Summary (Bottom Line Up Front)
IP address 66.132.172.182 conducted an extensive 32-day scanning campaign from March 25 to April 26, 2026, targeting multiple protocols including industrial control systems, Kubernetes infrastructure, and enterprise services. Despite generating 490 security events across 8 destination ports, this activity is assessed as automated reconnaissance with LOW threat level due to its association with known scanning infrastructure (Censys). Network defenders should monitor for follow-on exploitation attempts from related infrastructure.
Activity Timeline
INITIAL REPORT 2026-04-26T08:31:55Z
Source: Analyst Manual Entry
Technical details
Attack Profile: Multi-protocol scanning operation targeting FTP, HTTP/HTTPS, MQTT, Oracle/TNS, S7COMM (industrial protocols), SSH, and TLS services. Primary attack vectors included protocol abuse (68 instances), exploitation attempts (3 high-severity events), and systematic reconnaissance of Fortinet devices and Kubernetes etcd services.
Key Indicators: Source exhibited scanning behaviors consistent with Censys research infrastructure, including version disclosure requests against etcd (port 2379), Oracle TNS probes using zgrab2, and Fortinet device enumeration via /robots.txt requests. The campaign demonstrated knowledge of industrial control system protocols (S7COMM) and container orchestration platforms.
Attribution: Activity correlates with legitimate security research scanning rather than targeted intrusion, supported by 100/100 AbuseIPDB reputation score and Censys user-agent strings in captured traffic.
IOCs
IP: 66.132.172.182
COUNTRY: US
Recommendations
- Block IP 66.132.172.182 at network perimeter and monitor for scanning activity from related ASN ranges
- Implement enhanced monitoring for ports 2379 (etcd), 1521 (Oracle), and 502/102 (S7COMM) to detect similar reconnaissance attempts
- Review Fortinet device configurations to ensure administrative interfaces are not exposed to internet scanning
- Deploy protocol-aware detection rules for industrial control system traffic (S7COMM) if such systems are present in the environment
- Correlate this scanning activity with subsequent connection attempts from different source IPs within 48-72 hours
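The last two recommendations (watching ports 2379, 1521, 502 and 102, and correlating the scanner's probes with later connections from other sources) can be turned into a small correlation check. The script below is an added example, not part of the original report: it parses constructed flow-log lines of the form `<time> <src_ip> <dst_port>`, records when 66.132.172.182 last probed each watched port, and flags connections from any other IP to the same port within a 72-hour window (the upper bound of the 48-72 hour range given above). The log format, the `WATCHED_PORTS` labels and the sample IPs are assumptions for the example.

```python
"""Correlate known-scanner probes with follow-on connections (added example)."""
from datetime import datetime, timedelta, timezone

# Ports the report's recommendations single out for enhanced monitoring.
WATCHED_PORTS = {2379: "etcd", 1521: "Oracle TNS", 502: "ICS", 102: "S7COMM"}
SCANNER_IP = "66.132.172.182"           # indicator from the report
FOLLOW_ON_WINDOW = timedelta(hours=72)  # upper bound of the 48-72h window

# Constructed sample flow-log lines (not real traffic): "<ISO8601 time> <src_ip> <dst_port>".
SAMPLE_LOG = """\
2026-04-25T10:00:00Z 66.132.172.182 2379
2026-04-25T10:05:00Z 66.132.172.182 1521
2026-04-26T08:30:00Z 66.132.172.182 102
2026-04-26T14:00:00Z 198.51.100.7 2379
2026-04-27T09:00:00Z 203.0.113.9 102
2026-04-30T12:00:00Z 203.0.113.9 2379
2026-04-26T09:00:00Z 198.51.100.7 443
"""

def parse_log(text):
    """Yield (timestamp, src_ip, dst_port) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield stamp, src, int(port)

def correlate_follow_on(events, scanner_ip=SCANNER_IP, window=FOLLOW_ON_WINDOW):
    """Return (src_ip, port, service, hours_after_probe) for every connection from a
    non-scanner IP to a watched port within `window` of the scanner's last probe of it."""
    last_probe = {}  # port -> time of the scanner's most recent probe to that port
    hits = []
    for ts, src, port in sorted(events):
        if port not in WATCHED_PORTS:
            continue  # outside the monitored set; ignore
        if src == scanner_ip:
            last_probe[port] = ts  # remember the probe, do not flag the scanner itself
            continue
        probe_ts = last_probe.get(port)
        if probe_ts is not None and ts - probe_ts <= window:
            hours = round((ts - probe_ts).total_seconds() / 3600, 1)
            hits.append((src, port, WATCHED_PORTS[port], hours))
    return hits

if __name__ == "__main__":
    for src, port, service, hours in correlate_follow_on(parse_log(SAMPLE_LOG)):
        print(f"follow-on: {src} -> {port}/{service} {hours}h after scanner probe")
```

The 203.0.113.9 connection to 2379 on April 30 is not reported because it falls more than 72 hours after the scanner's last probe of that port; tighten `FOLLOW_ON_WINDOW` or add a lower bound if the 48-hour floor matters in your environment.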