Confidence Level

100%

Very High?

Geolocation

🇸🇬

Singapore

ISPAlibaba US Technology Co., Ltd.

ASNAS45102

Activity Timeline

First seenJan 23, 2026, 10:30 AM

Last seen1h ago

First reportedMar 4, 2026, 07:40 AM

Last reported4d ago

300Sessions

977Events

2Reports

Protocol Breakdown

DOCKER

95 / 274

HTTPS

26 / 267

TELNET

60 / 239

SSH

118 / 196

HTTP

1 / 1

47.236.171.142 has a very high threat confidence level of 100%, originating from Singapore, on the Alibaba US Technology Co., Ltd. network (45102). It has been observed across 300 sessions targeting DOCKER, HTTPS, TELNET, SSH, HTTP, with detected attack patterns including docker remote exec via api, http mass web rce exploitation scanning, First observed on January 23, 2026, most recently active March 10, 2026.

Behaviors

Classified behavioral patterns observed

Docker Remote Exec Via Api

high35x

Attacker interaction with an exposed Docker Engine API resulting in container enumeration followed by remote command execution inside running containers. The sequence of GET /containers/json and subsequent POST /containers/{id}/exec and /exec/{id}/start calls represents deliberate hands-on-keyboard activity where the adversary uses the Docker daemon as a control plane to execute commands, deploy payloads, or pivot further within the host environment. This behavior reflects active container abuse observed directly through high-interaction honeypot instrumentation.

Http Mass Web Rce Exploitation Scanning

high1x

Coordinated automated exploitation attempts targeting public-facing web services, including PHPUnit eval-stdin access, PHP-CGI argument injection, Docker API exposure, directory traversal, ThinkPHP invokeFunction abuse, and command execution patterns (wget/curl pipe to shell). Identifies opportunistic bot-driven RCE scanning and framework-specific exploit chaining against internet-exposed applications.

Primitives

Individual actions observed

Docker Post Method266 Docker Container Exec Path178 Telnet Echo Hex Escape Sequence Output100 Docker Get Method93 Docker List Containers Endpoint93 Docker Exec Start Endpoint88 Telnet Command Enable49 Telnet Command Sh48 Telnet Command Shell48 Telnet Command System47 Telnet Wget Sh No Check Certificate Quiet Stdout Exec47 Http Method Get42 Ssh Password Authenthication.37 Http Php Echo Md5 Hello Phpunit Marker37 Https Php Ini Directive Injection Allow Url Include Auto Prepend File24 Https Query Thinkphp Invokefunction Md5 Probe23 Https Body Wget Curl Pipe To Sh Apache Selfrep22 Https Path Root12 Https Phpunit Eval Stdin Rce Probe12 Https Cgi Bin Percent Encoded Directory Traversal Bin Sh11

User Reports

2 reports from 1 contributor

Date	Category	Protocol	Comment
Mar 6, 2026	Brute Force	TELNET	SikkerGuard: 4 blocked packets
Mar 4, 2026	Brute Force	TELNET	SikkerGuard: 2 blocked packets

Related Threats

Explore related threat intelligence

🇸🇬More threats fromSingapore ASMore threats fromAlibaba US Technology Co., Ltd.DOCKERMore threats targetingDOCKER HTTPSMore threats targetingHTTPS TELNETMore threats targetingTELNET SSHMore threats targetingSSH HTTPMore threats targetingHTTP { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
8.217.99.201	84%	2,081
47.83.201.2	61%	18
8.216.6.206	35%	3
47.83.217.124	59%	25
47.238.96.199	55%	21

IP Address	Confidence	Events
139.59.110.5	89%	160
152.42.218.175	78%	122
45.78.198.162	100%	611
15.235.182.207	56%	1
139.59.97.17	46%	7