85.217.140.50

Summary (Bottom Line Up Front)

High-confidence Oracle database reconnaissance activity detected from French IP 85.217.140.50 (AS209334 Modat B.V.) targeting database infrastructure over a 15-day period from March 7-22, 2026. This represents initial attack phase activity that typically precedes Oracle-specific exploitation attempts including privilege escalation and data exfiltration. Immediate blocking and enhanced database monitoring are recommended.

Tags: TCP, TCP/SYN, TLS, TLS/1.0, TLS/1.2+, https, mqtt, mqtts_tls_handshake, oracle
Activity Timeline
Initial report: 2026-03-24T07:24:55Z
Source: Analyst Manual Entry
Technical details
Attack Vector: Multi-protocol reconnaissance campaign using TCP, TLS (1.0/1.2+), HTTPS, MQTT, and Oracle protocols across 6 unique destination ports. Primary focus on Oracle database services (port 1521) with secondary FortiGate infrastructure reconnaissance.
Attack Volume: 220 events over a 15-day period with a sustained activity pattern.
MITRE Mapping: T1018 (Remote System Discovery), indicating the reconnaissance phase of the attack lifecycle.
Key IOCs: Source IP 85.217.140.50 with a 100/100 AbuseIPDB reputation score; "ModatScanner" user agent string observed in HTTPS traffic on port 10250.
Infrastructure: Modat B.V. hosting provider with no reverse DNS resolution, consistent with reconnaissance infrastructure.
IOCs
IP: 85.217.140.50
ASN: 209334
Country: FR
Recommendations
  • Block source IP 85.217.140.50 and monitor for additional IPs from AS209334 (Modat B.V.) conducting similar reconnaissance patterns
  • Implement enhanced logging and monitoring for Oracle database services (port 1521) and review authentication logs for suspicious access attempts
  • Audit FortiGate device configurations and access controls following observed login page reconnaissance activity
  • Deploy network segmentation controls to limit database server exposure and restrict unnecessary protocol access (MQTT/MQTTS)
  • Coordinate with threat intelligence feeds to identify related campaign infrastructure and implement proactive blocking of Modat B.V. scanner infrastructure
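As an added illustration of the monitoring recommended above (not part of the original report), the following Python script matches firewall-style log lines against this report's IOCs (source IP, AS209334, the "ModatScanner" user agent, and ports 1521/10250) and aggregates hits per source by distinct ports and active days, which is the sustained multi-port pattern the report describes. The key=value log format, the sample lines and the internal addresses are constructed assumptions, not data from the report.

```python
import re
from collections import defaultdict

# IOCs taken from the report above.
IOC_IP = "85.217.140.50"
IOC_ASN = "209334"
SCANNER_UA = "ModatScanner"
WATCHED_PORTS = {"1521", "10250"}  # Oracle listener; port where the scanner UA was seen
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Constructed sample lines in an assumed key=value log format (not a real product's output).
SAMPLE_LOGS = """\
ts=2026-03-07T02:11:09Z src=85.217.140.50 asn=209334 dst=10.0.5.20 dport=1521 proto=tcp action=deny
ts=2026-03-07T02:11:10Z src=85.217.140.50 asn=209334 dst=10.0.5.20 dport=1521 proto=tcp action=deny
ts=2026-03-09T14:03:44Z src=85.217.140.50 asn=209334 dst=10.0.5.30 dport=10250 proto=https ua="ModatScanner" action=allow
ts=2026-03-12T09:20:01Z src=85.217.140.50 asn=209334 dst=10.0.5.40 dport=8883 proto=mqtts action=deny
ts=2026-03-12T09:21:17Z src=198.51.100.7 asn=64500 dst=10.0.5.20 dport=1521 proto=tcp action=allow
ts=2026-03-22T22:58:30Z src=85.217.140.50 asn=209334 dst=10.0.5.20 dport=443 proto=https ua="ModatScanner" action=allow
"""

def parse_line(line):
    """Turn one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(event):
    """Return the IOC matches for one event; an empty list means no match."""
    reasons = []
    if event.get("src") == IOC_IP:
        reasons.append("ioc_ip")
    elif event.get("asn") == IOC_ASN:
        reasons.append("ioc_asn")  # sibling host in the same scanner ASN
    if event.get("ua") == SCANNER_UA:
        reasons.append("scanner_ua")
    if event.get("dport") in WATCHED_PORTS:
        reasons.append("watched_port")  # worth review even from an unknown source
    return reasons

def analyze(log_text):
    """Aggregate matches per source: reasons, distinct ports and distinct active days."""
    per_src = defaultdict(lambda: {"reasons": set(), "ports": set(), "days": set(), "events": 0})
    for line in log_text.splitlines():
        ev = parse_line(line)
        reasons = classify(ev)
        if not reasons:
            continue
        s = per_src[ev["src"]]
        s["reasons"].update(reasons)
        s["ports"].add(ev["dport"])
        s["days"].add(ev["ts"][:10])  # date part of the ISO timestamp
        s["events"] += 1
    return dict(per_src)
```

A source with several distinct ports spread over several days, as the IOC IP shows here, is the pattern to escalate; a single watched-port hit from an unknown source only warrants review.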