Summary (Bottom Line Up Front)
External host 85.50.194.51 (Orange Espagne SA/Spain) conducted SMB1 protocol reconnaissance targeting legacy implementations on non-standard ports between February 27-March 8, 2026. This activity represents MEDIUM-risk reconnaissance with potential preparation for SMB-based exploitation campaigns. Immediate blocking and SMB1 protocol hardening recommended.
Activity Timeline
INITIAL REPORT 2026-03-15T09:10:13Z
Source: Analyst Manual Entry
External host 85.50.194.51 (Orange Espagne SA/Spain) conducted SMB1 protocol reconnaissance targeting legacy implementations on non-standard ports between February 27-March 8, 2026. This activity represents MEDIUM-risk reconnaissance with potential preparation for SMB-based exploitation campaigns. Immediate blocking and SMB1 protocol hardening recommended.
Technical details
- Source: 85.50.194.51 (AS12479 Orange Espagne SA, Águilas, Spain)
- Activity Period: February 27, 2026 07:00 - March 8, 2026 05:00 UTC
- Attack Vector: SMB1 protocol negotiation using legacy NT LM 0.12 dialect
- Target Ports: Non-standard SMB ports including 9001
- MITRE Technique: T1190 (Exploit Public-Facing Application)
- Kill Chain Phase: Reconnaissance
- Volume: 17 events across 2 unique destination ports
- AbuseIPDB Score: 100/100 (maximum malicious rating)
- Open Services: MySQL (3306), TeamSpeak (10011), DVR/Camera (37777)
IOCs
IP:85.50.194.51
ASN:12479
COUNTRY:ES
Recommendations
- Block IP 85.50.194.51 at network perimeter and add to threat intelligence feeds
- Disable SMB1 protocol across all Windows systems and network devices immediately
- Audit and restrict SMB traffic to standard ports (445/139) with proper authentication
- Monitor for additional SMB1 negotiation attempts on non-standard ports
- Review logs for any successful SMB connections from this source IP for potential compromise assessment
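Added example (not part of the original report): one way to implement the monitoring recommendation above is to parse captured TCP payloads for an SMB1 negotiate request and flag the NT LM 0.12 dialect on ports other than 445/139. The function names are hypothetical, the sample packet is constructed, and the code assumes the payload starts at the 4-byte session header.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
STANDARD_SMB_PORTS = {139, 445}
LEGACY_DIALECT = "NT LM 0.12"

def parse_smb1_negotiate(payload: bytes):
    """Return the dialect list of an SMB1 negotiate request, or None."""
    if len(payload) < 4 + 35 or payload[0] != 0x00:
        return None                      # too short, or not a session message
    # Session header: type byte, then length read as 24-bit big-endian
    smb = payload[4:4 + int.from_bytes(payload[1:4], "big")]
    if len(smb) < 35 or smb[:4] != SMB1_MAGIC or smb[4] != SMB_COM_NEGOTIATE:
        return None
    if smb[9] & 0x80:                    # Flags reply bit: server response
        return None
    off = 33 + 2 * smb[32]               # skip WordCount and parameter words
    if off + 2 > len(smb):
        return None
    (byte_count,) = struct.unpack_from("<H", smb, off)
    data = smb[off + 2:off + 2 + byte_count]
    dialects, pos = [], 0
    while pos < len(data) and data[pos] == 0x02:   # 0x02 = dialect buffer format
        end = data.find(b"\x00", pos + 1)
        if end == -1:
            break                        # truncated string: keep what parsed
        dialects.append(data[pos + 1:end].decode("ascii", "replace"))
        pos = end + 1
    return dialects

def assess(dst_port: int, payload: bytes):
    """Describe an SMB1 negotiate seen on dst_port; None if it is not one."""
    dialects = parse_smb1_negotiate(payload)
    if dialects is None:
        return None
    return {"dst_port": dst_port, "dialects": dialects,
            "legacy_dialect": LEGACY_DIALECT in dialects,
            "nonstandard_port": dst_port not in STANDARD_SMB_PORTS}

def sample_negotiate(dialects):
    """Constructed sample input: a minimal SMB1 negotiate request."""
    header = SMB1_MAGIC + bytes([SMB_COM_NEGOTIATE]) + b"\x00" * 27
    body = b"".join(b"\x02" + d.encode("ascii") + b"\x00" for d in dialects)
    smb = header + b"\x00" + struct.pack("<H", len(body)) + body
    return b"\x00" + len(smb).to_bytes(3, "big") + smb

if __name__ == "__main__":
    print(assess(9001, sample_negotiate(["NT LM 0.12"])))
    print(assess(9001, b"GET / HTTP/1.1\r\n\r\n"))
```

Alert when both `legacy_dialect` and `nonstandard_port` are true; a `None` result means the payload was not an SMB1 negotiate request.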