Summary (Bottom Line Up Front)
IP address 85.217.140.37 conducted a sustained multi-protocol reconnaissance campaign from March 7 to April 20, 2026, generating 97 events against 16 unique destination ports across services including FTP, MQTT, Oracle, RDP, SMTP, and SSH. The activity is consistent with low-risk service discovery and enumeration rather than active exploitation attempts. Network defenders should monitor for follow-on activity from this source and implement standard reconnaissance detection controls.
Activity Timeline
INITIAL REPORT (2026-04-20T08:07:11Z)
Source: Analyst Manual Entry
Technical details
Attack Vector: Multi-protocol network scanning and service enumeration
Activity Period: March 7, 2026 15:00 - April 20, 2026 03:00 UTC
Volume: 97 events across 16 destination ports
Primary Techniques: Network service scanning (MITRE ATT&CK T1046, Network Service Discovery, formerly named Network Service Scanning)
Targeted Services: FTP, MQTT (IoT/OT infrastructure), Oracle databases, RDP, SSH, SMTP, Fortinet devices
Key Indicators: EHLO commands on port 25/SMTP, ModatScanner tool usage on port 6443/HTTPS, Fortinet login page reconnaissance
Assessment: Reconnaissance phase activity with expanding toolkit suggesting methodical infrastructure mapping
IOCs
IP: 85.217.140.37
Recommendations
- Monitor network logs for follow-on activity from 85.217.140.37 and implement IP-based blocking if consistent with security policies
- Review and harden exposed services identified in scanning activity, particularly MQTT brokers, Oracle databases, and RDP endpoints
- Implement network segmentation to limit reconnaissance scope, especially for IoT/OT infrastructure on MQTT port 1883
- Deploy reconnaissance detection rules that flag a single source touching many distinct ports spanning several service families (for example FTP, SSH, SMTP, database, RDP, MQTT) over a long window, since low-and-slow scanning of this kind will not trigger rate-based port-scan thresholds
- Conduct asset inventory validation to ensure all exposed services on scanned ports are authorized and properly secured
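As an added illustration of the detection recommendation above (this is example code written for this page, not tooling from the original report), the script below aggregates firewall connection events per source and flags any source that probes at least five distinct ports spanning at least three service families, regardless of how slowly it does so. The log format (`timestamp action src= dst= proto= dport=`), the port-to-service mapping, and the thresholds are assumptions; the sample log lines are constructed for the example and are not the 97 events from the report, although the flagged source reuses the reported IP so the output reads like the real case.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (NOT real telemetry from the report).
# Both ACCEPT and DROP are counted: a dropped SYN still tells us the source probed the port.
SAMPLE_LOG = """\
2026-03-07T15:02:11Z ACCEPT src=85.217.140.37 dst=10.0.1.20 proto=tcp dport=21
2026-03-07T15:02:14Z ACCEPT src=85.217.140.37 dst=10.0.1.20 proto=tcp dport=22
2026-03-09T03:41:50Z ACCEPT src=85.217.140.37 dst=10.0.1.25 proto=tcp dport=25
2026-03-15T22:10:02Z DROP src=85.217.140.37 dst=10.0.1.30 proto=tcp dport=1521
2026-03-28T11:07:33Z ACCEPT src=85.217.140.37 dst=10.0.2.8 proto=tcp dport=1883
2026-04-11T04:19:45Z DROP src=85.217.140.37 dst=10.0.1.40 proto=tcp dport=3389
2026-04-20T03:00:09Z ACCEPT src=85.217.140.37 dst=10.0.1.50 proto=tcp dport=6443
2026-04-20T03:00:10Z ACCEPT src=198.51.100.9 dst=10.0.1.50 proto=tcp dport=443
2026-04-20T03:00:11Z ACCEPT src=198.51.100.9 dst=10.0.1.50 proto=tcp dport=443
2026-04-20T03:00:12Z ACCEPT src=198.51.100.9 dst=10.0.1.50 proto=tcp dport=443
2026-04-20T03:05:00Z DROP src=203.0.113.7 dst=10.0.1.20 proto=tcp dport=22
2026-04-20T03:05:01Z DROP src=203.0.113.7 dst=10.0.1.40 proto=tcp dport=3389
this line is malformed and is skipped by the parser
"""

# Assumed mapping of destination port to service family; unknown ports fall into "other".
SERVICE_FAMILIES = {
    21: "FTP", 22: "SSH", 25: "SMTP", 443: "HTTPS", 1521: "Oracle",
    1883: "MQTT", 3389: "RDP", 6443: "HTTPS", 8883: "MQTT",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one assumed-format firewall line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dport": int(m["dport"]),
    }


def detect_multi_protocol_scanners(lines, min_ports=5, min_families=3):
    """Return {src: summary} for sources that probe >= min_ports distinct ports
    spanning >= min_families service families. No time window is applied, so a
    campaign spread over weeks is caught as readily as a fast sweep."""
    per_src = defaultdict(lambda: {"ports": set(), "events": 0, "first": None, "last": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        s = per_src[ev["src"]]
        s["ports"].add(ev["dport"])
        s["events"] += 1
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])

    alerts = {}
    for src, s in per_src.items():
        families = {SERVICE_FAMILIES.get(p, "other") for p in s["ports"]}
        if len(s["ports"]) >= min_ports and len(families) >= min_families:
            alerts[src] = {
                "distinct_ports": len(s["ports"]),
                "ports": sorted(s["ports"]),
                "families": sorted(families),
                "events": s["events"],
                "first_seen": s["first"].isoformat(),
                "last_seen": s["last"].isoformat(),
                "duration_days": (s["last"] - s["first"]).days,
            }
    return alerts


if __name__ == "__main__":
    for src, summary in detect_multi_protocol_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {summary['distinct_ports']} ports, {len(summary['families'])} families, "
              f"{summary['events']} events over {summary['duration_days']} days -> {summary['ports']}")
```

The repeated HTTPS connections from 198.51.100.9 and the two-port probe from 203.0.113.7 stay below the thresholds and are not reported, which is the point of keying on port and family diversity rather than on event volume: the scanner in the sample produces only seven events in six weeks, far too few for a rate-based port-scan rule, yet its spread across FTP, SSH, SMTP, Oracle, MQTT, RDP and HTTPS is what makes it stand out. In production the same logic would run against the full 16-port, 97-event history and the thresholds would be tuned against known-good scanners (vulnerability management, uptime monitors) that are allow-listed by source.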