Summary (Bottom Line Up Front)
IP address 65.49.1.80 conducted a sustained multi-protocol reconnaissance campaign from February 21 to April 27, 2026, targeting industrial control systems, network infrastructure, and enterprise services across 14 unique ports with 135 recorded events. The threat is assessed as HIGH severity due to targeting of critical infrastructure protocols (S7COMM, Modbus) and enterprise systems (SMB, LDAP, Oracle). Immediate blocking and network monitoring for similar activity patterns is recommended.
Activity Timeline
INITIAL REPORT 2026-04-27T15:56:23Z
Source: Analyst Manual Entry
IP address 65.49.1.80 conducted a sustained multi-protocol reconnaissance campaign from February 21 to April 27, 2026, targeting industrial control systems, network infrastructure, and enterprise services across 14 unique ports with 135 recorded events. The threat is assessed as HIGH severity due to targeting of critical infrastructure protocols (S7COMM, Modbus) and enterprise systems (SMB, LDAP, Oracle). Immediate blocking and network monitoring for similar activity patterns is recommended.
Technical details
Attack Profile: 66-day campaign employing broad reconnaissance techniques across industrial and enterprise protocols, including S7COMM (Siemens industrial controls), Modbus, SMB, LDAP, Oracle, and FortiGate VPN infrastructure. Primary MITRE ATT&CK technique is T1595.001 (Active Scanning: Scanning IP Blocks), mapped to the reconnaissance phase of the kill chain. Notable attack patterns include SMB1 exploitation attempts, FortiGate SSL VPN login probing via `/remote/logincheck`, LDAP directory searches, and Oracle database connection attempts. High-confidence indicators include presence on the DShield blocklist and protocol layer mismatches suggesting evasion techniques.
Key IOCs:
- Source IP: 65.49.1.80
- Targeted ports: 389/TCP (LDAP), 443/TCP (HTTPS, FortiGate SSL VPN), 8080/TCP, 102/TCP (S7COMM)
- Attack signatures: FortiGate API probing (`/api/v2/static/not.found`), legacy admin paths (`/migadmin/lang/legacy/`), SMB1 protocol abuse
IOCs
IP: 65.49.1.80
Recommendations
- Block 65.49.1.80 at the network perimeter and monitor for additional IPs exhibiting similar multi-protocol scanning patterns
- Implement enhanced monitoring for industrial protocol traffic (S7COMM port 102, Modbus) and restrict access to authorized systems only
- Review FortiGate SSL VPN logs for unauthorized login attempts and consider implementing additional authentication controls
- Audit SMB configurations to disable the SMB1 protocol and ensure proper network segmentation for file sharing services
- Deploy network behavior analytics to detect future multi-protocol reconnaissance campaigns targeting diverse infrastructure components
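The last recommendation asks for behavior analytics that catch one source touching many unrelated services over a long window. The following added example (not part of this report or of any analytics product) profiles a constructed connection log by source IP and flags sources whose distinct-port count spans several service families; the port-to-family mapping and the sample log lines are assumptions built from the ports named above.

```python
from collections import defaultdict
from datetime import datetime

# Port -> service family for the services named in the report (this mapping is the example's assumption).
PORT_FAMILY = {102: "ics", 502: "ics",                                    # S7COMM, Modbus
               445: "enterprise", 389: "enterprise", 1521: "enterprise",  # SMB, LDAP, Oracle
               443: "edge", 8080: "edge"}                                 # HTTPS / FortiGate SSL VPN, alt-HTTP

# Constructed sample connection log: "<ISO-8601 UTC> <src_ip> <dst_port>/<proto>" (not real telemetry).
SAMPLE_LOG = """\
2026-02-21T03:12:44Z 65.49.1.80 102/tcp
2026-02-21T03:13:01Z 65.49.1.80 502/tcp
2026-03-04T11:07:19Z 65.49.1.80 445/tcp
2026-03-15T22:40:02Z 65.49.1.80 389/tcp
2026-04-02T08:55:36Z 65.49.1.80 1521/tcp
2026-04-27T15:50:10Z 65.49.1.80 443/tcp
2026-04-27T15:51:02Z 65.49.1.80 8080/tcp
2026-04-10T09:00:00Z 198.51.100.7 443/tcp
2026-04-10T09:00:05Z 198.51.100.7 443/tcp
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_port, proto)."""
    ts, src, svc = line.split()
    port, proto = svc.split("/")
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), src, int(port), proto

def profile_sources(log_text):
    """Per source IP: event count, distinct ports, service families touched, first/last seen."""
    prof = defaultdict(lambda: {"events": 0, "ports": set(), "families": set(),
                                "first": None, "last": None})
    for line in filter(str.strip, log_text.splitlines()):
        ts, src, port, _proto = parse_line(line)
        p = prof[src]
        p["events"] += 1
        p["ports"].add(port)
        p["families"].add(PORT_FAMILY.get(port, "other"))
        p["first"] = ts if p["first"] is None else min(p["first"], ts)
        p["last"] = ts if p["last"] is None else max(p["last"], ts)
    return prof

def flag_recon(prof, min_ports=5, min_families=2):
    """Return {src: (distinct_ports, families, campaign_days)} for sources probing many ports
    across several service families; a client that only ever talks to one service is not flagged."""
    flagged = {}
    for src, p in prof.items():
        if len(p["ports"]) >= min_ports and len(p["families"]) >= min_families:
            days = (p["last"] - p["first"]).days + 1   # inclusive span, as the report counts it
            flagged[src] = (len(p["ports"]), sorted(p["families"]), days)
    return flagged
```

Run against the sample, only 65.49.1.80 is flagged (7 ports across the edge, enterprise and ICS families over 66 days), while the single-service client is left alone; thresholds should be tuned to the site's own baseline of legitimate multi-port clients such as vulnerability scanners.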