Summary (Bottom Line Up Front)
Source IP 193.142.146.230 (Netherlands/ColocaTel Datacenter) conducted low-severity reconnaissance activities against authentication endpoints over a 16-day period from February 26 to March 14, 2026. The activity involved automated scanning using Go HTTP clients with limited credential testing attempts, consistent with pre-attack reconnaissance behavior. Network defenders should monitor for escalation while implementing standard hardening measures.
Activity Timeline
UPDATE 2 (2026-03-19T13:39:17Z)
Source: Analyst Manual Entry
New findings
The threat actor conducted 211 events across multiple protocols (HTTP, TCP, TCP/SYN) targeting 2 unique destination ports, with SSH (port 22) confirmed open on the source system. Attack patterns included automated scanning via bot user agents (11 instances), authentication payload testing (1 instance), and CRLF injection attempts (1 instance). The activity maps to MITRE ATT&CK technique T1595.002 (Active Scanning: Vulnerability Scanning) within the Reconnaissance phase of the kill chain. The source maintains a maximum AbuseIPDB reputation score of 100/100, indicating established malicious behavior patterns. Key IOC: 193.142.146.230 (AS213438 ColocaTel Datacenter, Kerkrade, NL).
Recommendations
- Block source IP 193.142.146.230 at perimeter firewalls and web application firewalls
- Monitor authentication endpoints for unusual scanning patterns and implement rate limiting on login interfaces
- Review logs for any successful authentication attempts from this source or related infrastructure
- Consider blocking or restricting traffic from AS213438 (ColocaTel Datacenter) if operationally feasible
- Enhance monitoring for MITRE T1595.002 indicators and establish alerts for reconnaissance-to-exploitation escalation patterns
UPDATE 1 (2026-03-16T07:17:04Z)
Source: Analyst Manual Entry
IP address 193.142.146.230 (Netherlands/ColocaTel Datacenter) conducted sustained reconnaissance activities against authentication endpoints over a 16-day period, generating 211 security events. Assessment indicates LOW severity reconnaissance behavior typical of pre-attack preparation phases. Network defenders should implement enhanced monitoring for authentication interfaces and consider blocking this IP address.
New findings
- Source: 193.142.146.230 (AS213438 ColocaTel Datacenter, Kerkrade, NL)
- Activity Period: February 26, 2026 18:00 - March 14, 2026 17:00 (16 days)
- Attack Volume: 211 total events across 2 unique destination ports
- Protocols: HTTP, TCP, TCP/SYN scanning
- Attack Types: Automated scanning (11 hits), credential reconnaissance (1 hit), CRLF injection attempts (1 hit)
- MITRE Technique: T1595.002 (Active Scanning: Vulnerability Scanning)
- Kill Chain Phase: Reconnaissance
- Threat Indicators: AbuseIPDB score 100/100, Linux-based scanning using Go HTTP client
- IOC: 193.142.146.230
Recommendations
- Block IP address 193.142.146.230 at network perimeter and web application firewalls
- Implement enhanced logging and monitoring for authentication endpoints, particularly login interfaces
- Review and strengthen rate limiting controls on web applications to prevent automated reconnaissance
- Monitor for additional scanning activity from AS213438 (ColocaTel Datacenter) infrastructure
- Conduct security assessment of any systems that received traffic from this IP address during the specified timeframe
INITIAL REPORT (2026-03-14T17:37:33Z)
Source: batch_hunting
Threat actor operating from IP 193.142.146.230 (Netherlands/ColocaTel Datacenter) conducted a sustained 16-day campaign targeting network infrastructure with scanning, credential attacks, and injection attempts totaling 201 events. Assessment: MEDIUM threat level with high confidence based on 100/100 AbuseIPDB reputation score and diverse attack vectors. Immediate blocking and enhanced monitoring recommended.
Technical details
Source conducted multi-protocol attacks from February 26, 2026 19:00 to March 14, 2026 15:00 UTC targeting 2 unique destination ports. Primary attack vectors included automated scanning operations (10 events), credential-based authentication attacks (1 event), and CRLF injection attempts (1 event) across HTTP and TCP protocols. Infrastructure assessment indicates a Linux-based system with an SSH service exposed on port 22. MITRE ATT&CK mappings include T1595 (Active Scanning), T1110 (Brute Force), and T1190 (Exploit Public-Facing Application). Key IOC: 193.142.146.230 with a 100% malicious confidence rating from threat intelligence feeds.
IOCs
IP: 193.142.146.230
ASN: 213438
COUNTRY: NL
Recommendations
- Block IP 193.142.146.230 at perimeter firewalls and web application firewalls immediately
- Monitor for additional activity from ASN AS213438 (ColocaTel Datacenter) and implement enhanced logging
- Review authentication logs for any successful credential compromise attempts during the attack window
- Implement rate limiting on public-facing services to mitigate automated scanning and brute force attacks
- Validate input sanitization controls to prevent CRLF injection vulnerabilities in web applications
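The monitoring recommendations above can be turned into a simple log check. The following is an added example, not part of the report or any tool it references: it parses constructed access-log lines in an assumed format and tags the behaviours the report describes (the listed IOC, a Go HTTP client user agent, URL-encoded CRLF in the request target, and failed POSTs to login paths). The user agent string "Go-http-client" and the login path list are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample access-log lines (not taken from the report); format assumed:
# <ip> [<ISO timestamp>] "<method> <path> <proto>" <status> "<user-agent>"
SAMPLE_LOG = """\
193.142.146.230 [2026-03-01T18:02:11Z] "GET /login HTTP/1.1" 200 "Go-http-client/1.1"
193.142.146.230 [2026-03-01T18:02:12Z] "POST /login HTTP/1.1" 401 "Go-http-client/1.1"
193.142.146.230 [2026-03-01T18:02:13Z] "GET /admin%0d%0aX-Injected:1 HTTP/1.1" 404 "Go-http-client/1.1"
10.0.0.5 [2026-03-01T18:05:00Z] "GET /login HTTP/1.1" 200 "Mozilla/5.0"
10.0.0.5 [2026-03-01T18:05:09Z] "POST /login HTTP/1.1" 302 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \[(\S+)\] "(\S+) (\S+) \S+" (\d{3}) "([^"]*)"$')
KNOWN_BAD_IPS = {"193.142.146.230"}              # IOC listed in the report
BOT_UA_RE = re.compile(r"Go-http-client", re.I)  # assumed default Go net/http User-Agent
CRLF_RE = re.compile(r"%0d%0a|%0d|%0a", re.I)    # URL-encoded CR/LF in the request target
AUTH_PATHS = ("/login", "/signin", "/auth")      # assumed authentication endpoints

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    return {"ip": ip, "ts": ts, "method": method, "path": path, "status": int(status), "ua": ua}

def classify(ev):
    """Tag one event with the behaviours the report describes."""
    tags = []
    if ev["ip"] in KNOWN_BAD_IPS:
        tags.append("known_ioc")
    if BOT_UA_RE.search(ev["ua"]):
        tags.append("bot_user_agent")
    if CRLF_RE.search(ev["path"]):
        tags.append("crlf_injection")
    if ev["path"].split("?")[0].lower().startswith(AUTH_PATHS):
        tags.append("auth_endpoint")
        if ev["method"] == "POST" and ev["status"] in (401, 403):
            tags.append("failed_credential_attempt")
    return tags

def analyze(log_text):
    """Aggregate tag counts per source IP; the counts drive alerting and rate-limit decisions."""
    per_ip = defaultdict(Counter)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            per_ip[ev["ip"]].update(classify(ev))
    return per_ip
```

Running `analyze(SAMPLE_LOG)` yields one Counter per source IP; a source that accumulates bot_user_agent and failed_credential_attempt tags on auth endpoints is the escalation pattern the report asks defenders to watch for.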