IP · Medium · Signal 66/100
65.49.1.61
Location
Pleasanton, California
ASN
AS6939
The Shadow Server Foundation
First Seen
Jun 30, 2023
Last Seen
Jun 12, 2026
Found in 38 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
Confidence
66%
Signal Score
66 / 100
IDS Rule
No
Threat Context
Tags
MITRE ATT&CK
MITRE ATT&CK TTPs
Network Information
Country
United States
Region
Pleasanton, California
ASN
AS6939
Organization
The Shadow Server Foundation
IP Category
Proxy
Proxy server
Feed Intelligence Summary
38
Source reports
66%
Confidence score
Category tags
Activity Timeline
Jun 12
Threat Activity Heatmap
24h: 1 (Minimal)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal Score: 66
Confidence: 66%
Reports: 38
First seen: Jun 30, 2023
Last seen: Jun 12, 2026
Geolocation: US
Country: United States
Location: Pleasanton, California
ASN: AS6939
Org: The Shadow Server Foundation
Coords: 37.7510, -97.8220
Proxy
VirusTotal
Not checked
WHOIS
- description
- IPv4 hosts detected port scanning Vultr Paris (France) honeypot
- raw
- Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255 The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255
IOC Journey
medium · First detected 2 years ago · Last seen today
Appeared in 38 threat reports