65.49.1.192

Summary (Bottom Line Up Front)

IP address 65.49.1.192 conducted sustained reconnaissance activities over 53 days (March-April 2026) targeting FortiGate appliances and industrial control systems using IEC-104 protocol probes. This represents a MEDIUM threat level with potential critical infrastructure targeting. Organizations should immediately audit internet-exposed FortiGate devices and industrial control systems for unauthorized access attempts.

Tags: HTTP, IEC-104, IEC104, ORACLE, RSYNC, SMTP, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, auto, http, https, https_tls_handshake, smtp
Activity Timeline
UPDATE 1: 2026-04-27T15:50:35Z
Source: Analyst Manual Entry
New findings
Attack Profile: 138 events observed from March 5 09:00 to April 27 14:00, targeting 9 unique destination ports across multiple protocols including HTTP/HTTPS, IEC-104, Oracle, RSYNC, SMTP, and TLS variants.
Primary Techniques: MITRE T1046 (Network Service Scanning) with focus on FortiGate SSL VPN endpoints (/remote/logincheck, /login, /api/v2/static/not.found) and IEC 60870-5-104 industrial control protocol reconnaissance via TESTFR activation frames on port 2404/TCP.
Key Indicators: Systematic probing of FortiGate administrative paths (/migadmin/lang/legacy/legacy/filechecksum), Oracle database connection attempts, and industrial protocol abuse suggesting reconnaissance phase of potential critical infrastructure targeting campaign.
Threat Assessment: Kill chain phase indicates early reconnaissance with 5% zero-day probability; attacker demonstrated knowledge of both enterprise network security appliances and industrial control protocols.
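To turn the two techniques described above into something a SOC can run, the following is an added example (not code from the report or from the platform that produced it). It flags requests for the FortiGate paths listed in the report in web-server access logs and classifies IEC 60870-5-104 APCI frames so that TESTFR activation frames arriving on 2404/TCP from non-allowlisted sources can be alerted on. The log lines and packet bytes are constructed samples; the U-frame control byte values (STARTDT/STOPDT/TESTFR) are those defined by the IEC 60870-5-104 standard.

```python
"""Detection helpers for the reconnaissance patterns in the report:
FortiGate path probing over HTTP(S) and IEC-104 TESTFR probes on 2404/TCP.
Added example; all sample log lines and frames below are constructed."""
import re

IOC_IP = "65.49.1.192"  # source IP from the report

# FortiGate paths the report lists as probed (query strings are stripped before matching)
FORTIGATE_PROBE_PATHS = {
    "/remote/logincheck",
    "/login",
    "/api/v2/static/not.found",
    "/migadmin/lang/legacy/legacy/filechecksum",
    "/lang/legacy/filechecksum",
}

# Combined/common log format: src, ident, user, [timestamp], "METHOD path proto", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query string when matching paths
    return rec


def flag_fortigate_probes(lines):
    """Return hits where the source is the IOC IP or the path is a known FortiGate probe path."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["src"] == IOC_IP:
            reasons.append("ioc_source_ip")
        if rec["path"] in FORTIGATE_PROBE_PATHS:
            reasons.append("fortigate_probe_path")
        if reasons:
            hits.append({"src": rec["src"], "path": rec["path"],
                         "status": rec["status"], "reasons": reasons})
    return hits


# IEC 60870-5-104 APCI: start octet 0x68, APDU length, then four control octets.
# U-format frames have the two low bits of the first control octet set (0b11).
U_FRAME_LABELS = {
    0x07: "STARTDT_ACT", 0x0B: "STARTDT_CON",
    0x13: "STOPDT_ACT", 0x23: "STOPDT_CON",
    0x43: "TESTFR_ACT", 0x83: "TESTFR_CON",
}


def classify_apci(frame: bytes):
    """Classify an APCI as 'I', 'S', a named U-frame, or None if malformed/truncated."""
    if len(frame) < 6 or frame[0] != 0x68:
        return None
    apdu_len = frame[1]
    if apdu_len < 4 or len(frame) - 2 < apdu_len:  # length covers control octets + ASDU
        return None
    c1 = frame[2]
    if c1 & 0x01 == 0:
        return "I"
    if c1 & 0x03 == 0x01:
        return "S"
    return U_FRAME_LABELS.get(c1)  # U-format; undefined combinations -> None


def flag_iec104_probe(src_ip, dst_port, frame, allowlist=frozenset()):
    """Flag a TESTFR activation sent to 2404/TCP by a source that is not an allowlisted master."""
    if dst_port != 2404 or src_ip in allowlist:
        return None
    kind = classify_apci(frame)
    if kind == "TESTFR_ACT":
        return {"src": src_ip, "kind": kind, "reason": "iec104_testfr_from_unexpected_source"}
    return None


# Constructed sample data (not captured traffic)
SAMPLE_LOG = [
    '65.49.1.192 - - [05/Mar/2026:09:00:12 +0000] "GET /remote/logincheck HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
    '65.49.1.192 - - [05/Mar/2026:09:00:14 +0000] "GET /api/v2/static/not.found HTTP/1.1" 404 0 "-" "-"',
    '203.0.113.7 - - [05/Mar/2026:09:01:02 +0000] "GET /migadmin/lang/legacy/legacy/filechecksum?x=1 HTTP/1.1" 404 0 "-" "-"',
    '198.51.100.9 - - [05/Mar/2026:09:02:30 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]
TESTFR_ACT_FRAME = bytes([0x68, 0x04, 0x43, 0x00, 0x00, 0x00])
STARTDT_ACT_FRAME = bytes([0x68, 0x04, 0x07, 0x00, 0x00, 0x00])
S_FRAME = bytes([0x68, 0x04, 0x01, 0x00, 0x02, 0x00])

if __name__ == "__main__":
    for hit in flag_fortigate_probes(SAMPLE_LOG):
        print("HTTP probe:", hit)
    print("IEC-104:", flag_iec104_probe(IOC_IP, 2404, TESTFR_ACT_FRAME))
```

The allowlist is the set of legitimate SCADA masters; TESTFR frames are normal keep-alives between a master and its outstations, so the signal is not the frame itself but its arrival from an address that has no business speaking IEC-104 to the outstation at all.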
Recommendations
  • Block IP address 65.49.1.192 at network perimeter and review logs for successful authentication attempts against FortiGate devices
  • Audit all internet-facing FortiGate SSL VPN configurations and disable unnecessary administrative interfaces from external access
  • Immediately inventory and isolate any IEC-104 protocol services accessible from internet-facing networks
  • Implement enhanced monitoring for Oracle database connection attempts and RSYNC service enumeration activities
  • Review network segmentation to ensure industrial control systems are properly isolated from internet-accessible network segments
INITIAL REPORT: 2026-04-10T07:22:09Z
Source: Analyst Manual Entry
External IP 65.49.1.192 conducted sustained reconnaissance activities from March 5th to April 10th, 2026, targeting FortiGate infrastructure and Oracle services across 138 events. Assessment indicates MEDIUM threat level with primary focus on network service discovery and potential VPN exploitation attempts. Organizations should immediately review FortiGate SSL VPN configurations and implement enhanced monitoring for Oracle database scanning activities.
Technical details
Attack Timeline: March 5th 09:00 - April 10th 05:00 UTC (36-day campaign)
Primary Protocols: HTTPS/TLS, Oracle TNS, SMTP, RSYNC targeting 9 unique destination ports
MITRE Technique: T1046 (Network Service Scanning) - Reconnaissance phase
Key Attack Patterns: FortiGate-focused reconnaissance (11 events) including SSL VPN login attempts, API probing, and administrative interface discovery; Oracle database scanning (1 event); RSYNC module enumeration (1 event)
Notable Payloads: `/remote/logincheck` (SSL VPN), `/api/v2/static/not.found` (API enumeration), `/login` (admin interface), `/lang/legacy/filechecksum` (file validation bypass attempts)
IOCs: 65.49.1.192 (source IP), sustained low-volume scanning pattern suggesting manual or throttled automated reconnaissance
IOCs
IP: 65.49.1.192
Recommendations
  • Immediately audit FortiGate SSL VPN configurations and review authentication logs for unauthorized access attempts from 65.49.1.192
  • Implement network segmentation and access controls for Oracle database services, particularly monitoring for TNS listener probes on non-standard ports
  • Deploy enhanced logging and alerting for administrative interface access attempts across network security appliances
  • Block 65.49.1.192 at perimeter firewalls and add to threat intelligence feeds for ongoing monitoring
  • Conduct vulnerability assessment of exposed FortiGate management interfaces and ensure latest firmware updates are applied