IP · Medium · Signal 44/100
65.49.1.215
Location
Pleasanton, California
ASN
AS6939
The Shadow Server Foundation
First Seen
Sep 20, 2023
Last Seen
Jun 3, 2026
Found in 26 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
44%
Signal Score
44 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region
Pleasanton, California
ASN
AS6939
Organization
The Shadow Server Foundation
IP Category
Proxy
Proxy server
Feed Intelligence Summary
Source reports
26
Confidence score
44%
Category tags
abuse, access control, account compromise, active scan, active scanning, adb, adbhoney alerts, adbhoney honeypot, android, android device attacks, apt, asia, asset discovery, attack, attack activity, attack preparatory, attack source ip, attacker ip, attacker-ip, australia, authentication abuse, authentication attempts, automated attack, automated attacks, automated enumeration, automated reconnaissance activity, automated threat, automated-attack, automated_attack, bad reputation, bad web bot, blacklist candidate, blacklist ip, blacklisted ip, blacklisted ip address, blocklist_all, blog spam, botnet, botnet activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute-force, brute_force, brute_force_attack, bruteforce, canada, china, cisco device, cisco device targeting, cisco exploitation attempt, cisco exploitation attempts, close, cloud environment, cloud infrastructure, cloud infrastructure attack, cloud services, code execution, code injection, command and control, command execution, command injection, communication protocol, communication security, compromised credentials, compromised host, compromised host detection, compromised system detection, configuration manipulation, configuration modification, conpot activity, conpot honeypot, cowrie, cowrie activity, cowrie honeypot, cowrie interaction, cowrie interactions, cowrie ssh attacks, cowrie ssh honeypot, cowrie ssh logs, credential access, credential attack, credential attacks, credential brute force, credential guessing, credential harvesting, credential stuffing, credential-access, credential-stuffing, credential_access, cron injection, cve, data encryption, data exfiltration, data harvesting attempts, data store exposure, database attack, database attacks, database exploitation attempts, database probing, database security, ddos, ddos attack, ddos attacks, ddos attempt, ddos probe, decoy system, denial of service, device management, dictionary attack, digital ocean, digitalocean environment, dionaea, dionaea activity, dionaea capture, dionaea detection, dionaea honeypot, dionaea interactions, dionaea malware collection, dionaea malware samples, dionaea payloads, distributed attacks,
dns, dns attack, dropper, elasticpot honeypot, elasticsearch monitoring, encryption, enterprise networking, enumeration, europe, exploit, exploit attempt, exploit attempts, exploit kit activity, exploit probing, exploit_attempts, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploitation of vulnerability, exploited host, external access attempts, external threat, external_threat, failed login attempts, fatt, fatt analysis, fatt detection, fatt signatures, file, finland, france, ftp, ftp attack, ftp attacks, ftp brute force, ftp brute-force, ftp scanning, gecko, germany, hacking, hello, honeynet connect, honeytrap activity, honeytrap data, honeytrap events, honeytrap exploit attempts, honeytrap honeypot, honeytrap interactions, http attack, http brute force, http probing, http scanner, http scanning, http/https, http/s, https, icmp, ics, ics security, ics/scada attacks, identity & access exploitation, imap, inbound scan, indicator, indicators of compromise, industrial control systems, initial access, initial access vector, initial_access, injection activity, injection attacks, intel mac, internet exposed, internet facing asset, internet of things, internet-facing, internet-facing assets, internet-wide scan, intrusion detection, ioc, iot attack, iot botnet, iot device, iot security, iot targeted, iot/ics attack, ipv4, ipv4 scanning, ipv4_address, japan, khtml, lamp, lamp server attack, lamp server targeting, lamp stack attack, lamp stack attacks, lamp stack targeting, lateral movement, lateral movement techniques, lcia, linux malware, linux server, linux servers, linux systems, linux targets, linux x8664, linux-server-attack, login attempt, login attempts, mail protocol abuse, mailoney activity, mailoney events, mailoney honeypot, mailoney interactions, malicious activity, malicious file transfer, malicious ip, malicious ip addresses, malicious ip list, malicious payload, malicious payload detection, malicious scan, malicious software, malicious ssh activity, malicious traffic, malicious-login-attempts, malware, malware analysis, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware detection, malware distribution, malware distribution attempt, malware installation,
