Confidence Level

99%

Very High?

Geolocation

🇮🇳

IndiaNoida

ISPCtrlS

ASNAS18229

Activity Timeline

First seenFeb 6, 2026, 08:31 AM

Last seen29d ago

29Sessions

814Events

Protocol Breakdown

HTTPS

9 / 424

HTTP

6 / 288

DOCKER

10 / 60

TELNET

3 / 39

SSH

1 / 3

45.194.90.45 has a threat confidence score of 99%. This IP address from India (AS18229, CtrlS) has been observed in 29 honeypot sessions targeting HTTPS, HTTP, DOCKER, TELNET, SSH protocols. Detected attack patterns include docker remote exec via api, http mass web rce exploitation scanning. First observed on February 6, 2026, most recently active February 10, 2026.

Behaviors

Classified behavioral patterns observed

Docker Remote Exec Via Api

high10x

Unauthenticated or externally triggered interaction with the Docker Engine HTTP API resulting in container enumeration (GET /containers/json) followed by multiple POST /containers/{id}/exec and /exec/{id}/start calls. This pattern strongly indicates remote command execution inside running containers through the Docker daemon. In honeypot telemetry this is typically associated with attackers abusing exposed Docker sockets (2375/2376) to gain execution, deploy payloads, or stage further compromise.

Http Mass Web Rce Exploitation Scanning

high6x

Coordinated automated exploitation attempts targeting public-facing web services, including PHPUnit eval-stdin access, PHP-CGI argument injection, Docker API exposure, directory traversal, ThinkPHP invokeFunction abuse, and command execution patterns (wget/curl pipe to shell). Identifies opportunistic bot-driven RCE scanning and framework-specific exploit chaining against internet-exposed applications.

Primitives

Individual actions observed

Http Method Get258 Http Php Echo Md5 Hello Phpunit Marker222 Docker Post Method30 Docker Container Exec Path20 Https Query Thinkphp Invokefunction Md5 Probe16 Https Body Wget Curl Pipe To Sh Apache Selfrep16 Https Php Ini Directive Injection Allow Url Include Auto Prepend File16 Http Body Wget Curl Pipe To Sh Selfrep12 Http Thinkphp Invokefunction Call User Func Array Md512 Http Php Shell Exec Base64 Decode Cve 2024 4577 Attempt12 Http Php Cgi Allow Url Include Auto Prepend Input Injection12 Docker Get Method10 Docker Exec Start Endpoint10 Docker List Containers Endpoint10 Https Path Root8 Https Phpunit Eval Stdin Rce Probe8 Https Cgi Bin Percent Encoded Directory Traversal Bin Sh8 Http Cgi Bin Direct Bin Sh Access6 Telnet Echo Hex Escape Sequence Output6 Http Phpunit Eval Stdin Php Path Access6

Related Threats

Explore related threat intelligence

🇮🇳More threats fromIndia ASMore threats fromCtrlS HTTPSMore threats targetingHTTPS HTTPMore threats targetingHTTP DOCKERMore threats targetingDOCKER TELNETMore threats targetingTELNET SSHMore threats targetingSSH { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
182.18.161.165	100%	946
103.161.31.4	31%	110
103.77.27.114	35%	3
182.18.180.44	79%	19,387
36.255.3.203	100%	808

IP Address	Confidence	Events
98.70.219.245	77%	15
203.192.197.194	50%	22
103.106.155.133	58%	24
45.115.176.141	99%	6
122.165.41.79	46%	7