IP · Medium · Signal 61/100
65.49.1.53
Location
Pleasanton, California
ASN
AS6939
The Shadow Server Foundation
First Seen
Jan 20, 2021
Last Seen
Jun 11, 2026
Found in 37 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
61%
Signal Score
61 / 100
IDS Rule
No
Network Information
Country
United States
Region
Pleasanton, California
ASN
AS6939
Organization
The Shadow Server Foundation
IP Category
Proxy
Proxy server
Feed Intelligence Summary
Source reports
37
Confidence score
61%
Category tags
Activity Timeline
Threat Activity Heatmap
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score
Medium Risk
Signal Score
61
Confidence
61%
Reports
37
First seen
Jan 20, 2021
Last seen
Jun 11, 2026
Geolocation
US
Country
United States
Location
Pleasanton, California
ASN
AS6939
Org
The Shadow Server Foundation
Coords
37.6951, -121.9000
Proxy
VirusTotal
Not checked
WHOIS
- description: IPv4 hosts detected port scanning Vultr Melbourne (Australia) honeypot
- raw:
  - Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
  - The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
IOC Journey
medium · First detected 5 years ago · Last seen 1 day ago
Appeared in 37 threat reports