IOC Radar
IP · Medium · Signal 77/100

65.49.20.69

Location: United States (Pleasanton, CA)
ASN: AS6939 (The Shadow Server Foundation)
First Seen: Aug 26, 2020 (2129d ago)
Last Seen: Jun 18, 2026 (6d ago)
Reports: 33 source reports
Confidence: 77% (medium)
Found in 33 reports. Confidence: medium. Confidence scores are heuristic. Verify before acting on results.
IPv4 Address
Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 77%
Signal Score: 77 / 100
IDS Rule: No

MITRE ATT&CK TTPs

139 techniques

Network Information

Country: US (United States)
Region: Pleasanton, CA
ASN: AS6939
Organization: The Shadow Server Foundation

IP Category

Proxy
Proxy server

Feed Intelligence Summary

Source reports: 33
Confidence score: 77%
Category tags

Activity Timeline

1 total obs
Jun 18 to Jun 18

Threat Activity Heatmap

Peak: 2026-06-18
[Heatmap: daily activity by weekday, Jun through the following Jun; scale Less to More]
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: High Risk
Signal Score: 77
Coords: 37.7506, -122.4121

VirusTotal

Not checked

WHOIS

description: IPv4 hosts detected port scanning Vultr Paris (France) honeypot
raw:
Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
The Shadowserver Foundation, Inc. HURRICANE-CE2897-3D419FB3 (NET-65-49-20-64-1) 65.49.20.64 - 65.49.20.127
references:
https://github.com/telekom-security/tpotce
https://feeds.dshield.org/feeds/topips.txt
https://feeds.dshield.org/feeds/top10.txt
https://feeds.dshield.org/feeds/block.txt

IOC Journey

medium
First detected 5 years ago · Last seen 6 days ago
Appeared in 33 threat reports