IP · Medium · Signal 80/100
65.49.1.108
Location: Pleasanton, California
ASN: AS6939 (The Shadow Server Foundation)
First Seen: Jul 7, 2023
Last Seen: Jun 10, 2026
Reports: 43 source reports
Confidence: 80% (medium)
VirusTotal detections: 12/91
Found in 43 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 80%
Signal Score: 80 / 100
IDS Rule: No
Network Information
Country: United States
Region: Pleasanton, California
ASN: AS6939
Organization: The Shadow Server Foundation
IP Category: Proxy (proxy server), VPN (VPN exit node)
Feed Intelligence Summary
Source reports: 43
Confidence score: 80%
Category tags:
abuseaccessaccess controlaccount compromiseactionactive scanactive scanningadbadb attacksadb brute forceadb exploitadb protocoladb scanningadbhoney activityadbhoney alertsadbhoney attacksadbhoney honeypotadbhoney interactionsadvertising campaignadvertising spamagentalertandroidandroid debug bridgeandroid devicesandroid_attackanomalous network connectionsapacheapache attackerapkapplication layer protocolaptasiaasset discoveryatif feedattachment phishingattackattack attemptattack sourceattack vectorsattacker ipattacker ip addressesattacker ipsattacker origin: usattacker-ipaustraliaauthenticationauthentication abuseauthentication attackauthentication attacksauthentication attemptauthentication attemptsauthentication failureauthentication-attemptsauthentication_bypassauthentication_failuresauto-generated securityautomated attackautomated attack attemptsautomated attacksautomated emailautomated threatautomated threatsautomated-attackbackdoor installationbad ip'sbad reputationbad web botbankingbanlist feedbase64base64 encodingbecbeningbening scannerbinary defenseblacklisted ip addressblock listblock.txtblocklist_allblog spambotnetbotnet activitybotnet-activitybotnet_activitybrutebrute forcebrute force attackbrute force attackerbrute force attacksbrute force attemptbrute force attemptsbrute-forcebrute-force attackbrute_forcebrute_force_attackbrute_force_attemptbruteforcebulk emailbulk messagingc2c2 communicationcanadacertchina mobilecins activecisco asacisco attackcisco devicecisco device attackcisco device scanningcisco device targetedcisco device targetingcisco exploit attemptcisco exploit attemptscisco exploitationcisco exploitation attemptcisco exploitation attemptscisco targetingcisco_exploitcitrix attack attemptcitrix exploitation attemptcitrix exploitation attemptscitrix securitycloud environmentcloud infrastructurecloud infrastructure attackcloud infrastructure targetcloud servicescloud-infrastructurecode executioncode injectioncolumnscommand & controlcommand and 
controlcommand executioncommand injectioncommand injection attemptcommand_and_controlcommunication protocolcompany limitedcompromise attemptcompromised credentialscompromised credentials attemptcompromised hostcompromised host activitycompromised host indicatorscompromised systemcompromised system detectioncompromised systemsconfigconnectconnected devicesconpot activityconpot attacksconpot honeypotconpot ics attackconpot ics attacksconpot ics exploitationconpot interactionscontainer securitycowriecowrie activitycowrie attackcowrie attackscowrie capturecowrie datacowrie detectedcowrie detectioncowrie honeypotcowrie honeypot datacowrie honeypot detectioncowrie interactioncowrie interactionscowrie loginscowrie logscowrie ssh activitycowrie ssh attackcowrie ssh attackscowrie ssh honeypotcowrie ssh interactioncowrie_attackcredential accesscredential access attemptscredential attackcredential attackscredential brute forcecredential brute-forcingcredential compromisecredential guessingcredential harvestingcredential phishingcredential stuffingcredential theftcredential-accesscredential-harvestingcredential-stuffingcredential_accesscredential_stuffingcredentialaccesscredit card servicescssctacurlcvedaily_sourcesdata encryptiondata exfiltrationdata exfiltration attemptdata harvestingdata scrapingdata store exposuredata/local/tmpdatabase activitydatabase attackdatabase attacksdatabase brute forcedatabase enumerationdatabase exploitationdatabase exploitation attemptsdatabase intrusion attemptsdatabase login attemptdatabase probingdatabase scandatabase scanningdatabase securitydatabase-serverdatabase_attackdcerpcddosddos attackddos attack indicatorsddos attacksddos attemptddos preparationddos probeddos reflectionddospotdecoy systemdelhidenial of servicedenial-of-servicedenial-of-service attemptdevice managementdevice takeoverdictionary attackdigital oceandigitalocean environmentdigitalocean ipsdionaeadionaea activitydionaea alertdionaea attackdionaea attack signaturesdionaea 
