103.93.93.211

Summary (Bottom Line Up Front)

IP address 103.93.93.211 conducted automated default-credential guessing (brute force) against telnet services from March 27-30, 2026, generating 756 events that targeted default credentials. Although the original entry labels this "credential stuffing", the observed behaviour (repeatedly trying the vendor pair default/default rather than replaying breached credential lists) is password guessing, which matches the T1110.001 mapping given below. This represents a MEDIUM threat level consistent with IoT botnet recruitment activity. Organizations should immediately audit telnet-enabled devices for default credentials and restrict telnet access.

Tags: TCP, TCP/SYN, TELNET
Activity Timeline
INITIAL REPORT2026-03-30T19:23:13Z
Source: Analyst Manual Entry
Technical details
  • Attack Vector: Automated password guessing against the TELNET protocol (TCP/23) using the default/default credential pair
  • Volume: 756 total events over 58-hour period (March 27 18:00 - March 30 04:00 UTC)
  • MITRE Technique: T1110.001 (Brute Force: Password Guessing)
  • Kill Chain Phase: Exploitation
  • Primary Patterns: CREDENTIAL_CAPTURE authentication retries (99 hits) and standard authentication attempts (50 hits); the remaining events of the 756 are not broken out by pattern
  • IOC: 103.93.93.211 (single source IP, no reverse DNS resolution)
  • Target Scope: Single destination port (TCP/23), indicating targeted credential guessing rather than broad port scanning
IOCs
IP:103.93.93.211
Recommendations
  • Immediately audit all telnet-enabled devices and systems for default credentials, prioritizing IoT devices and network infrastructure
  • Block or restrict telnet access (TCP/23) at network perimeters and implement SSH as a secure alternative where remote access is required
  • Deploy rate limiting and account lockout policies for authentication attempts where the device supports them; many IoT telnet daemons do not, which is why changing the default credentials or disabling telnet takes priority
  • Monitor for authentication failures and implement alerting for credential stuffing patterns across all remote access services
  • Consider blocking traffic from IP 103.93.93.211 and monitor for similar attack patterns from related infrastructure
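The monitoring and alerting recommendations above can be turned into a concrete detector. The following Python script is an added example for this report, not code from the original page or from the reporting platform: it parses telnet authentication log lines (the line layout, the sample log, the extra default-credential pairs beyond default/default, and the 10-minute/5-attempt window and threshold are all assumptions made for the example), aggregates attempts per source IP, and raises an alert when a source exceeds the rate threshold, tries known default credentials, matches the IOC from this report, or logs in successfully after guessing.

```python
"""Single-source telnet default-credential guessing detector (T1110.001).

Added example for this report; it is not code from the original page.
The log format below is constructed for the example. Real telnet daemons
and honeypots log differently, so adjust LINE_RE / parse_line accordingly.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Credential pairs commonly shipped on IoT and network gear. The report only
# observed default/default; the other pairs are illustrative assumptions.
DEFAULT_CREDS = {("default", "default"), ("admin", "admin"), ("root", "root"),
                 ("admin", ""), ("root", "")}

KNOWN_BAD_SOURCES = {"103.93.93.211"}  # IOC from the report

# Assumed line layout (constructed for this example):
#   <ISO-8601 ts> src=<ip> dport=<port> user=<name> pass=<secret> result=<fail|retry|success>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

# Constructed sample log: six rapid default-credential guesses from the IOC,
# one legitimate operator login, one malformed line, one operator typo.
SAMPLE_LOG = """\
2026-03-27T18:00:01Z src=103.93.93.211 dport=23 user=default pass=default result=fail
2026-03-27T18:00:03Z src=103.93.93.211 dport=23 user=default pass=default result=retry
2026-03-27T18:00:05Z src=103.93.93.211 dport=23 user=admin pass=admin result=fail
2026-03-27T18:00:06Z src=103.93.93.211 dport=23 user=admin pass=admin result=retry
2026-03-27T18:00:09Z src=103.93.93.211 dport=23 user=root pass=root result=fail
2026-03-27T18:00:11Z src=103.93.93.211 dport=23 user=root pass= result=retry
2026-03-27T18:05:00Z src=10.0.0.5 dport=23 user=netops pass=******** result=success
this line is garbage and must be skipped
2026-03-27T19:30:00Z src=10.0.0.5 dport=23 user=netops pass=******** result=fail
"""


@dataclass
class SourceStats:
    attempts: int = 0
    retries: int = 0
    successes: int = 0
    default_cred_hits: int = 0
    ports: set = field(default_factory=set)
    times: list = field(default_factory=list)


def parse_line(line: str):
    """Return (ts, src, dport, user, pw, result) or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["src"], int(m["dport"]), m["user"], m["pw"], m["result"]


def summarize(lines) -> dict:
    """Aggregate per-source counters from an iterable of log lines."""
    stats = defaultdict(SourceStats)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip lines that do not match the assumed layout
        ts, src, dport, user, pw, result = parsed
        s = stats[src]
        s.attempts += 1
        s.times.append(ts)
        s.ports.add(dport)
        s.retries += int(result == "retry")
        s.successes += int(result == "success")
        s.default_cred_hits += int((user, pw) in DEFAULT_CREDS)
    return dict(stats)


def max_in_window(times, window: timedelta) -> int:
    """Largest number of attempts falling inside any span of length `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify(src: str, s: SourceStats, window=timedelta(minutes=10), threshold=5) -> list:
    """Alert reasons for one source; an empty list means no alert.
    window/threshold are assumed tuning values, not figures from the report."""
    reasons = []
    if max_in_window(s.times, window) >= threshold:
        reasons.append("brute_force_rate")
    if s.default_cred_hits:
        reasons.append("default_credentials")
    if src in KNOWN_BAD_SOURCES:
        reasons.append("known_ioc")
    # A success following guessing is the case that needs a human immediately.
    if s.successes and (s.default_cred_hits or s.attempts >= threshold):
        reasons.append("possible_compromise")
    return reasons


def detect(lines) -> dict:
    """Map each alerting source IP to its list of reasons."""
    alerts = {}
    for src, s in summarize(lines).items():
        reasons = classify(src, s)
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    for src, reasons in detect(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {', '.join(reasons)}")
```

One caveat worth keeping in mind when tuning: the activity in this report averaged about 13 events per hour (756 events over 58 hours), so a pure rate rule with the assumed 5-attempts-per-10-minutes threshold would often not fire on it. The default-credential and known-IOC rules are what carry the detection for low-and-slow guessing, which is why the script reports reasons separately rather than a single score.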