IP · Medium · Signal 55/100
65.49.1.193
Location
Pleasanton, California
ASN
AS6939
The Shadow Server Foundation
First Seen
Sep 20, 2023
Last Seen
Jun 7, 2026
27
Reports
source reports
55%
Confidence
medium
8/91
VirusTotal
detections
Found in 27 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
55%
Signal Score
55 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region
Pleasanton, California
ASN
AS6939
Organization
The Shadow Server Foundation
IP Category
Proxy
Proxy server
VPN
VPN exit node
Feed Intelligence Summary
27 reports · 55% confidence
27
Source reports
55%
Confidence score
Category tags
Activity Timeline
Threat Activity Heatmap
[heatmap figure: activity range Jun 7 to Jun 7, peak 2026-06-07]
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
55
SIGNAL
Signal Score
55%
Confidence
27
Reports
First seen: Sep 20, 2023
Last seen: Jun 7, 2026
Geolocation: US
Country: United States
Location: Pleasanton, California
ASN: AS6939
Org: The Shadow Server Foundation
Coords: 37.6951, -121.9000
Proxy / VPN
WHOIS
- description: IPv4 hosts detected port scanning Vultr Tokyo (Japan) honeypot
- raw: Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255 The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
- references: https://github.com/telekom-security/tpotce, https://raw.githubusercontent.com/ahamed-rizvan/IOCs/refs/heads/main/Malicous%20IP%20Address.txt
IOC Journey
Medium · First detected 2 years ago · Last seen 4 days ago
Appeared in 27 threat reports