IOC Radar
IP · Medium · Signal 61/100

65.49.1.65

Location: United States, Pleasanton, California
ASN: AS6939 (The Shadow Server Foundation)
First Seen: Jun 30, 2023 (1077d ago)
Last Seen: Jun 12, 2026 (today)
Reports: 38 source reports
Confidence: 61% (medium)

Found in 38 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
Indicator type: IPv4 Address (network layer indicator observed in threat reports)
MISP Category: Network Activity
Confidence: 61%
Signal Score: 61 / 100
IDS Rule: No
Threat Context

Tags: MITRE ATT&CK
MITRE ATT&CK TTPs: 96 techniques

Network Information

Country: US (United States)
Region: Pleasanton, California
ASN: AS6939
Organization: The Shadow Server Foundation

IP Category: Proxy (proxy server)

Feed Intelligence Summary

Source reports: 38
Confidence score: 61%

Category tags
abuseaccess controlaccount compromiseack scanactive scanactive scanningadbadbhoney alertsadbhoney honeypotadminandroid device attacksapacheapache attackerapplication layer protocolaptasiaatif feedattachment phishingattackattack activityattack preparatoryattack vectorsattacker-ipaustraliaauthentication attackauthentication attacksauthentication attemptsauthentication logsauto-generated securityautomated attackautomated attack attemptsautomated attacksautomated emailautomated scanningautomated threatautomated-attackautomated_attackbad reputationbad web botbankingbanlist feedbase64base64 encodingbecbeningbening scannerbinary defenseblacklist candidateblacklist ipblock listblog spambotnetbotnet activitybotnet-activitybrazilbrute forcebrute force attackbrute force attackerbrute force attacksbrute force attemptbrute force attemptsbrute-forcebrute-force attackbrute_forcebrute_force_attemptbruteforcebulk emailc2c2 communicationcanadacertchina mobilecisco asacisco attackcisco devicecisco device attackcisco exploitcisco exploit attemptcisco exploitation attemptcisco exploitation attemptscloud environmentcloud infrastructurecloud infrastructure attackcloud servicescloud-infrastructurecloud_infrastructurecms probingcode executioncode-injectioncolumnscommand & controlcommand and controlcommand executioncommand injectioncommunication protocolcommunication securitycompany limitedcompromised credentialscompromised credentials attemptcompromised hostconnect scanconpot attackconpot honeypotcowriecowrie activitycowrie attackcowrie attackscowrie honeypotcowrie interactionscowrie ssh attackcowrie ssh attackscowrie ssh honeypotcowrie ssh logscredential accesscredential access attemptcredential attackcredential attackscredential brute forcecredential guessingcredential harvestingcredential phishingcredential stuffingcredential-abusecredential-attackcredential_accesscredit card servicescross-site scripting probectacurlcyberattackdata encryptiondata exfiltrationdata store exposuredatabase 
attackdatabase attacksdatabase login attemptdatabase securitydatabase-serverdcerpcdcom exploitationddosddos attackddos attacksddos probedecoy systemdenial of servicedevice managementdictionary attackdigital oceandigitalocean infrastructuredionaeadionaea activitydionaea attackdionaea attacksdionaea detectiondionaea honeypotdionaea interactionsdionaea malware collectiondionaea malware samplesdionaea payloadsdirectory traversaldistributed attacksdnsdns attackdropperelasticpot honeypotelasticsearch monitoringencryptionenterprise networkingenumerationeuropeexploitexploit attemptexploit attemptsexploit probingexploit targetingexploit_attemptsexploitationexploitation activityexploitation attemptexploitation attemptsexploitation of vulnerabilityexploited hostexternal access attemptsexternal attackexternal-threatexternal_threatfailed login attemptsfattfatt analysisfatt detectionsfatt signaturesfilefin scanfinancefinancial servicesfinancial technologyfinlandfranceftpftp attackftp attacksftp attemptftp brute forceftp brute-forcegermanyhackingheralding attackhk abusehandlerhoneynet connecthoneytrap activityhoneytrap datahoneytrap eventshoneytrap exploit attemptshoneytrap honeypothoneytrap interactionshong konghttp attackhttp brute forcehttp probinghttp scannerhttp scanninghttp/shttpsicmpicsics securityics/scada attacksidentity & access exploitationimapinbound scanindicatorindicators of compromiseindustrial control systemsinformation disclosureinfrastructure acquisitionreconnaissanceinfrastructure scanninginfrastructure targetinginitial accessinitial_accessinjection activityinjection attacksinternet of thingsinternet-facinginternet-facing systemsinternet-wide monitoringinternet-wide scaninternet_scaninternet_wide_scanintrusion detectioniociot botnetiot securityiot targetediot/ics attackip-address-iocipv4ipv4 activityipv4 indicatorsipv4 threatsipv4-addressesipv4_activityipv4_addressipv4_indicatorsjapankfsensor honeypotlamplamp attacklamp exploitation attemptslamp server 
