66.132.153.130

Summary (Bottom Line Up Front)

IP address 66.132.153.130 conducted sustained reconnaissance and scanning activities against multiple targets from March 3-12, 2026, generating 118 security events across web services and infrastructure ports. The activity demonstrates medium-severity automated scanning behavior with focus on service enumeration and version disclosure. Network defenders should implement enhanced monitoring for scanning patterns and consider blocking this IP if activity continues.

Tags: HTTP, TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, https, https_tls_handshake, oracle
Activity Timeline
INITIAL REPORT 2026-03-14T17:49:01Z
Source: batch_hunting
Technical details
Attack Vector: Multi-protocol scanning campaign utilizing HTTP/HTTPS, TLS handshakes, and Oracle database protocols across 3 unique destination ports.
Techniques: Automated reconnaissance using Censys-style scanning patterns and bot user agents, including attempts to enumerate Kubernetes version information.
Volume: 118 events over a 9-day period (March 3 16:00 - March 12 21:00 UTC).
MITRE Mapping: T1046 (Network Service Scanning), T1595.001 (Active Scanning: Scanning IP Blocks).
Threat Intelligence: AbuseIPDB maximum confidence score (100/100) indicates an established malicious reputation.
IOCs: Source IP 66.132.153.130; protocols include TLS 1.0/1.2+, Oracle database scanning, and infrastructure enumeration patterns.
IOCs
IP: 66.132.153.130
Country: US
Recommendations
  • Block IP address 66.132.153.130 at perimeter firewalls and web application firewalls to prevent continued reconnaissance
  • Review and harden exposed Oracle database services, ensuring proper access controls and network segmentation
  • Implement rate limiting on web services to mitigate automated scanning attempts and bot traffic
  • Monitor for similar scanning patterns targeting Kubernetes infrastructure and container orchestration platforms
  • Correlate this IP with existing threat intelligence feeds and update security tooling with IOCs for future detection