Confidence Level

100%

Very High?

Geolocation

🇺🇸

United StatesNorth Bergen

ISPDigitalOcean, LLC

ASNAS14061

Activity Timeline

First seenFeb 23, 2026, 12:24 PM

Last seen7m ago

169Sessions

169Events

Protocol Breakdown

SSH

117 / 117

REDIS

45 / 45

ELASTICSEARCH

6 / 6

MSSQL

1 / 1

24.199.94.250 has a very high threat confidence level of 100%, originating from North Bergen, United States, on the DigitalOcean, LLC network (14061). It has been observed across 169 sessions targeting SSH, REDIS, ELASTICSEARCH, MSSQL, with detected attack patterns including ssh host fingerprint and shell rc immutable removal, First observed on February 23, 2026, most recently active March 10, 2026.

Behaviors

Classified behavioral patterns observed

Ssh Host Fingerprint And Shell Rc Immutable Removal

very_high111x

Execution of a multi-command host fingerprinting script that collects kernel details, architecture, uptime, CPU count and model, GPU information, login history, and binary help characteristics, combined with chattr -i $HOME/.bashrc $HOME/.zshrc 2>/dev/null || true to remove the immutable attribute from user shell initialization files in the current user’s home directory.

Redis Automated Service Fingerprinting Sequence

low4x

Identifies an automated Redis service probing sequence consisting of PING, INFO (uppercase invocation), execution of a deliberately nonexistent command to assess error handling behavior, and QUIT. This tightly grouped pattern reflects reconnaissance and fingerprinting activity used by scanners and exploitation frameworks to determine Redis version, configuration details, and command availability prior to follow-on exploitation attempts. The inclusion of a nonexistent command indicates capability probing rather than normal client interaction.

Elastic Service Validation And Index Enumeration

low2x

Client first performs a generic request to the Elasticsearch root endpoint to verify service availability, then proceeds to request /_cat/indices. This sequence reflects staged Elasticsearch reconnaissance where the actor validates that the cluster is reachable before attempting index enumeration and data exposure assessment. Compared to direct index enumeration behaviors, the interaction begins with a service-validation step, suggesting adaptive probing rather than immediate Elasticsearch-specific targeting.

Primitives

Individual actions observed

Ssh Compute And Environment Fingerprint Script111 Unix Chattr Remove Immutable Flag Home Shell Rc111 Elastic Http Get Request19 Redis Command Http Host Header Port 637913 Redis Command Http Connection Close11 Redis Command Http User Agent Go Http Client 1 18 Redis Ping6 Redis Info Uppercase6 Redis Nonexistent Command5 Redis Quit4 Elastic Root Path Probe4 Elastic Http Bad Request Path Probe4 Elastic Cat Indices Enumeration2 Redis Command Get Solr Admin Cores Status Http112

Related Threats

Explore related threat intelligence

🇺🇸More threats fromUnited States ASMore threats fromDigitalOcean, LLC SSHMore threats targetingSSH REDISMore threats targetingREDIS ELASTICSEARCHMore threats targetingELASTICSEARCH MSSQLMore threats targetingMSSQL { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
167.71.115.113	90%	3,410
139.59.6.234	69%	25
142.93.7.213	50%	190
167.172.106.60	88%	113
142.93.166.69	63%	34

IP Address	Confidence	Events
130.12.180.53	91%	17,965
104.234.32.189	84%	968
185.218.138.20	97%	1,084
91.92.243.52	91%	17,565
130.12.180.101	91%	17,294