3.134.216.108

Summary (Bottom Line Up Front)

External IP address 3.134.216.108 conducted sustained multi-protocol reconnaissance against network infrastructure over a 30-day window (131 events against 6 destination ports), probing SMB, Fortinet device login pages, SSH, Modbus, Oracle and HTTP/TLS services. This HIGH-risk activity is systematic network mapping consistent with the reconnaissance phase that precedes exploitation; the report records probing only, not a successful compromise. Blocking the source and adding monitoring for the targeted services is recommended.

Tags: HTTP, Modbus, SSH, TCP, TCP/SYN, TLS, TLS/1.0, Unknown, auto, https, oracle, smb
Activity Timeline
INITIAL REPORT 2026-03-14T17:42:04Z
Source: batch_hunting
Technical details
  • Source: 3.134.216.108 (US-based, AbuseIPDB confidence-of-abuse score 100/100)
  • Timeline: February 11, 2026 12:00 - March 13, 2026 20:00 (131 total events)
  • Protocols: SMB, HTTP/HTTPS, SSH, Modbus, TLS, Oracle, generic TCP/SYN reconnaissance
  • Attack Patterns: SMBv1 protocol negotiation attempts (a client offering only SMBv1 dialects on TCP/445), Fortinet device login page enumeration
  • MITRE Techniques: T1190 (Exploit Public-Facing Application) is the assessed follow-on; the observed activity itself maps to T1595 (Active Scanning)
  • CVE Associations: CVE-2017-0144 (EternalBlue, the MS17-010 SMBv1 remote code execution flaw). This association is inferred from the SMBv1 negotiation attempts; no exploit payload is recorded in this report
  • Kill Chain Phase: Reconnaissance, with potential to escalate to exploitation
  • Target Scope: 6 unique destination ports across multiple protocols
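The SMBv1 negotiation pattern above is identifiable on the wire without any vendor signature. The following is an added example, not code from the original report or from the hunting platform that produced it: it parses the SMBv1 SMB_COM_NEGOTIATE request layout (NetBIOS session header, 32-byte SMB1 header, WordCount, ByteCount, then a list of 0x02-prefixed dialect strings) and flags clients that offer only SMBv1 dialects, which is the shape of traffic an MS17-010 scanner sends. The sample packets are constructed inside the script, not captured from the source IP.

```python
"""Tag SMB negotiate requests seen on TCP/445 as SMBv1-only probes.

Added example (not part of the original report). All sample packets
below are constructed by build_smb1_negotiate(), not captured traffic.
"""
import struct
from typing import Optional

NBSS_HDR = 4               # NetBIOS session service header on TCP/445
SMB1_MAGIC = b"\xffSMB"    # 0xFF 'S' 'M' 'B'
SMB2_MAGIC = b"\xfeSMB"    # 0xFE 'S' 'M' 'B'
SMB_COM_NEGOTIATE = 0x72


def parse_smb1_negotiate(msg: bytes) -> Optional[list]:
    """Return dialect names from an SMBv1 NEGOTIATE request, else None.

    After the 32-byte SMB1 header: WordCount (1 byte, 0 for NEGOTIATE),
    WordCount*2 parameter bytes, ByteCount (2 bytes LE), then ByteCount
    bytes of dialects, each 0x02 followed by a NUL-terminated ASCII name.
    """
    body = msg[NBSS_HDR:]
    if len(body) < 35 or body[:4] != SMB1_MAGIC or body[4] != SMB_COM_NEGOTIATE:
        return None
    off = 32
    word_count = body[off]
    off += 1 + 2 * word_count
    (byte_count,) = struct.unpack_from("<H", body, off)
    off += 2
    blob = body[off:off + byte_count]
    return [chunk[1:].decode("ascii", "replace")
            for chunk in blob.split(b"\x00") if chunk.startswith(b"\x02")]


def classify_negotiate(msg: bytes) -> dict:
    """Summarise which protocol family a client is asking the server for."""
    magic = msg[NBSS_HDR:NBSS_HDR + 4]
    if magic == SMB2_MAGIC:
        return {"family": "smb2+", "dialects": [], "smb1_only": False}
    dialects = parse_smb1_negotiate(msg)
    if dialects is None:
        return {"family": "unknown", "dialects": [], "smb1_only": False}
    # A Windows client with SMB1 still enabled lists "SMB 2.002"/"SMB 2.???"
    # so the server can upgrade; a request carrying only LANMAN / NT LM 0.12
    # dialects can only ever end up speaking SMBv1.
    smb1_only = not any(d.startswith("SMB 2.") for d in dialects)
    return {"family": "smb1", "dialects": dialects, "smb1_only": smb1_only}


def build_smb1_negotiate(dialects: list) -> bytes:
    """Construct a NEGOTIATE request the way a client would (sample input)."""
    hdr = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27   # 32 bytes
    blob = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    body = hdr + b"\x00" + struct.pack("<H", len(blob)) + blob       # WordCount=0
    return b"\x00" + len(body).to_bytes(3, "big") + body             # NBSS header


# Constructed samples: an SMBv1-only scanner probe and a normal client.
PROBE = build_smb1_negotiate(["PC NETWORK PROGRAM 1.0", "LANMAN1.0", "NT LM 0.12"])
MODERN = build_smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])

if __name__ == "__main__":
    for name, pkt in (("probe", PROBE), ("modern", MODERN)):
        print(name, classify_negotiate(pkt))
```

Feed `classify_negotiate()` the first client-to-server segment of each TCP/445 session; a hit with `smb1_only` set from an external source is the "SMBv1 protocol negotiation attempt" listed in the technical details, and is a far more specific signal than the port number alone.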
IOCs
IP: 3.134.216.108
COUNTRY: US
Recommendations
  • Block 3.134.216.108 at perimeter firewalls and add it to threat intelligence feeds. Treat this as a short-lived control: a scanning source is easily rotated, so the service-level measures below matter more.
  • Disable SMBv1 on all Windows systems and network devices where it is not operationally required, and confirm that TCP/445 is not reachable from the internet at all.
  • Review and harden Fortinet device configurations: change any default credentials, disable unnecessary services, keep FortiOS patched, and restrict administrative login pages to trusted networks rather than exposing them publicly.
  • Add monitoring for multi-protocol scanning patterns (one source touching many ports and services over days) targeting critical infrastructure protocols such as Modbus, SMB and SSH. Modbus/TCP carries no authentication, so any reachability from the internet is itself a finding.
  • Conduct a vulnerability assessment of the public-facing services identified in the reconnaissance activity, prioritising SMB and the Fortinet login endpoints.
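The monitoring recommendation above can be implemented as a simple per-source profile over connection logs. The following is an added example, not code from the original report or its hunting platform: it reads Zeek-style conn.log records (tab-separated `ts`, `id.orig_h`, `id.resp_h`, `id.resp_p`, `proto`, `service`; the subset of columns and the log lines themselves are constructed here, and the thresholds are assumptions), aggregates distinct ports, services and hosts per source, and raises a finding shaped like this report when a source crosses the thresholds and touches one of the critical services.

```python
"""Flag sources that touch many ports and hosts over a long window.

Added example (not part of the original report). Log lines are constructed
in the shape of a Zeek conn.log subset; thresholds are assumed values.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Services whose presence in a scan raises severity (port -> name). Assumed set.
CRITICAL = {445: "smb", 502: "modbus", 22: "ssh"}
FIELDS = ("ts", "orig_h", "resp_h", "resp_p", "proto", "service")

# Constructed sample: six probes from one source across two weeks, plus a
# benign client that repeatedly talks to a single HTTPS endpoint.
SAMPLE_LOG = """\
1770811200\t3.134.216.108\t10.0.1.5\t445\ttcp\tsmb
1770811260\t3.134.216.108\t10.0.1.6\t22\ttcp\tssh
1771416000\t3.134.216.108\t10.0.1.7\t502\ttcp\tmodbus
1771416100\t3.134.216.108\t10.0.1.5\t443\ttcp\tssl
1772020800\t3.134.216.108\t10.0.1.8\t1521\ttcp\t-
1772020900\t3.134.216.108\t10.0.1.9\t80\ttcp\thttp
1772020950\t198.51.100.7\t10.0.1.5\t443\ttcp\tssl
1772020960\t198.51.100.7\t10.0.1.5\t443\ttcp\tssl
"""


def parse_conn(log_text: str):
    """Yield one dict per non-comment line, with typed ts and port."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        rec["resp_p"] = int(rec["resp_p"])
        yield rec


def profile_sources(log_text: str) -> dict:
    """Aggregate distinct ports/services/hosts and the time span per source."""
    prof = defaultdict(lambda: {"ports": set(), "services": set(), "hosts": set(),
                                "events": 0, "first": None, "last": None})
    for r in parse_conn(log_text):
        p = prof[r["orig_h"]]
        p["ports"].add(r["resp_p"])
        if r["service"] != "-":           # Zeek writes "-" when unidentified
            p["services"].add(r["service"])
        p["hosts"].add(r["resp_h"])
        p["events"] += 1
        p["first"] = r["ts"] if p["first"] is None else min(p["first"], r["ts"])
        p["last"] = r["ts"] if p["last"] is None else max(p["last"], r["ts"])
    return prof


def detect_scanners(log_text: str, min_ports: int = 4, min_hosts: int = 3) -> list:
    """Return findings for sources spraying across ports and hosts.

    Thresholds are assumptions; tune them against your own baseline.
    """
    findings = []
    for src, p in profile_sources(log_text).items():
        if len(p["ports"]) < min_ports or len(p["hosts"]) < min_hosts:
            continue
        critical = sorted(name for port, name in CRITICAL.items() if port in p["ports"])
        findings.append({
            "src": src,
            "severity": "HIGH" if critical else "MEDIUM",
            "ports": sorted(p["ports"]),
            "services": sorted(p["services"]),
            "critical": critical,
            "hosts": len(p["hosts"]),
            "events": p["events"],
            "span_days": round((p["last"] - p["first"]) / 86400, 1),
            "first_seen": datetime.fromtimestamp(p["first"], timezone.utc).isoformat(),
        })
    return sorted(findings, key=lambda f: (f["severity"] != "HIGH", -len(f["ports"])))


if __name__ == "__main__":
    for f in detect_scanners(SAMPLE_LOG):
        print(f)
```

Run it over a day's conn.log and the benign client (one port, one host) stays below threshold while the spraying source is reported with its port list, the critical services it touched and the span in days, which is the evidence a blocking decision should cite.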