Summary (Bottom Line Up Front)
External IP 1.22.230.154 (Bengaluru, India) conducted sustained SMB reconnaissance against non-standard ports using deprecated SMBv1 protocol over a 5-hour period on March 4, 2026. This activity represents medium-risk reconnaissance that could precede exploitation of SMB vulnerabilities. Organizations should verify SMB exposure and disable legacy protocol versions.
Activity Timeline
INITIAL REPORT 2026-03-24T23:30:03Z
Source: Analyst Manual Entry
Technical details
Source: 1.22.230.154 (AS45528 Tikona Infinet Ltd., Bengaluru, IN)
Activity Window: March 4, 2026, 08:00 - 13:00 UTC (5 hours)
Volume: 439 events targeting non-standard port 9001
Protocol: SMB with deprecated SMBv1 (NT LM 0.12) and SMBv2 variants
MITRE Technique: T1190 (Exploit Public-Facing Application)
Kill Chain Phase: Reconnaissance
Key Indicators: SMBv1 protocol negotiation attempts, non-standard port targeting, sustained scanning behavior
Payload Sample: SMB header `00000045ff534d4272000000001801c8` indicating SMBv1 usage
IOCs
IP:1.22.230.154
ASN:45528
COUNTRY:IN
Recommendations
- Audit and disable SMBv1 protocol across all Windows systems and file servers
- Review firewall rules to ensure SMB ports (445, 139) are not exposed to external networks
- Monitor for SMB traffic on non-standard ports and implement detection rules for legacy protocol usage
- Apply latest security patches for SMB-related vulnerabilities (MS17-010, CVE-2020-0796)
- Consider blocking traffic from AS45528 if no legitimate business requirements exist
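The monitoring recommendation above can be prototyped against the payload sample from the technical details. This is an added example, not part of the original report: `classify_smb` and its field names are hypothetical, and the full message is constructed (the report quotes only the first 16 bytes), with a dialect list assumed from the "NT LM 0.12 and SMBv2 variants" description.

```python
import struct

SMB1_MAGIC = b"\xffSMB"          # SMBv1 protocol identifier
SMB2_MAGIC = b"\xfeSMB"          # SMBv2/3 protocol identifier
SMB1_COM_NEGOTIATE = 0x72        # SMBv1 negotiate command
SMB1_HEADER_LEN = 32
STANDARD_SMB_PORTS = {139, 445}

def classify_smb(payload: bytes, dst_port: int) -> dict:
    """Inspect the first bytes of a TCP payload for SMB and flag legacy use."""
    out = {"smb": None, "negotiate": False, "dialects": [],
           "nonstandard_port": False, "alert": False}
    # 4-byte session header: type 0x00 (session message) + 24-bit big-endian length
    if len(payload) < 8 or payload[0] != 0x00:
        return out
    length = int.from_bytes(payload[1:4], "big")
    magic = payload[4:8]
    if magic not in (SMB1_MAGIC, SMB2_MAGIC):
        return out
    out["smb"] = 1 if magic == SMB1_MAGIC else 2
    out["nonstandard_port"] = dst_port not in STANDARD_SMB_PORTS
    if out["smb"] == 1 and len(payload) > 8:
        out["negotiate"] = payload[8] == SMB1_COM_NEGOTIATE
        body = payload[4 + SMB1_HEADER_LEN:4 + length]
        if out["negotiate"] and len(body) >= 3:
            # WordCount (1 byte), parameter words, ByteCount (2 bytes), then
            # dialects: 0x02 marker + NUL-terminated ASCII string each
            start = 1 + 2 * body[0] + 2
            out["dialects"] = [d[1:].decode("ascii", "replace")
                               for d in body[start:].split(b"\x00") if d[:1] == b"\x02"]
    # Alert on any SMBv1, or on any SMB seen on a port other than 139/445
    out["alert"] = out["smb"] == 1 or out["nonstandard_port"]
    return out

# First 16 bytes quoted in the report (header prefix only)
PAGE_PREFIX = bytes.fromhex("00000045ff534d4272000000001801c8")

# Constructed full negotiate request: header fields after the quoted prefix are
# zero-filled and the dialect list is an assumption, not captured traffic
_dialects = b"".join(b"\x02" + d + b"\x00"
                     for d in (b"NT LM 0.12", b"SMB 2.002", b"SMB 2.???"))
_smb = PAGE_PREFIX[4:] + bytes(20) + b"\x00" + struct.pack("<H", len(_dialects)) + _dialects
CONSTRUCTED = b"\x00" + len(_smb).to_bytes(3, "big") + _smb

if __name__ == "__main__":
    for name, data in (("page prefix", PAGE_PREFIX), ("constructed", CONSTRUCTED)):
        print(name, classify_smb(data, 9001))
```

The same byte checks (`ff 53 4d 42` at offset 4, command `72` at offset 8) translate directly into an IDS content match that is not bound to ports 139/445.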