180.76.172.156 — Beijing Baidu Netcom Science and Technology Co., Ltd., CN — Very High (100%)

Check an IP Address, Domain Name, Subnet, or ASN

180.76.172.156 was found in our database!

Confidence Level

100%

Very High?

Geolocation

🇨🇳

China

ISPBeijing Baidu Netcom Science and Technology Co., Ltd.

ASNAS38365

Activity Timeline

First seenJan 20, 2026, 03:57 PM

Last seen1h ago

First reportedFeb 27, 2026, 12:16 AM

Last reported4d ago

604Sessions

2,249Events

1Reports

Protocol Breakdown

TELNET

157 / 794

HTTP

30 / 658

SSH

333 / 482

HTTPS

45 / 212

DOCKER

39 / 103

180.76.172.156 has a very high threat confidence level of 100%, originating from China, on the Beijing Baidu Netcom Science and Technology Co., Ltd. network (38365). It has been observed across 604 sessions targeting TELNET, HTTP, SSH, HTTPS, DOCKER, with detected attack patterns including http mass web rce exploitation scanning, docker remote exec via api, First observed on January 20, 2026, most recently active March 3, 2026.

Behaviors

Classified behavioral patterns observed

Http Mass Web Rce Exploitation Scanning

high21x

Coordinated automated exploitation attempts targeting public-facing web services, including PHPUnit eval-stdin access, PHP-CGI argument injection, Docker API exposure, directory traversal, ThinkPHP invokeFunction abuse, and command execution patterns (wget/curl pipe to shell). Identifies opportunistic bot-driven RCE scanning and framework-specific exploit chaining against internet-exposed applications.

Docker Remote Exec Via Api

high12x

Unauthenticated or externally triggered interaction with the Docker Engine HTTP API resulting in container enumeration (GET /containers/json) followed by multiple POST /containers/{id}/exec and /exec/{id}/start calls. This pattern strongly indicates remote command execution inside running containers through the Docker daemon. In honeypot telemetry this is typically associated with attackers abusing exposed Docker sockets (2375/2376) to gain execution, deploy payloads, or stage further compromise.

Primitives

Individual actions observed

Http Method Get990 Http Php Echo Md5 Hello Phpunit Marker863 Telnet Echo Hex Escape Sequence Output198 Docker Post Method109 Telnet Command Sh99 Telnet Command Shell99 Telnet Command System99 Telnet Wget Sh No Check Certificate Quiet Stdout Exec99 Telnet Command Enable98 Https Body Wget Curl Pipe To Sh Apache Selfrep83 Https Php Ini Directive Injection Allow Url Include Auto Prepend File76 Docker Container Exec Path73 Http Body Wget Curl Pipe To Sh Selfrep52 Http Php Shell Exec Base64 Decode Cve 2024 4577 Attempt51 Http Php Cgi Allow Url Include Auto Prepend Input Injection51 Http Thinkphp Invokefunction Call User Func Array Md546 Https Cgi Bin Percent Encoded Directory Traversal Bin Sh40 Https Path Root38 Docker Get Method38 Docker List Containers Endpoint38

User Reports

1 report from 1 contributor

Date	Category	Protocol	Comment
Feb 27, 2026	Brute Force	SSH	SikkerGuard: 2 blocked packets

Related Threats

Explore related threat intelligence

🇨🇳More threats fromChina ASMore threats fromBeijing Baidu Netcom Science and Technology Co., Ltd.TELNETMore threats targetingTELNET HTTPMore threats targetingHTTP SSHMore threats targetingSSH HTTPSMore threats targetingHTTPS DOCKERMore threats targetingDOCKER { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
106.12.29.184	100%	658
120.48.52.58	100%	668
106.13.181.87	53%	362
180.76.202.69	100%	629
106.13.121.235	100%	677

IP Address	Confidence	Events
39.103.198.31	83%	678
210.14.142.89	100%	840
122.115.225.109	100%	504
106.12.29.184	100%	660
36.134.69.15	100%	487