attacksdionaea capturedionaea detecteddionaea detectiondionaea eventsdionaea exploit attemptsdionaea honeypotdionaea interactionsdionaea logsdionaea malware analysisdionaea malware collectiondionaea malware detectiondionaea malware samplesdionaea payloadsdirectory traversal attemptdistributed attacksdnsdns attackdockerdropperdropper activitydshield blockelasticpot activityelasticpot attackselasticpot dataelasticpot detectedelasticpot honeypotelasticsearchelasticsearch monitoringemailencryptionenterprise networkingenterprise securityenumerationenv-huntinget dropeu cyber policieseuropeexecutable fileexfiltrationexploitexploit activityexploit attemptexploit attemptsexploit kit activityexploit probingexploit public-facing applicationexploit scanexploit targetingexploit: web applicationexploit_attemptexploitationexploitation activityexploitation attemptexploitation attemptsexploitation of privilegeexploitation of vulnerabilityexploitation_attemptexploited hostexport-to-otxexternal access attemptsexternal attackexternal scanningexternal threatexternal-threatexternal_threatextortionfailed login attemptsfattfatt analysisfatt detectionsfatt signaturesfilefin scanfinancefinance and insurancefinancial servicesfinancial technologyfinlandfrancefraudfraud voipftpftp activityftp attackftp attacksftp attemptftp brute forceftp brute-forceftp scanftp scanningftp_bruteforceftp_scangalahgermanygithubgluttongopotgroupshackinghellpotheralding activityheralding attackheralding attacksheralding behaviorheralding probeshigh-riskhk abusehandlerhoneynet connecthoneypot 24h activityhoneytrap activityhoneytrap datahoneytrap detectionhoneytrap eventshoneytrap exploit attemptshoneytrap honeypothoneytrap interactionshong konghttp attackhttp brute forcehttp exploitationhttp probinghttp request anomalieshttp scannerhttp scanninghttp/httpshttp/shttp_scanhttpshttps scanninghurricane ushydraicmpics securityics/scadaics/scada attackidentity & access exploitationillegal service advertisingimapimap 
attackinbound scanindiaindia phone numbersindia spamindicators of compromiseindustrial control systemsindustrial iotinfoinformation gatheringinfrastructure acquisitionreconnaissanceinfrastructure reconnaissanceinfrastructure scanninginfrastructure targetinginitial accessinitial access preparationinitial access vectorinitial_accessinitial_access_attemptinjection activityinjection attacksinternet exposedinternet facinginternet facing assetsinternet facing systemsinternet of thingsinternet wide scaninternet-facinginternet-facing assetsinternet-facing serviceinternet-facing systemsinternet-wide observationinternet-wide scaninternet_wide_scanintrusion detectioniocioc.ipiocsiot analyticsiot applicationsiot attackiot botnetiot device attacksiot device targetingiot exploit attemptsiot exploitationiot platformsiot securityiot targetediot/ics attackiot_attackip-address-iocipmi scanningipphoney activityipphoney dataipphoney honeypotipv4ipv4 activityipv4 addressesipv4 attacksipv4 indicatorsipv4 port scanningipv4 scanningipv4-addressesipv4_addressipv4_scanningjapankfsensor honeypotkibanakill-chain exploitationkill-chain reconnaissanceknown malicious iplajpat nagarlamplamp attacklamp attack attemptlamp attackslamp exploitlamp exploit attemptlamp exploit attemptslamp exploitationlamp exploitation attemptlamp exploitation attemptslamp server attacklamp server targetinglamp stacklamp stack attacklamp stack attackslamp stack exploitationlamp stack targetedlamp stack targetinglamp vulnerability scanlamp_exploitlateral movementlateral movement techniqueslateral_movementlcialinuxlinux malwarelinux malware probelinux serverslinux systemlinux system exploitationlinux systemslinux-server-attacklinux-server-attackslinux-systemlinux_server_attackslisted sourcelog4potloginlogin attacklogin attemptlogin attemptslogin brute forcelogin failureloginattacklondonlow-riskmail protocol abusemailoney activitymailoney attackmailoney attacksmailoney capturemailoney detectionmailoney email 
