Summary (Bottom Line Up Front)
SMB reconnaissance activity was detected from IP 148.244.221.22 (León de los Aldama, Mexico) on February 26, 2026 at 22:00 UTC, targeting non-standard ports using legacy SMB protocols including vulnerable SMBv1. This represents medium-severity reconnaissance activity that could precede exploitation attempts. Network defenders should monitor for follow-on SMB exploitation attempts and consider blocking this IP if SMB services are not required from external sources.
Activity Timeline
INITIAL REPORT 2026-03-16T12:30:01Z
Source: Analyst Manual Entry
SMB reconnaissance activity was detected from IP 148.244.221.22 (León de los Aldama, Mexico) on February 26, 2026 at 22:00 UTC, targeting non-standard ports using legacy SMB protocols including vulnerable SMBv1. This represents medium-severity reconnaissance activity that could precede exploitation attempts. Network defenders should monitor for follow-on SMB exploitation attempts and consider blocking this IP if SMB services are not required from external sources.
Technical details
The source IP 148.244.221.22 (AS11172 Alestra) conducted 24 SMB protocol negotiation attempts over a 4-minute window targeting port 9001. Attack patterns included SMBv1 usage attempts, indicating potential reconnaissance for vulnerable legacy implementations. The activity maps to MITRE technique T1562.001 (reconnaissance phase) with no associated CVEs or zero-day indicators. Notable open ports on the source include 443, 1443, 8082, and 8083. The IP has no current reputation scoring on AbuseIPDB and no VPN association detected.
IOCs
IP: 148.244.221.22
ASN: 11172
COUNTRY: MX
Recommendations
- Block IP 148.244.221.22 at network perimeter if SMB services are not required from external Mexican IP space
- Audit all SMB services for SMBv1 usage and disable legacy protocol versions where possible
- Monitor for additional SMB reconnaissance attempts targeting non-standard ports (especially 9001)
- Implement enhanced logging for SMB protocol negotiations from external sources
- Review firewall rules to ensure SMB ports (445, 139) are not unnecessarily exposed to internet traffic
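The monitoring recommendations above (repeated SMB negotiations from one external source, SMBv1 dialects on offer, non-standard destination ports) can be turned into a small detection routine. The following is an added example, not part of the report or any vendor tooling: it parses a constructed, single-line log format in which each SMB Negotiate Protocol request is recorded with its source, destination port and offered dialect list, then flags any source that exceeds a count threshold inside a sliding time window and raises severity when SMBv1 dialects or ports other than 139/445 are involved. The log format, the dialect token names, the threshold and the sample lines (including the 24 requests from the report's source IP over four minutes to port 9001) are all assumptions made for this example.

```python
"""Added example: flag repeated SMB negotiate requests per source, noting
SMBv1 dialect offers and non-standard destination ports.
Log format and sample lines are constructed for this example."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import re

# Constructed log format (assumption, not the report's own):
# <ISO8601 ts> src=<ip> dst=<ip> dport=<port> proto=smb cmd=negotiate dialects=<comma-list>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=smb cmd=negotiate dialects=(?P<dialects>\S+)$"
)

# Constructed dialect tokens: SMBv1 dialects are written with underscores so
# they fit the whitespace-free field above (e.g. "NT_LM_0.12", "LANMAN2.1").
SMB1_PREFIXES = ("PC_NETWORK", "LANMAN", "LM1.2", "NT_LM")
STANDARD_SMB_PORTS = (139, 445)


@dataclass
class Finding:
    src: str
    count: int
    window_start: datetime
    window_end: datetime
    smb1_offered: bool
    nonstandard_ports: tuple
    severity: str


def is_smb1(dialect: str) -> bool:
    """True when the dialect token names an SMBv1 dialect."""
    return dialect.startswith(SMB1_PREFIXES)


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
        "src": m["src"],
        "dport": int(m["dport"]),
        "dialects": m["dialects"].split(","),
    }


def detect(lines, threshold=10, window=timedelta(minutes=5)):
    """Return a Finding for each source whose densest burst of negotiate
    requests within `window` reaches `threshold`."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    findings = []
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        # Two-pointer sliding window: find the largest request count
        # whose first and last timestamps lie within `window`.
        best_n, best_j, best_i, j = 0, 0, 0, 0
        for i, ev in enumerate(evs):
            while ev["ts"] - evs[j]["ts"] > window:
                j += 1
            if i - j + 1 > best_n:
                best_n, best_j, best_i = i - j + 1, j, i
        if best_n < threshold:
            continue
        smb1 = any(is_smb1(d) for e in evs for d in e["dialects"])
        ports = tuple(sorted({e["dport"] for e in evs
                              if e["dport"] not in STANDARD_SMB_PORTS}))
        # Volume alone is "low"; SMBv1 offers or odd ports raise it to "medium".
        severity = "medium" if (smb1 or ports) else "low"
        findings.append(Finding(src, best_n, evs[best_j]["ts"], evs[best_i]["ts"],
                                smb1, ports, severity))
    return findings


# Constructed sample log: the report's source IP sending 24 negotiate requests
# to port 9001 at 10-second intervals starting 2026-02-26 22:00 UTC, plus a
# benign internal host using SMB3 on 445 and one unparseable line.
_BASE = datetime(2026, 2, 26, 22, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    f"{(_BASE + timedelta(seconds=10 * k)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
    f"src=148.244.221.22 dst=203.0.113.10 dport=9001 proto=smb cmd=negotiate "
    f"dialects=NT_LM_0.12,SMB2.002,SMB2.1"
    for k in range(24)
] + [
    "2026-02-26T22:01:00Z src=10.0.0.5 dst=10.0.0.20 dport=445 proto=smb cmd=negotiate dialects=SMB3.1.1",
    "2026-02-26T22:03:00Z src=10.0.0.5 dst=10.0.0.21 dport=445 proto=smb cmd=negotiate dialects=SMB3.1.1",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.severity.upper()}: {f.src} sent {f.count} SMB negotiate requests "
              f"between {f.window_start:%H:%M:%S} and {f.window_end:%H:%M:%S} UTC; "
              f"SMBv1 offered={f.smb1_offered}; non-standard ports={f.nonstandard_ports}")
```

Run against the constructed sample, only the external source is reported (24 requests in under four minutes, SMBv1 offered, port 9001), while the internal host's two SMB3 negotiations on 445 stay below the threshold. The threshold and window are deliberately parameters: tune them against your own baseline of legitimate SMB negotiation volume before wiring the routine into an alerting pipeline.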