attempts, initial_access, injection activity, injection attacks, input validation, input validation bypass, internet background noise, internet facing, internet of things, internet-facing, internet-facing service, internet-facing services, internet-wide scan, intrusion detection, ioc, iocs, iot analytics, iot applications, iot attack, iot device attacks, iot device targeting, iot devices, iot exploit attempts, iot exploitation, iot platforms, iot security, iot targeted, iot/ics attack, iot_attack, ip-address-ioc, ip-addresses, ipp honey, ipp_protocol, ipphoney activity, ipphoney data, ipphoney honeypot, ipv4, ipv4 address, ipv4 attacks, ipv4 indicator, ipv4_address, it infrastructure, japan, kfsensor honeypot, kibana, lajpat nagar, lamp, lamp attack, lamp attack attempt, lamp attacks, lamp exploit, lamp exploit attempt, lamp exploit attempts, lamp exploitation, lamp exploitation attempt, lamp exploitation attempts, lamp server attack, lamp server probe, lamp server targeting, lamp stack, lamp stack attack, lamp stack attacks, lamp stack exploitation, lamp stack targeted, lamp stack targeting, lamp vulnerability exploitation, lamp vulnerability scan, lamp_stack_attack, lateral movement, lateral movement techniques, ldap, lfi, linux, linux exploit, linux malware, linux servers, linux system, linux system exploitation, linux system targeting, linux systems, linux-server-attack, linux-server-attacks, linux-server-targeting, linux-system, linux_server_attacks, load balancer, log4pot, login, login attack, login attempt, login attempts, login failure, mail protocol abuse, mail protocol attacks, mail service attack, mailoney activity, mailoney attack, mailoney detection, mailoney email spoofing, mailoney events, mailoney honeypot, mailoney interactions, mailoney logs, mailoney related, malaysia, malicious activity, malicious activity detected, malicious adb activity, malicious campaign, malicious code detection, malicious code injection, malicious email, malicious email activity, malicious email detection, malicious file transfer, malicious ip activity, malicious ip addresses, malicious ip detected, malicious ip list, malicious login attempts, malicious network activity, malicious payload, malicious payload attempt, malicious payload attempts, malicious payload delivery, malicious payload detection, malicious sftp activity, malicious sip activity, malicious software, malicious software detection, malicious ssh, malicious ssh activity, malicious traffic, malicious-activity, malicious-login-attempts, malicious-scan, malicious_activity, malicious_traffic, malware, malware activity, malware analysis, malware attempt, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware delivery attempts, malware deployment, malware deployment attempts, malware detection, malware distribution, malware distribution attempt, malware download, malware download attempt, malware download attempts, malware hosting, malware infection, malware propagation, malware propagation attempts, malware staging, malware_activity, malware_distribution_attempt, manual, masscan, medpot, medusa, miner, mobile, mobile security, mobile threat, modbus, modbus attacks, monthly, mssql, mssql brute force, multiple failed logins, mysql brute force, network, network activity, network attacks, network device, network device attack, network device attacks, network device compromise, network devices, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network intrusions, network monitoring, network probe, network probing, network protocol, network reconnaissance, network scan, network scanning, network scanning activity, network security, network service scanning, network services, network traffic analysis, network-based attack attempts, network-device, network-reconnaissance, network_device, network_device_attack, network_intrusion, network_reconnaissance, network_scan, network_scanning, nginx, nmap, noida, north america, ntp, ntp protocol, null scan, oceania, open proxy, opencanary, opencti, openssh, opportunistic-attack, oracle, oracle database, os credential dumping, owasp, p0f, p0f network fingerprinting, p0f os fingerprinting, p0f passive fingerprinting, p0f signatures, password attack, password attacks, password