malware propagation, malware scanning, mirai, mirai botnet, mobile, mobile security, mobile threat, modbus attacks, module loading, monthly, mssql, network, network attacks, network device, network device attacks, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempts, network intrusion detection, network port scanning, network probe, network probing, network protocol, network reconnaissance, network scanning, network scanning activity, network security, network service scanning, network services, network traffic analysis, network-based attack attempts, network-reconnaissance, network_device, network_reconnaissance, network_scan, network_scanning, north america, oceania, open proxy, opencti, os fingerprinting, os x, p0f, p0f network fingerprinting, p0f signatures, password attack, password attacks, perimeter security, phishing, phishing attack, phishing trapping of death, poland, port-scanning, portscan, possible botnet activity, possible exploit attempt, possible malware activity, possible malware propagation, possible mirai variant, potential exploit activity, potential exploit attempts, potential intrusion, potential malicious activity, potential malware distribution, potential threat actor, process injection, protocol exploitation, protocol-abuse, proxy, proxy protocol, ransomware, rce, rdp attacks, reconnaissance, reconnaissance activity, redis exploitation, redis honeypot, remote access, remote access abuse, remote access attack, remote services, replication attack, researched, resource hijacking, s7comm attacks, sans, scan, scanner, scanner detection, scanner ips, scanners, scanning activity, scripting attacks, security operations, security policy, sensor-tagged, sentrypeer activity, sentrypeer botnet, sentrypeer detection, sentrypeer events, sentrypeer interactions, server exploitation, server security, service enumeration, service probing, service scan, service scanning, sftp access attempt, sftp access attempts, sftp activity, sftp attack, sftp attacks, sftp attempt, sftp-attack, shadowsever_org-benign, singapore, sip attacks, sip brute force, sip scan, sip scanning, slaveof, smb attacks, smtp, smtp attack, smtp attacks, smtp brute force,
smtp probing, smtp scanning, social engineering, socradar honeypot, spam, sql injection, sql injection attempt, sql injection attempts, ssh, ssh attack, ssh attacks, ssh key injection, ssh monitoring, ssh-brute-force, suricata alerts, system access, t-pot, t1005, t1016, t1018, t1020, t1021, t1021.001, t1021.002, t1021.004, t1040, t1041, t1046, t1053, t1055, t1059, t1059.003, t1059.004, t1059.005, t1059.007, t1064, t1068, t1071, t1071.001, t1076, t1077, t1078, t1083, t1087, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1187, t1189, t1190, t1195, t1199, t1203, t1204.002, t1210, t1486, t1496, t1497, t1499.001, t1499.002, t1499.003, t1505.002, t1505.003, t1505.004, t1555, t1555.003, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1572, t1583, t1588, t1589, t1590, t1590.002, t1590.005, t1590.006, t1592, t1592.002, t1595, t1595.001, t1595.002, t1595.003, tanner, tanner activity, tanner events, tanner interactions, targeting database, tcp, tcp protocol, tcp scan, telecommunications, telnet, telnet attacks, telnet threat, telnet-brute-force, threat actor, threat actor: unknown, threat detection, threat intelligence, threat intelligence feed, threat prevention, threat_intelligence, tor node, tpot, tpotce, ubuntu, udp port scan, udp scan, unauthorized access, unauthorized access attempt, unauthorized login, unauthorized probing, unauthorized-access-attempt, united kingdom, united states, unix targets, unknown threat actor, unusual network traffic, us, valid accounts, verified-benign, vnc protocol, voidtrap, voip, voip attack, vulnerability scan, vultr, vultr infrastructure, vultr_platform_activity, web app attack, web application attack, web application attacks, web application scan, web application scanning, web attack, web attacks, web crawling detection, web exploit, web exploitation, web server, web server attacks, web shell detection, web spam, web traffic, web-application-attack, web_application, windows nt
Activity Timeline
Jun 3 to Jun 3
Threat Activity Heatmap
Peak: 2026-06-03
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Threat Score
Medium Risk
44
SIGNAL
Signal Score
44%
Confidence
26
Reports
First seen
Sep 20, 2023
Last seen
Jun 3, 2026
Geolocation
US
Country
United States
Location
Pleasanton, California
ASN
AS6939
Org
The Shadow Server Foundation
Coords
37.7510, -97.8220
Proxy
VirusTotal
Not checked
WHOIS
- description
- IPv4 hosts detected port scanning DigitalOcean Toronto (CA) honeypot
- raw
- Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255 The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
- references
- https://github.com/telekom-security/tpotce, https://chiraba.com:8443/hourly
IOC Journey
Medium. First detected 2 years ago; last seen 9 days ago.
Appeared in 26 threat reports