attacklamp server targetinglamp stack attacklamp stack exploitationlamp stack targetinglateral movementlcialinux systemslinux-systemlogin attacklogin attemptlogin failuremailoney activitymailoney eventsmailoney honeypotmailoney interactionsmalicious activitymalicious activity detectedmalicious file transfermalicious ipmalicious ip addressesmalicious ipsmalicious login attemptsmalicious network activitymalicious scanmalicious sip activitymalicious softwaremalicious trafficmalicious-ipmalwaremalware analysismalware behaviourmalware capturemalware deliverymalware detectionmalware distributionmalware downloadmalware propagationmanualmicrosoft technologiesmiraimirai botnetmobilemobile securitymobile threatmodbus attacksmssqlnetworknetwork attacksnetwork device attacksnetwork discoverynetwork enumerationnetwork infrastructurenetwork intrusionnetwork intrusion attemptnetwork intrusion attemptsnetwork intrusion detectionnetwork layer protocolnetwork probingnetwork protocolnetwork reconnaissancenetwork scanningnetwork securitynetwork security monitoringnetwork service discoverynetwork service scanningnetwork servicesnetwork traffic analysisnetwork-based attack attemptsnetwork-devicenetwork-reconnaissancenetwork_devicenetwork_discoverynetwork_reconnaissancenetwork_scanningnetworkscanningnorth americanull scanoceaniaopen_port_discoveryowaspp0fp0f network fingerprintingp0f os fingerprintingp0f passive fingerprintingp0f signaturespasswordpassword attackpassword attackspassword crackingpassword theftpayment fraudpayment processingperimeter securitypgp signphishingphishing attackphishing campaignphishing trapping of deathpolandport-scanningportscanpossible botnet activitypossible malware distributionpossible mirai variantpotential credential compromisepotential malware infectionprice requestprice request scamprocess injectionprotocol exploitationproxyproxy accessproxy protocolransomwarerdprdp attacksrdp scanningreconnaissancereconnaissance activityredis honeypotredishoneypot 
activityremote accessremote servicesresearchedresource enumerationresource hijackingrpcrtbhs7comm attackssansscams & fraudscanscannerscanner activityscannersscanning activityscanning_activityschedule themescheduled task abusescripting attackssecurity eventsecurity operationssecurity policysensor-taggedsentrypeer activitysentrypeer botnetsentrypeer detectionsentrypeer eventssentrypeer interactionsserver exploitationserver securityservice discoveryservice enumerationservice probingservice scanservice_enumerationsftp access attemptsftp access attemptssftp activitysftp attacksftp attemptshadowsever_org-benignshell accesssip attackssip brute forcesip scanningsippsmb attackssmtpsmtp attackersmtp attackssmtp brute forcesmtp probingsmtp scanningsocial engineeringsocradarsoftware exploitationspamsql injectionsql injection attemptsql injection probesql-injectionsshssh attackssh attacksssh monitoringssh scanningsuricata alertsuricata alertssynsyn scansystem accesssystem administrationt-pott1003t1003.001t1005t1016t1016.001t1018t1020t1021t1021.001t1021.002t1021.003t1021.004t1021.005t1021.006t1027t1040t1041t1046t1047t1053t1055t1059t1059.001t1059.003t1059.004t1059.007t1064t1068t1071t1071.001t1076t1077t1078t1078.001t1078.002t1078.003t1078.004t1083t1087t1105t1110t1110.001t1110.002t1110.003t1110.004t1133t1187t1189t1190t1192t1195t1199t1202t1203t1204.002t1210t1486t1496t1497t1497.001t1499.001t1499.002t1499.003t1505.002t1550t1550.002t1550.003t1555t1562t1563t1565t1566t1566.001t1566.002t1566.003t1566.004t1572t1583t1587.001t1588t1589t1590t1590.001t1590.002t1590.005t1590.006t1591t1592t1593t1594t1595t1595.001t1595.002t1595.003t1598t1598.003tannertanner activitytanner attacktanner eventstanner http honeypottanner interactionstargeting databasetariff server compromisetariff server themetariffs servertcptcp protocoltcp scantcp scanningtcp_scantelecommunicationstelnet attackstelnet threatthreat actorthreat actor: unknownthreat detectionthreat feedthreat intelligencethreat intelligence feedthreat 
preventionthreat-feedthreat-intelligencethreat_discoverytokyotor nodetpottpotceudp port scanudp scanudp_scanunattributed activityunattributed threat actorunauthorized accessunauthorized access attemptunauthorized loginunited kingdomunited statesunited states of americaunknown threat actorusus abuseus nonevalid accountsverified-benignvnc protocolvoidtrapvoidtrap-intelligencevoipvoip attackvulnerability scanvultrvultr infrastructurewealth managementweb app attackweb applicationweb application attackweb application attacksweb application scanningweb attackweb attacksweb exploitweb exploitationweb login attemptweb scannerweb serverweb server attacksweb service scanningweb shell detectionweb shell uploadweb spamweb trafficweb-application-attackweb-serverweb_applicationwetransfer abusewgetwinwindowsxmas scan

Activity Timeline

1 total observation (Jun 12 to Jun 12)

Threat Activity Heatmap

[Calendar heatmap, Jun to Jun, weekday rows Mon/Wed/Fri, intensity scale Less to More; grid not reproduced here]

Observations by window:
24h: 1 (Minimal)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: 61 (Medium Risk)
Signal Score: 61%
Confidence: 38 reports
First seen: Jun 30, 2023
Last seen: Jun 12, 2026
Geolocation: US
Country: United States
Location: Pleasanton, California
ASN: AS6939
Org: The Shadow Server Foundation
Coords: 37.6951, -121.9000
Category: Proxy

VirusTotal: Not checked

WHOIS

Description: IPv4 hosts detected port scanning Vultr Tokyo (Japan) honeypot
Raw: Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255 The Shadowserver Foundation, Inc. HURRICANE-CE2897-409C062A (NET-65-49-1-0-1) 65.49.1.0 - 65.49.1.255

Export & API

STIX 2.1 Bundle
CSV Export
Permalink

IOC Journey

Confidence: medium
First detected 2 years ago · Last seen today
Appeared in 38 threat reports