IOC Radar
IP · Medium · Signal 63/100

65.49.20.75

Location: United States (Pleasanton, California)
ASN: AS6939 (The Shadow Server Foundation)
First Seen: Aug 26, 2020 (2131d ago)
Last Seen: Jun 19, 2026 (8d ago)
Reports: 31 source reports
Confidence: 63% (medium)
Found in 31 reports. Confidence: medium. · Confidence scores are heuristic. Verify before acting on results.
IPv4 Address: Network layer indicator observed in threat reports.
MISP Category: Network Activity
Confidence: 63%
Signal Score: 63 / 100
IDS Rule: No
Threat Context

MITRE ATT&CK TTPs: 90 techniques

Network Information

Country: United States (US)
Region: Pleasanton, California
ASN: AS6939
Organization: The Shadow Server Foundation

IP Category

Proxy: Proxy server
VPN: VPN exit node

Feed Intelligence Summary

Source reports: 31
Confidence score: 63%
Category tags

Activity Timeline

1 total observation: Jun 19 to Jun 19

Threat Activity Heatmap

Peak: 2026-06-19
24h: 0 (Dormant)
7d: 0 (Dormant)
30d: 1 (Minimal)
3mo: 1 (Minimal)
Threat Score: Medium Risk
Signal Score: 63
Confidence: 63%
Reports: 31
First seen: Aug 26, 2020
Last seen: Jun 19, 2026
Geolocation: US
Country: United States
Location: Pleasanton, California
ASN: AS6939
Org: The Shadow Server Foundation
Coords: 37.5483, -121.9886
Proxy, VPN

VirusTotal

Not checked

WHOIS

description: IPv4 hosts detected port scanning Vultr Melbourne (Australia) honeypot
raw:
Hurricane Electric LLC HURRICANE-9 (NET-65-49-0-0-1) 65.49.0.0 - 65.49.127.255
The Shadowserver Foundation, Inc. HURRICANE-CE2897-3D419FB3 (NET-65-49-20-64-1) 65.49.20.64 - 65.49.20.127

IOC Journey

medium
First detected 5 years ago · Last seen 8 days ago
Appeared in 31 threat reports