IP · Medium · Signal 47/100
65.49.1.223
Location
Pleasanton, California
ASN
AS6939
The Shadow Server Foundation
First Seen
Sep 20, 2023
Last Seen
Jun 13, 2026
Found in 26 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
47%
Signal Score
47 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region
Pleasanton, California
ASN
AS6939
Organization
The Shadow Server Foundation
IP Category
Proxy
Proxy server
Feed Intelligence Summary
26 reports · 47% confidence
26
Source reports
47%
Confidence score
Category tags
Activity Timeline
Threat Activity Heatmap
Peak: 2026-06-13
24h
0
Dormant
7d
0
Dormant
30d
1
Minimal
3mo
1
Minimal
Threat Score
Medium Risk
47
SIGNAL
Signal Score
47%
Confidence
26
Reports
First seen
Sep 20, 2023
Last seen
Jun 13, 2026
Geolocation
US
Country
United States
Location
Pleasanton, California
ASN
AS6939
Org
The Shadow Server Foundation
Coords
37.7510, -97.8220
Proxy
VirusTotal
Not checked
WHOIS
- description
- IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
- raw
- Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
- The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
IOC Journey
medium · First detected 2 years ago · Last seen 10 days ago
Appeared in 26 threat reports