IP 65.49.1.231 · Medium · Signal 54/100
Location: Pleasanton, California
ASN: AS6939 (Hurricane Electric)
Organization: The Shadowserver Foundation, Inc. (the WHOIS record on this page shows the /24 NET-65-49-1-0-1 registered to Shadowserver inside Hurricane Electric's 65.49.0.0/17 allocation)
First seen: Sep 20, 2023
Last seen: Jun 17, 2026
Found in 23 reports. Confidence: medium. Confidence scores are heuristic; verify before acting on results. For this indicator the WHOIS allocation and the feed tags (shadowsever_org-benign, verified-benign) point to The Shadowserver Foundation, a non-profit that runs internet-wide research scanning, so the honeypot port-scanning reports are consistent with benign scanning rather than with an attack source. Treat the score as a prompt to check the allocation, not as grounds to block.
Type: IPv4 address (network-layer indicator observed in threat reports)
MISP category: Network Activity
Confidence: 54%
Signal score: 54 / 100
IDS rule: No
Network Information
Country: United States
Region: Pleasanton, California
ASN: AS6939
Organization: The Shadowserver Foundation, Inc.
IP category: Proxy (proxy server)
Feed Intelligence Summary
Source reports: 23
Confidence score: 54%
Category tags (collected across the 23 reports; the list mixes honeypot sensor names, ATT&CK technique IDs and geographic labels):
abuse, access control, account compromise, account security, active scan, active scanning, adb, adb brute force, adbhoney activity, adbhoney honeypot, administrative access, agent, alert, application layer protocol, apt, asia, attack, attack attempt, attack preparatory, attack source ip, attacker ip addresses, attacker-ip, attacking-ips, australia, authentication attack, authentication attempts, automated attack, automated attacks, automated threat, automated threats, automated-attack, automated_attack, bad reputation, bad web bot, banking, blacklist candidate, blacklist ip, botnet, botnet activity, botnet-activity, brute force, brute force attack, brute force attacker, brute force attacks, brute force attempt, brute force attempts, brute-force, brute_force, brute_force_attempt, bruteforce, canada, china, cins active, cisco brute force, cisco device, cisco device attack, cisco device attacks, cisco device scanning, cisco exploitation attempts, cisco logs, cisco-device-targeting, cloud environment, cloud infrastructure, cloud infrastructure attack, cloud services, cloud_infrastructure, code execution, code injection, command and control, command execution, command injection, command injection attempt, communication protocol, compromised credentials, compromised host, conpot activity, conpot attack, conpot honeypot, cowrie, cowrie activity, cowrie attack, cowrie attacks, cowrie honeypot, cowrie interactions, cowrie logs, cowrie ssh attack, cowrie ssh attacks, cowrie ssh honeypot, credential access, credential access attempts, credential attack, credential attacks, credential brute force, credential brute-forcing, credential compromise attempt, credential harvesting, credential stuffing, credential-access, credential-stuffing, credential_access, credit card services, cve, data encryption, data exfiltration, data store exposure, database attack, database attacks, database probing, database security, dcom exploitation, ddos, ddos attack, ddos attacks, ddos attempt, ddos reflection, decoy system, denial of service, device management, dictionary attack, digital ocean, digitalocean environment, digitalocean infrastructure, dionaea, dionaea activity, dionaea attack, dionaea attacks, dionaea honeypot, dionaea interactions, dionaea logs, dionaea malware samples, dionaea payloads, directory traversal attempt, distributed attacks, dns, dns attack, dropper, dshield block, elasticpot honeypot, elasticsearch monitoring, encryption, enterprise networking, enumeration, et drop, europe, exploit, exploit attempt, exploit attempts, exploit kit activity, exploit probing, exploit public-facing application, exploitation, exploitation activity, exploitation attempt, exploitation attempts, exploited host, external access attempts, external reconnaissance, external threat, external_threat, failed login attempts, fatt, fatt analysis, fatt detections, fatt signatures, file, finance, finance and insurance, financial services, financial technology, finland, france, ftp, ftp attacks, ftp brute force, ftp brute-force, ftp scan, ftp scanning, germany, hacking, heralding activity, honeynet connect, honeytrap activity, honeytrap data, honeytrap events, honeytrap exploit attempts, honeytrap honeypot, honeytrap interactions, http brute force, http probing, http scan, http scanner, http scanning, http/s, https, icmp, ics security, ics/scada attack, identity & access exploitation, imap, inbound scan, indicator, indicators of compromise, indicators-of-compromise, industrial control systems, information gathering, infrastructure reconnaissance, infrastructure scanning, infrastructure targeting, initial access, initial access attempt, initial access vector, initial_access, injection activity, injection attacks, internet of things, internet-facing, internet-facing assets, internet-facing service, internet-wide observation, internet-wide scan, internet_wide_scan, intrusion attempt, intrusion detection, ioc, iocs, iot botnet, iot security, iot targeted, iot/ics attack, ip-addresses, ipv4, ipv4 addresses, ipv4 ioc, ipv4 port scanning, ipv4 scanning, ipv4 traffic, ipv4_activity, ipv4_address, ipv4_indicators, japan, lamp, lamp attack, lamp exploitation attempt, lamp exploitation attempts, lamp server attack, lamp server targeting, lamp stack attack, lamp stack targeting, lateral movement, lcia, linux servers, linux systems, linux-server-attack, linux-server-targeting, linux_server_attacks, listed source, login attempt, login_attempt, london, mail protocol abuse, mailoney activity, mailoney attack, mailoney events, mailoney honeypot, mailoney interactions, mailoney logs, malicious activity, malicious activity detected, malicious email, malicious file transfer, malicious infrastructure, malicious ip list, malicious ipv4, malicious payload, malicious payload detection, malicious scan, malicious software, malicious traffic, malicious-login-attempts, malicious-scan, malware, malware analysis, malware behaviour, malware capture, malware delivery, malware delivery attempt, malware distribution, malware download, malware propagation, malware_activity, microsoft technologies, mirai botnet, mobile, mobile security, monthly, mssql, network, network activity, network attacks, network discovery, network enumeration, network infrastructure, network intrusion, network intrusion attempt, network intrusion attempts, network intrusion detection, network port scanning, network probe, network probing, network protocol, network reconnaissance, network scan, network scanning, network scanning activity, network security, network service scanning, network services, network traffic analysis, network-based attack attempts, network-reconnaissance, network_activity, network_discovery, network_enumeration, network_reconnaissance, network_scanning, north america, oceania, open proxy, operating system, operating system security, opportunistic attack, opportunistic attacker, opportunistic-attack, p0f, p0f network fingerprinting, p0f os fingerprinting, p0f passive fingerprinting, p0f signatures, paris, password attack, password attacks, password cracking, payment processing, phishing, phishing attack, phishing trap, php exploit, ping, ping of death, poland, poor reputation, port, port-scanning, portscan, possible malware distribution, possible malware propagation, possible mirai variant, potential credential stuffing, potential vulnerability scan, privilege escalation, process injection, proto, protocol exploitation, protocol-abuse, proxy, proxy protocol, public cloud, public cloud targeting, ransomware, rdp attacks, rdp scan, rdp scanning, reconnaissance, reconnaissance activity, reconnaissance-activities, redis exploitation attempts, redis honeypot, remote access, remote service exploitation, remote services, researched, resource hijacking, rpc, sans, scan, scanner, scanner ip, scanner ips, scanners, scanning activity, scanning_activity, scripting attacks, security event, security operations, security policy, sensor-tagged, sentrypeer activity, sentrypeer botnet, sentrypeer detection, sentrypeer events, sentrypeer interactions, sentrypeer logs, server exploitation, service discovery, service enumeration, service probing, service scan, service scanning, service-discovery, sftp activity, sftp attack, sftp attacks, sftp-attack, sftp-brute-force, shadowsever_org-benign, singapore, sip attacks, sip brute force, sip scanning, sip-scanning, smtp, smtp attacks, smtp brute force, smtp probing, smtp scan, smtp scanning, social engineering, socradar honeypot, software exploitation, spam, sql injection, sql injection attempt, ssh, ssh attack, ssh attacks, ssh monitoring, ssh scan, ssh-brute-force, suricata alert, suricata alerts, syn, system access, t-pot, t1005, t1016, t1018, t1020, t1021, t1021.001, t1021.002, t1021.004, t1027, t1040, t1041, t1046, t1047, t1053, t1053.005, t1055, t1059, t1059.001, t1059.003, t1059.004, t1059.007, t1064, t1068, t1069.001, t1071, t1071.001, t1076, t1077, t1078, t1078.001, t1078.002, t1078.003, t1078.004, t1083, t1087, t1088, t1105, t1110, t1110.001, t1110.002, t1110.003, t1110.004, t1133, t1187, t1189, t1190, t1195, t1202, t1203, t1204, t1204.002, t1210, t1486, t1496, t1497.001, t1499.001, t1499.002, t1499.003, t1505, t1505.002, t1550.003, t1555, t1562, t1563, t1565, t1566, t1566.001, t1566.002, t1566.003, t1566.004, t1572, t1583, t1588, t1589, t1590, t1590.003, t1590.004, t1590.005, t1590.006, t1592, t1592.002, t1595, t1595.001, t1595.002, t1595.003, tanner, tanner activity, tanner events, tanner interactions, tanner logs, targeting database, tcp protocol, tcp scan, tcp scanning, tcp-scan, telecommunications, telnet attacks, telnet scan, telnet threat, telnet-brute-force, threat actor, threat detection, threat intelligence, threat intelligence feed, threat prevention, threat-intelligence, tor node, toronto, tpot, tpotce, udp port scan, udp scan, udp-scan, unauthorized access, unauthorized access attempt, unauthorized login, unauthorized-access-attempt, unauthorized_access_attempt, united kingdom, united states, unknown actor, unknown threat actor, us, verified-benign, vnc protocol, voidtrap, voip, voip attack, voip systems, vulnerability scan, vulnerability-scanning, vultr, vultr infrastructure, vultr paris, vultr tokyo, wealth management, web app attack, web application attack, web application attacks, web application scanning, web attack, web attacks, web exploit, web exploit attempt, web exploitation, web scanner, web server attacks, web servers, web shell attempt, web shell detection, web spam, web traffic, web-application-attack, web-application-attacks, web_attack
Activity Timeline
Threat activity heatmap (peak: 2026-06-17). Report counts by window:
24h: 0 (dormant)
7d: 1 (minimal)
30d: 1 (minimal)
3mo: 1 (minimal)
Threat score: 54 (medium risk); signal 54%; 23 reports
Coordinates: 37.6951, -121.9000
Proxy: yes
VirusTotal: not checked
WHOIS
- Description: IPv4 hosts detected port scanning Vultr Paris (France) honeypot
- Raw record:
- Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
- The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
- References: https://github.com/telekom-security/tpotce
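The check a responder would want to run before acting on this entry, as an added example that is not part of the page or of the feed's own tooling: parse the raw WHOIS record above into its two allocations, pick the most specific one that contains the indicator, and combine the registrant with the feed's benign tags. The WHOIS text and the tag names are taken from the page; the BENIGN_TAGS set, the verdict strings and the classify() rule are assumptions of this example, not a rule the feed defines.

```python
import ipaddress
import re
from typing import NamedTuple

# Raw WHOIS text exactly as shown on the page for 65.49.1.231: the parent
# Hurricane Electric allocation and the more specific /24 registered to Shadowserver.
RAW_WHOIS = (
    "Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255 "
    "The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) "
    "65.49.1.0 - 65.49.1.255"
)

# Feed tags present on the page that mark the source as a known research scanner.
# Treating these as "benign markers" is an assumption of this example.
BENIGN_TAGS = {"shadowsever_org-benign", "verified-benign"}

# One ARIN-style allocation: "<org> <handle> (<NET-name>) <start> - <end>".
_ALLOC_RE = re.compile(
    r"(?P<org>.+?)\s+(?P<handle>\S+)\s+\((?P<netname>NET-[\w-]+)\)\s+"
    r"(?P<start>\d+(?:\.\d+){3})\s+-\s+(?P<end>\d+(?:\.\d+){3})"
)


class Allocation(NamedTuple):
    org: str
    netname: str
    networks: tuple  # CIDR blocks that exactly cover the registered range


def parse_allocations(raw):
    """Split a flattened WHOIS string into Allocation records."""
    allocs = []
    for m in _ALLOC_RE.finditer(raw):
        nets = tuple(ipaddress.summarize_address_range(
            ipaddress.ip_address(m["start"]), ipaddress.ip_address(m["end"])))
        allocs.append(Allocation(m["org"].strip(), m["netname"], nets))
    return allocs


def most_specific_allocation(ip, allocs):
    """Return the allocation with the longest prefix containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    best, best_len = None, -1
    for alloc in allocs:
        for net in alloc.networks:
            if addr in net and net.prefixlen > best_len:
                best, best_len = alloc, net.prefixlen
    return best


def classify(ip, raw_whois, tags):
    """Hypothetical triage verdict: registrant of the covering block plus feed tags."""
    alloc = most_specific_allocation(ip, parse_allocations(raw_whois))
    if alloc is None:
        return "unknown-allocation"
    if "shadowserver" in alloc.org.lower() and tags & BENIGN_TAGS:
        return "research-scanner"
    return "review"


if __name__ == "__main__":
    tags = {"active scan", "port-scanning", "verified-benign"}
    alloc = most_specific_allocation("65.49.1.231", parse_allocations(RAW_WHOIS))
    print(alloc.netname, alloc.org, classify("65.49.1.231", RAW_WHOIS, tags))
```

The regex is non-greedy on the organization name so that multi-word registrants ("The Shadowserver Foundation, Inc.") are captured whole; the most specific covering block wins, which is why the /24 registered to Shadowserver, not the parent /17, decides the verdict for this IP.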
IOC Journey
Medium: first detected 2 years ago, last seen 5 days ago; appeared in 23 threat reports.