Summary (Bottom Line Up Front)
IP address 65.49.1.152 conducted sustained reconnaissance activities from March 15 to April 17, 2026, targeting multiple protocols including FortiGate infrastructure, Oracle databases, IoT devices, and Kubernetes clusters across 59 observed events. Assessment indicates LOW threat level with medium confidence, representing opportunistic scanning rather than targeted attack activity. Network defenders should implement enhanced monitoring for the identified attack patterns and block the source IP as a precautionary measure.
Activity Timeline
INITIAL REPORT 2026-04-17T12:50:20Z
Source: Analyst Manual Entry
IP address 65.49.1.152 conducted sustained reconnaissance activities from March 15 to April 17, 2026, targeting multiple protocols including FortiGate infrastructure, Oracle databases, IoT devices, and Kubernetes clusters across 59 observed events. Assessment indicates LOW threat level with medium confidence, representing opportunistic scanning rather than targeted attack activity. Network defenders should implement enhanced monitoring for the identified attack patterns and block the source IP as a precautionary measure.
Technical details
Attack Timeline: March 15, 2026 11:00 - April 17, 2026 06:00 (33-day campaign)
Protocols Targeted: HTTP, HTTPS, MODBUS, Oracle, SMB, SMTP, TLS variants
Primary Techniques: Network service discovery, vulnerability scanning, credential access attempts
Key Attack Patterns: FortiGate infrastructure probing (11 events), IoT MQTT command injection attempts (6 events), Oracle database reconnaissance (1 event), SMBv1 exploitation probes (1 event)
Notable Anomalies: HTTP traffic directed at Oracle port 1521/TCP indicating protocol tunneling or misconfiguration
IOCs: 65.49.1.152, FortiGate API paths (/api/v2/static/not.found, /migadmin/lang/legacy/legacy/filechecksum), Kubernetes version enumeration attempts
IOCs
IP: 65.49.1.152
Recommendations
- Block IP address 65.49.1.152 at network perimeter and implement monitoring for similar scanning patterns across FortiGate, Oracle, and IoT infrastructure
- Review and harden FortiGate SSL VPN configurations, particularly login endpoints and API access controls identified in reconnaissance attempts
- Disable SMBv1 protocol across the network environment and implement enhanced logging for SMB negotiation attempts
- Deploy additional monitoring for Oracle database port 1521 focusing on HTTP protocol anomalies and unauthorized connection attempts
- Implement network segmentation to isolate IoT devices and industrial control systems from general network access
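As an added example (not part of the analyst's report), the following Python script applies the monitoring recommended above to constructed sample log lines: it flags the reported source IP, HTTP requests arriving on Oracle port 1521, and the two FortiGate probe paths listed under IOCs. The log line format (source IP, destination port, payload) and the sample lines themselves are assumptions.

```python
from __future__ import annotations
import ipaddress
import re

# Indicators taken from the report above.
REPORTED_SOURCE = ipaddress.ip_address("65.49.1.152")
FORTIGATE_PROBE_PATHS = {
    "/api/v2/static/not.found",
    "/migadmin/lang/legacy/legacy/filechecksum",
}
ORACLE_PORT = 1521
HTTP_REQUEST_RE = re.compile(r"^(GET|POST|HEAD|PUT|OPTIONS)\s+(\S+)\s+HTTP/1\.[01]")

# Constructed sample log lines (assumed format: "src_ip dst_port payload").
SAMPLE_LOG = """\
65.49.1.152 443 GET /api/v2/static/not.found HTTP/1.1
65.49.1.152 1521 GET / HTTP/1.1
10.0.0.7 443 GET /index.html HTTP/1.1
10.0.0.9 1521 \\x00\\x5a\\x00\\x00\\x01\\x00\\x00\\x00
198.51.100.23 443 GET /migadmin/lang/legacy/legacy/filechecksum HTTP/1.1
"""

def classify(line: str) -> list[str]:
    """Return the names of the detections that fire for one log line."""
    src, port, payload = line.split(" ", 2)
    hits = []
    if ipaddress.ip_address(src) == REPORTED_SOURCE:
        hits.append("known-scanner-ip")
    request = HTTP_REQUEST_RE.match(payload)
    if int(port) == ORACLE_PORT and request:
        # The Oracle TNS listener should never receive an HTTP request line.
        hits.append("http-on-oracle-1521")
    if request and request.group(2) in FORTIGATE_PROBE_PATHS:
        hits.append("fortigate-probe-path")
    return hits

def scan_log(text: str) -> dict[str, list[str]]:
    """Map each detection name to the source IPs that triggered it."""
    findings: dict[str, list[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        src = line.split(" ", 1)[0]
        for name in classify(line):
            findings.setdefault(name, []).append(src)
    return findings

if __name__ == "__main__":
    for name, sources in scan_log(SAMPLE_LOG).items():
        print(f"{name}: {sorted(set(sources))}")
```

Non-HTTP traffic on 1521 (the constructed TNS-style line) is deliberately not flagged, so the rule targets the protocol anomaly rather than all database connections.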