223.184.169.119

Summary (Bottom Line Up Front)

IP address 223.184.169.119 conducted sustained SMB exploitation probes targeting port 445 over approximately 1.5 hours on March 26, 2026, generating 2,049 security events with 448 confirmed SMB exploit probe attempts. This activity represents a SUSPICIOUS threat level indicating potential reconnaissance for SMB vulnerabilities. Network defenders should immediately review SMB exposure and implement enhanced monitoring for this IP address.

Observed protocols: MySQL, SMB, TCP, TCP/SYN
Activity Timeline
Initial report: 2026-03-26T15:13:27Z
Source: Analyst Manual Entry
Technical details
The threat actor executed a focused campaign targeting SMB services exclusively on port 445, demonstrating knowledge of Windows file sharing vulnerabilities. Attack patterns included 448 instances of SMB version 1 detection probes, suggesting attempts to identify legacy SMB implementations vulnerable to known exploits. The sustained 1.5-hour attack window (05:00-07:00 hours) indicates automated tooling rather than manual reconnaissance. The attacker used multiple protocols (MySQL, SMB, TCP, TCP/SYN), suggesting a broader scanning capability beyond SMB-specific attacks. No specific CVEs were identified, but the focus on SMB v1 detection aligns with historical exploitation of MS17-010 and related vulnerabilities.
IOCs
IP: 223.184.169.119
Recommendations
  • Block IP address 223.184.169.119 at network perimeter and document for threat hunting activities
  • Audit all systems with SMB port 445 exposed to external networks and disable unnecessary SMB services
  • Ensure SMB version 1 is disabled across all Windows systems and enable SMB signing requirements
  • Implement enhanced logging and monitoring for SMB connection attempts from external IP ranges
  • Review network segmentation to prevent lateral movement if SMB exploitation occurs on internal systems
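The following PowerShell script is an added example, not part of the original report, showing one way to carry out the audit and hardening steps in the recommendations above on a Windows host: it reports the current SMB server posture and whether port 445 is listening, then (only with the `-Apply` switch, a construct of this example) disables SMBv1, requires SMB signing, enables SMB1 access auditing, removes the SMB1 component, and adds a host firewall rule blocking the reported source address. It assumes an elevated PowerShell session on a supported Windows build where the `SmbShare`, `NetTCPIP`, `NetSecurity` and DISM modules are available; the perimeter block and external-exposure audit in the recommendations still have to be done on the firewall and inventory of record.

```powershell
# Added example (not from the report): audit and harden SMB per the recommendations.
# Run in an elevated PowerShell session. -Apply is this example's own switch that
# gates the changes; without it the script only reports.
param(
    [switch]$Apply,
    [string]$BlockIp = '223.184.169.119'   # IOC from the report
)

# 1. Audit: current SMB server posture
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    SMB1Enabled        = $cfg.EnableSMB1Protocol
    SigningRequired    = $cfg.RequireSecuritySignature
    EncryptionRequired = $cfg.EncryptData
    Smb1AuditEnabled   = $cfg.AuditSmb1Access
} | Format-List

# 1b. Audit: is TCP/445 listening, and on which local addresses?
Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 1c. Audit: recent SMB1 client connections (event 3000 in the SMBServer/Audit log),
#     present only if SMB1 access auditing was already enabled
Get-WinEvent -LogName 'Microsoft-Windows-SMBServer/Audit' -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object Id -eq 3000 |
    Select-Object TimeCreated, Message

if (-not $Apply) {
    Write-Host 'Audit only. Re-run with -Apply to enforce the changes.'
    return
}

# 2. Harden: disable SMBv1 on the server side, require signing, keep SMB1 audit on
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 2b. Remove the SMB1 component itself; the cmdlet differs between client and server SKUs
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}
if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
    Uninstall-WindowsFeature -Name FS-SMB1 -ErrorAction SilentlyContinue | Out-Null
}

# 3. Host-level block of the reported source address (idempotent)
if (-not (Get-NetFirewallRule -DisplayName "Block $BlockIp" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "Block $BlockIp" -Direction Inbound `
        -RemoteAddress $BlockIp -Action Block -Profile Any | Out-Null
}
```

Run it once without `-Apply` to capture the before state, then with `-Apply`; a reboot may be needed for the SMB1 component removal to take effect, and the SMB1 audit log should be checked for a few days before removal on file servers that may still have legacy clients.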