IP · Medium · Signal 60/100
65.49.1.56
Location
Pleasanton, California
ASN
AS6939
The Shadow Server Foundation
First Seen
Jan 20, 2021
Last Seen
Jun 12, 2026
Found in 37 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
60%
Signal Score
60 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region
Pleasanton, California
ASN
AS6939
Organization
The Shadow Server Foundation
IP Category
Proxy
Proxy server
Feed Intelligence Summary
37 reports
60% confidence
37
Source reports
60%
Confidence score
Category tags
Activity Timeline
Jun 12 to Jun 12
Threat Activity Heatmap
24h: 1 (Minimal)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score
Medium Risk
60
SIGNAL
Signal Score
60%
Confidence
37
Reports
First seen
Jan 20, 2021
Last seen
Jun 12, 2026
Geolocation
US
Country
United States
Location
Pleasanton, California
ASN
AS6939
Org
The Shadow Server Foundation
Coords
37.6951, -121.9000
Proxy
VirusTotal
Not checked
WHOIS
- description: IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
- raw:
  - Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
  - The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
IOC Journey
medium · First detected 5 years ago · Last seen today
Appeared in 37 threat reports