spoofingmailoney eventsmailoney honeypotmailoney indicatorsmailoney interactionsmalaysiamalicious activitymalicious activity detectedmalicious adb activitymalicious campaignmalicious code detectionmalicious emailmalicious email detectionmalicious file transfermalicious infrastructuremalicious ip activitymalicious ip listmalicious ipsmalicious loginmalicious login attemptsmalicious network activitymalicious payloadmalicious payload attemptsmalicious payload detectionmalicious scanmalicious script executionmalicious sftp activitymalicious sip activitymalicious softwaremalicious software detectionmalicious sshmalicious ssh activitymalicious trafficmalicious-activitymalicious-login-attemptsmalicious-scanmalicious_activitymalicious_trafficmalwaremalware activitymalware analysismalware attemptmalware behaviourmalware capturemalware deliverymalware delivery attemptmalware deployment attemptsmalware detectionmalware distributionmalware downloadmalware download attemptsmalware droppermalware hostingmalware propagationmalware_activitymalware_detectionmanualmasscanmedpotminermirai botnetmispmobilemobile securitymobile threatmonthlymssqlmssql brute forcemultiple failed loginsmysql brute forcenetworknetwork activitynetwork attacksnetwork device compromisenetwork device probingnetwork discoverynetwork enumerationnetwork infrastructurenetwork intrusionnetwork intrusion attemptnetwork intrusion attemptsnetwork intrusion detectionnetwork layer protocolnetwork monitoringnetwork port scanningnetwork probenetwork probingnetwork protocolnetwork reconnaissancenetwork scannetwork scanningnetwork scanning activitynetwork securitynetwork service scanningnetwork servicesnetwork traffic analysisnetwork-based attack attemptsnetwork-devicenetwork-reconnaissancenetwork_device_attacknetwork_discoverynetwork_intrusionnetwork_reconnaissancenetwork_scannetwork_scanningnetwork_service_exploitationnginxnmapnorth americanull scanoceaniaopen port identificationopen proxyopencanaryopenctiopportunistic 
attackopportunistic attackeros command injectionosintotxp0fp0f network fingerprintingp0f os fingerprintingp0f passive fingerprintingp0f signaturespasswordpassword attackpassword attackspassword crackingpassword sprayingpassword theftpassword-guessingpassword_guessingpayment fraudpayment processingperimeter securitypgp signphishingphishing attackphishing campaignphishing trapphone number spamphone spamphp injection attemptspingping of deathpolandpoor reputationpop3 attackportport-scanningportscanpossible botnet activitypossible credential reusepossible credential theftpossible exploit attemptpossible exploit probingpossible malicious activitypossible malware activitypossible malware distributionpossible malware dropperpossible malware hostingpossible mirai variantpossible vulnerability exploitationpotential botnetpotential botnet activitypotential brute forcepotential compromisepotential credential compromisepotential credential theftpotential data exfiltrationpotential exploitpotential exploit activitypotential exploit attemptspotential intrusionpotential malicious activitypotential malware activitypotential malware deliverypotential malware deploymentpotential malware distributionpotential malware hostingpotential malware infectionpotential malware uploadpotential reconnaissancepotential vulnerability exploitationprice requestprice request scamprivilege escalationprocess injectionprotoprotocol abuseprotocol exploitationprotocol scanprotocol-abuseproxyproxy accesspublic cloud targetingpublicly accessible infrastructurepublicly accessible servicespythonransomwareransomware activityraspberry-pircerdp attacksrdp_scanreconnaissancereconnaissance activityredisredis exploitationredis exploitation attemptredis exploitation attemptsredis honeypotredis honeypot attacksredishoneypotregional securityremote accessremote access abuseremote access attacksremote access attemptremote access attemptsremote access toolsremote loginremote serviceremote service exploitationremote 
servicesremote services exploitationremote_accessremote_serviceresearchedresource developmentresource hijackingsansscada exploitation attemptsscamscams & fraudscanscannerscanner activityscanner ipsscannersscanning activityscanning_activityschedule themescheduled task abusescriptscripting attackssecurity eventsecurity operationssecurity policysensor-taggedsentrypeer activitysentrypeer attacksentrypeer attackssentrypeer botnetsentrypeer connectionssentrypeer detectionsentrypeer eventssentrypeer interactionssentrypeer p2p attackserverserver exploitationserver securityservice detectionservice discoveryservice enumerationservice exploitation attemptsservice scanservice scanningservice-discoverysex services advertisementsex worksftpsftp access attemptsftp