IP · Medium · Signal 72/100
65.49.1.15
Location: Pleasanton, California
ASN: AS6939 (The Shadow Server Foundation)
First Seen: Jun 28, 2023
Last Seen: Jun 10, 2026
Found in 37 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 72%
Signal Score: 72 / 100
IDS Rule: No
Network Information
Country: United States
Region: Pleasanton, California
ASN: AS6939
Organization: The Shadow Server Foundation
IP Category: Proxy (proxy server)
Feed Intelligence Summary
Source reports: 37
Confidence score: 72%
Category tags
Activity Timeline
Jun 10
Threat Activity Heatmap (chart not preserved; rows by weekday, scale from Less to More)
24h: 1 (Minimal)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 72 (High Risk)
Signal Score: 72
Confidence: 72%
Reports: 37
First seen: Jun 28, 2023
Last seen: Jun 10, 2026
Geolocation: US
Country: United States
Location: Pleasanton, California
ASN: AS6939
Org: The Shadow Server Foundation
Coords: 37.6951, -121.9000
IP Category: Proxy
VirusTotal: Not checked
WHOIS
- description: IPv4 hosts detected port scanning Vultr Paris (France) honeypot
- raw:
  - Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
  - The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
IOC Journey
Medium · First detected 2 years ago · Last seen today
Appeared in 37 threat reports