cracking, password spraying, password-guessing, password_guessing, path traversal, payment processing, perimeter security, phishing, phishing attack, phishing trap, phone number spam, phone spam, php injection attempts, pop3 attack, port-scanning, portscan, possible botnet activity, possible credential reuse, possible exploit attempt, possible exploit probing, possible malicious activity, possible malware activity, possible malware deployment, possible malware distribution, possible malware hosting, possible malware probing, possible malware propagation, possible mirai variant, possible reconnaissance, possible vulnerability exploitation, potential botnet, potential botnet activity, potential compromise, potential credential compromise, potential credential theft, potential exploit, potential exploit activity, potential exploit attempts, potential intrusion, potential malicious activity, potential malware activity, potential malware delivery, potential malware deployment, potential malware distribution, potential malware hosting, potential reconnaissance, potential threat actor, potential vulnerability exploitation, potential vulnerability probing, privilege escalation, privilege escalation attempt, process injection, protocol abuse, protocol exploitation, protocol-abuse, proxy, proxy access, publicly accessible infrastructure, publicly accessible services, python, ransomware, ransomware activity, raspberry-pi, rdp attacks, reconnaissance, reconnaissance activity, reconnaissance-activities, redis attacks, redis brute force, redis exploit attempt, redis exploitation, redis exploitation attempt, redis exploitation attempts, redis honeypot, redis honeypot activity, redis honeypot attacks, redishoneypot activity, regional security, remote access, remote access attack, remote access attacks, remote access attempt, remote access attempts, remote access tools, remote file inclusion, remote service exploitation, remote services, remote services exploitation, remote_access, remote_access_service, remote_service, research, researched, resource development, resource hijacking, rfi, s7comm attacks, sans, scam, scams & fraud, scan, scanner, scanner activity, scanners, scanning activity, script, scripting attacks, security operations, security policy, sensor-tagged, sentrypeer activity, sentrypeer attack, sentrypeer attacks, sentrypeer botnet, sentrypeer connections, sentrypeer detection, sentrypeer events, sentrypeer exploit, sentrypeer interactions, sentrypeer logs, sentrypeer p2p attack, server, server exploitation, server security, service enumeration, service exploitation, service scan, service scanning, service-discovery, sex services advertisement, sex work, sftp, sftp access attempt, sftp access attempts, sftp activity, sftp attack, sftp attacks, sftp attempt, sftp attempts, sftp credential attack, sftp exploit attempt, sftp exploitation, sftp exploitation attempt, sftp exploitation attempts, sftp intrusion attempt, sftp probing, sftp protocol, sftp protocol abuse, sftp scanning, sftp-attack, sftp-brute-force, sftp_protocol, shadowsever_org-benign, shell access, shell access attempt, shell access attempts, shellshock attempt, sip, sip attacks, sip brute force, sip enumeration, sip probing, sip protocol, sip scan, sip scanning, sip vulnerability scan, sip vulnerability scanning, sip-scanning, sip_protocol, sipp, slug, smart devices, smb attacks, smb brute force, smb exploitation, smb_protocol, sms, sms spam, sms spam campaign, smtp, smtp attack, smtp attacks, smtp brute force, smtp probing, smtp scan, smtp scanning, smtp traffic analysis, smtp_protocol, snare, social engineering, socks5, socks5 proxy, software development, software exploitation, spain, spam, spam advertisement, spam advertisement campaign, spam campaign, sql injection, sql injection attempt, sql injection attempts, ssh, ssh attack, ssh attacks, ssh brute-force, ssh monitoring, ssh protocol, ssh scan, ssh-brute, ssh-brute-force, ssh_protocol, ssl, ssl vpn, ssrf, surface web, suricata alert, suricata alerts, syn, syn scan, system discovery, system disruption, system