access attemptssftp activitysftp attacksftp attackssftp attemptsftp attemptssftp exploitation attemptsftp exploitation attemptssftp intrusion attemptssftp protocolsftp scanningsftp-attacksftp_attackshadowsever_org-benignshellshell accessshell access attemptsingaporesipsip attackssip brute forcesip probingsip protocolsip scansip scanningsip vulnerability scansip_attacksippslugsmart devicessmb attackssmb brute forcesmb exploitationsmssms spamsms spam campaignsmtpsmtp attacksmtp attackersmtp attackssmtp brute forcesmtp probingsmtp scansmtp scanningsmtp traffic analysissmtp_attacksnaresocial engineeringsocradarsoftware exploitationspamspam advertisementspam campaignsql injectionsql injection attemptsql injection attemptssshssh attackssh attacksssh brute-forcessh bruteforcessh monitoringssh protocolssh scanningssh-brute-forcessh_bruteforcessh_scansurface websuricata alertsuricata alertssyn scansystem disruptiont-pott-pot 
frameworkt1003t1003.001t1005t1016t1016.001t1018t1020t1021t1021.001t1021.002t1021.003t1021.004t1021.005t1021.006t1027t1040t1041t1046t1047t1048t1053t1053.005t1055t1056t1059t1059.001t1059.003t1059.004t1059.005t1059.007t1064t1065t1068t1071t1071.001t1076t1077t1078t1078.001t1078.002t1078.003t1078.004t1083t1087t1105t1110t1110.001t1110.002t1110.003t1110.004t1133t1134t1187t1189t1190t1192t1195t1199t1202t1203t1204t1204.002t1210t1486t1490t1496t1497t1497.001t1499.001t1499.002t1499.003t1505t1505.002t1505.004t1547t1550t1550.002t1550.003t1552.001t1555t1555.003t1556t1562t1563t1565t1566t1566.001t1566.002t1566.003t1566.004t1567.001t1572t1583t1583.001t1583.006t1584t1587.001t1588t1588.002t1588.004t1588.006t1589t1590t1590.001t1590.003t1590.004t1590.005t1590.006t1591t1592t1592.002t1595t1595.001t1595.002t1595.003t1598t1598.003tannertanner activitytanner attacktanner attack patternstanner attackstanner detectedtanner eventstanner exploit detectiontanner exploit kittanner honeypottanner honeypot activitytanner http honeypottanner interactionstanner web attacktargeting databasetariff server compromisetariff server themetariffs servertcp protocoltcp scantcp scanningtcp-scantcp/5555tcp/iptelecommunicationstelephone harassmenttelnettelnet attackstelnet attemptstelnet threattelnet-brute-forcethreat actorthreat actor activitythreat detectionthreat feedthreat intelligencethreat intelligence feedthreat preventionthreat_actor_unknownthreat_discoverythreat_intelligencetimeouttokyotop10.txttopips.txttor nodetpottpotcetraffic analysistrinityttpsudp port scanudp scanudp-scanunattributed activityunattributed threat actorunauthenticated access attemptsunauthorized accessunauthorized access attemptunauthorized access attemptsunauthorized loginunauthorized login attemptunauthorized login attemptsunauthorized-access-attemptunidentified attackerunidentified threat actorunited kingdomunited statesunited states of americaunknown threat actorunsolicited communicationunsolicited contactusus abuseus ip addressus 
noneus source ipvalid accountsverified-benignvnc protocolvoidtrapvoipvoip attackvoip attacksvoip systemsvoip_attackvpnvpn ipvulnerability scanvultrvultr infrastructurevultr ip addressvultr tokyovultr_platform_activitywazuhwealth managementweb app attackweb applicationweb application attackweb application attacksweb application scanweb application scanningweb attackweb attacksweb exploit attemptweb exploitationweb exploitsweb login attemptweb scannerweb server attackweb server attacksweb server exploitationweb serversweb service attacksweb service scanningweb shellweb shell attemptweb shell detectionweb shell uploadweb shell uploadsweb spamweb trafficweb-application-attackweb-serverweb_attackweb_server_attackwetransfer abusewgetwindows malwarewordpotxmas scan
Activity Timeline: Jun 10
Threat Activity Heatmap
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk (80)
Geolocation: US
Coords: 37.6951, -121.9000
Categories: Proxy, VPN
WHOIS
- description: IPv4 hosts detected port scanning Vultr Paris (France) honeypot
- raw: Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255 The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
- references: https://github.com/telekom-security/tpotce, https://blocklist.greensnow.co/greensnow.txt, https://www.binarydefense.com/banlist.txt, https://lists.blocklist.de/lists/all.txt, https://rules.emergingthreats.net/blockrules/compromised-ips.txt
IOC Journey
Confidence: medium · First detected 2 years ago · Last seen 1 day ago
Appeared in 43 threat reports