IOC Radar
IP · Medium · Signal 75/100

65.49.1.12

Location: United States (Pleasanton, California)
ASN: AS6939 (The Shadow Server Foundation)
First Seen: Jan 20, 2021 (1982d ago)
Last Seen: Jun 13, 2026 (12d ago)
Reports: 38 source reports
Confidence: 75% (medium)
Found in 38 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: Network layer indicator observed in threat reports.
MISP Category: Network Activity
Signal Score: 75 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs: 92 techniques

Network Information

Country: US (United States)
Region: Pleasanton, California
ASN: AS6939
Organization: The Shadow Server Foundation

IP Category

Proxy: Proxy server
VPN: VPN exit node

Feed Intelligence Summary

Source reports: 38
Confidence score: 75%
Category tags

Activity Timeline

1 total observation (Jun 13)

Threat Activity Heatmap

Peak: 2026-06-13
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk (Signal Score 75)
Coords: 37.7510, -97.8220

VirusTotal

Not checked

WHOIS

Description: IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
Raw:
Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255

IOC Journey

medium
First detected 5 years ago · Last seen 12 days ago
Appeared in 38 threat reports