Confidence Level

98%

Very High?

Geolocation

🇨🇳

ChinaHangzhou

ISPHangzhou Alibaba Advertising Co.,Ltd.

ASNAS37963

Activity Timeline

First seenJan 20, 2026, 05:45 PM

Last seen29m ago

First reportedMar 9, 2026, 09:34 PM

Last reported5h ago

271Sessions

1,201Events

1Reports

Protocol Breakdown

HTTPS

27 / 520

TELNET

57 / 352

SSH

157 / 259

DOCKER

29 / 69

HTTP

1 / 1

121.43.125.129 has a very high threat confidence level of 98%, originating from Hangzhou, China, on the Hangzhou Alibaba Advertising Co.,Ltd. network (37963). It has been observed across 271 sessions targeting HTTPS, TELNET, SSH, DOCKER, HTTP, with detected attack patterns including docker remote exec via api, First observed on January 20, 2026, most recently active March 10, 2026.

Behaviors

Classified behavioral patterns observed

Docker Remote Exec Via Api

high10x

Attacker interaction with an exposed Docker Engine API resulting in container enumeration followed by remote command execution inside running containers. The sequence of GET /containers/json and subsequent POST /containers/{id}/exec and /exec/{id}/start calls represents deliberate hands-on-keyboard activity where the adversary uses the Docker daemon as a control plane to execute commands, deploy payloads, or pivot further within the host environment. This behavior reflects active container abuse observed directly through high-interaction honeypot instrumentation.

Primitives

Individual actions observed

Telnet Echo Hex Escape Sequence Output95 Docker Post Method83 Docker Container Exec Path56 Telnet Wget Sh No Check Certificate Quiet Stdout Exec48 Telnet Command Shell47 Telnet Command Enable47 Telnet Command Sh46 Telnet Command System46 Https Body Wget Curl Pipe To Sh Apache Selfrep31 Https Php Ini Directive Injection Allow Url Include Auto Prepend File30 Docker Get Method29 Docker List Containers Endpoint29 Docker Exec Start Endpoint27 Ssh Password Authenthication.27 Https Query Thinkphp Invokefunction Md5 Probe18 Https Path Root15 Https Phpunit Eval Stdin Rce Probe15 Https Cgi Bin Percent Encoded Directory Traversal Bin Sh15

User Reports

1 report from 1 contributor

Date	Category	Protocol	Comment
Mar 9, 2026	Brute Force	SSH	SikkerGuard: 2 blocked packets

Related Threats

Explore related threat intelligence

🇨🇳More threats fromChina ASMore threats fromHangzhou Alibaba Advertising Co.,Ltd.HTTPSMore threats targetingHTTPS TELNETMore threats targetingTELNET SSHMore threats targetingSSH DOCKERMore threats targetingDOCKER HTTPMore threats targetingHTTP { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
47.105.86.190	83%	27,690
47.102.97.229	30%	2
139.129.13.203	85%	29,520
47.121.189.28	62%	43
119.23.238.54	53%	596

IP Address	Confidence	Events
47.105.207.193	84%	1,587
115.190.24.136	100%	688
42.180.130.120	65%	160
120.209.186.110	80%	111
47.93.1.160	82%	16,714