reconnaissance, t-pot, t1005, t1016, t1016.001, t1018, t1020, t1021, t1021.001, t1021.002, t1021.003, t1021.004, t1021.005, t1021.006, t1021.007, t1027, t1033, t1040, t1041, t1046, t1047, t1053, t1053.005, t1055, t1056, t1057, t1059, t1059.001, t1059.003, t1059.004, t1059.005, t1059.006, t1059.007, t1064, t1068, t1069, t1071, t1071.001, t1071.004, t1072, t1076, t1077, t1078, t1078.001, t1078.002, t1078.003, t1078.004, t1082, t1083, t1087, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1132, t1133, t1187, t1189, t1190, t1192, t1195, t1195.002, t1199, t1202, t1203, t1204, t1204.002, t1210, t1486, t1490, t1495.001, t1496, t1497, t1497.001, t1499.001, t1499.002, t1499.003, t1505, t1505.002, t1505.004, t1539, t1550, t1550.002, t1550.003, t1552.001, t1555, t1555.003, t1556, t1562, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1567.001, t1572, t1573, t1573.001, t1583, t1583.001, t1583.006, t1584, t1587.001, t1588, t1588.002, t1588.006, t1589, t1589.002, t1590, t1590.001, t1590.004, t1590.005, t1590.006, t1591, t1592, t1592.002, t1595, t1595.001, t1595.002, t1595.003, t1598, t1598.003, t1608, tanner, tanner activity, tanner attack, tanner attacks, tanner detected, tanner events, tanner exploit detection, tanner exploit kit, tanner honeypot activity, tanner interactions, tanner logs, tanner web attack, targeting database, tcp, tcp port scanning, tcp protocol, tcp scan, tcp-scan, tcp/5555, telecommunications, telephone harassment, telnet, telnet attacks, telnet attempts, telnet threat, telnet-brute-force, telnet_protocol, threat actor, threat detection, threat intel, threat intelligence, threat intelligence feed, threat prevention, threat_intelligence, tor node, tpot, tpotce, traffic analysis, trinity, tsec, ttps, ubuntu, udp port scan, udp port scanning, udp scan, udp-scan, unauthenticated access attempts, unauthorised access attempts, unauthorized access, unauthorized access attempt, unauthorized access attempts, unauthorized login, unauthorized login attempt, unauthorized login attempts, unauthorized probing, unauthorized-access-attempt, unidentified attacker, united kingdom, united states, united states of america, unknown threat actor, unsolicited communication, unsolicited contact, unsolicited content, upload, us, user enumeration, valid accounts, verified-benign, vnc protocol, voip, voip attack, voip attacks, voip system, voip systems, voip_attack, vpn, vpn ip, vulnerability, vulnerability scan, vultr, vultr infrastructure, vultr tokyo, vultr_platform_activity, waf, waf bypass attempts, weak credentials, wealth management, web apis, web app attack, web application, web application attack, web application attacks, web application exploitation, web application fingerprinting, web application scan, web application scanning, web applications, web attack, web attacks, web crawler, web development, web enumeration, web exploit, web exploitation, web exploits, web hosting, web infrastructure, web login, web login attempt, web scanner, web server, web server attacks, web servers, web services, web shell, web shell attempt, web shell detection, web shell upload, web shell uploads, web spam, web technologies, web traffic, web-application-attack, web-application-attacks, web-server, web_application, web_application_attack, web_attack, web_server, wget, windows malware, windows system, windows system targeting, wordpot, xmas scan, xss, zabbix

Activity Timeline

1 total observation (Jun 10 to Jun 10)

Threat Activity Heatmap

[Weekly calendar heatmap covering Jun through the following Jun; cell values not captured in text]
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk (77 SIGNAL)
Signal Score: 77%
Confidence: 31 Reports
First seen: Aug 26, 2020
Last seen: Jun 10, 2026
Geolocation: US
Country: United States
Location: Cazadero, California
ASN: AS6939
Org: The Shadow Server Foundation
Coords: 37.6951, -121.9000
Proxy/VPN: Proxy, VPN

VirusTotal: Not checked

WHOIS

description: IPv4 hosts detected port scanning Vultr Paris (France) honeypot
raw: Hurricane Electric LLC HURRICANE-1 (NET-216-218-128-0-1) 216.218.128.0 - 216.218.255.255 The Shadowserver Foundation, Inc. HURRICANE-CE2897-8B8B5023 (NET-216-218-206-64-1) 216.218.206.64 - 216.218.206.127
references: https://github.com/telekom-security/tpotce

IOC Journey

Confidence: medium
First detected 5 years ago · Last seen 1 day ago
Appeared in 31 threat reports