IP · Medium · Signal 60/100
65.49.1.208
Location: Pleasanton, California
ASN: AS6939 (The Shadow Server Foundation)
First Seen: Sep 20, 2023
Last Seen: Jun 3, 2026
Found in 26 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 60%
Signal Score: 60 / 100
IDS Rule: No
Network Information
Country: United States
Region: Pleasanton, California
ASN: AS6939
Organization: The Shadow Server Foundation
IP Category: Proxy (Proxy server)
Feed Intelligence Summary
Source reports: 26
Confidence score: 60%
Category tags
Activity Timeline
[Threat activity heatmap; peak: 2026-06-03]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Coords: 37.7510, -97.8220
VirusTotal
Not checked
WHOIS
- description: IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
- raw:
  - Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
  - The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
IOC Journey
Medium · First detected 2 years ago · Last seen 9 days ago
Appeared in 26 threat reports