45.205.1.50

Summary (Bottom Line Up Front)

Automated reconnaissance activity from IP 45.205.1.50 has been observed probing for HTTP proxy functionality on port 9001 using Go HTTP client, likely testing systems for potential abuse as traffic relay infrastructure. This represents a MEDIUM threat level with moderate confidence, indicating preparatory activity for potential proxy abuse or command-and-control establishment. Network defenders should implement enhanced monitoring for proxy-related traffic and consider blocking the identified source IP.

TCP TCP/SYN auto

SCANNER

Activity Timeline

INITIAL REPORT2026-03-25T10:19:27Z

Source: Analyst Manual Entry

Technical details

Attack Vector: TCP-based scanning targeting port 9001 with Go HTTP client user agent attempting to identify exploitable proxy services. Volume: 53 events observed between March 17, 2026 19:00 and March 24, 2026 15:00 UTC across 3 unique destination ports. MITRE Technique: T1090.003 (Multi-hop Proxy) during Reconnaissance phase. Key Indicators: Source IP 45.205.1.50 with no reverse DNS resolution, utilizing automated scanning patterns consistent with proxy discovery tools. Protocols: TCP and TCP SYN scanning with automated characteristics suggesting scripted reconnaissance rather than manual testing.

IOCs

IP:45.205.1.50

Recommendations

Block traffic from source IP 45.205.1.50 at network perimeter and document for threat intelligence sharing
Implement enhanced monitoring for HTTP proxy requests on non-standard ports, particularly port 9001 and adjacent ranges
Review and harden any legitimate proxy services to prevent unauthorized access and abuse for traffic tunneling
Deploy detection rules for Go HTTP client user agents conducting systematic port scanning across infrastructure
Conduct internal assessment of systems listening on port 9001 to verify legitimate business requirements and proper access controls

medium SCANNER TCP:9001

Go-http-client