IOC Radar
IP · Medium · Signal 62/100

65.49.20.110

Location
United States
Pleasanton, California
ASN
AS6939
The Shadow Server Foundation
First Seen
Aug 26, 2020 (2126d ago)
Last Seen
Jun 19, 2026 (4d ago)
Reports
29 source reports
Confidence
62% (medium)
Found in 29 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category
Network Activity
IDS Rule
No
Threat Context

MITRE ATT&CK TTPs

85 techniques

Network Information

Country: US (United States)
Region: Pleasanton, California
ASN: AS6939
Organization: The Shadow Server Foundation

IP Category

VPN
VPN exit node

Feed Intelligence Summary

29 source reports · 62% confidence score
Category tags

Activity Timeline

1 total observation (Jun 19)

Threat Activity Heatmap

Peak: 2026-06-19
24h: 0 (Dormant)
7d: 1 (Minimal)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Geolocation
Coords: 37.6951, -121.9000

VirusTotal

Not checked

WHOIS

description
IPv4 hosts detected port scanning DigitalOcean London (UK) honeypot
raw
Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
The Shadowserver Foundation, Inc. HURRICANE-CE2897-3D419FB3 (NET-65-49-20-64-1) 65.49.20.64 - 65.49.20.127

IOC Journey

medium
First detected 5 years ago · Last seen 4 days ago
Appeared in 29 threat reports