Confidence Level

92%

Very High?

Geolocation

🇺🇸

United StatesLos Angeles

ISPMULTACOM CORPORATION

ASNAS35916

Activity Timeline

First seenFeb 6, 2026, 07:14 PM

Last seen27d ago

4Sessions

105Events

Protocol Breakdown

HTTP

2 / 96

DOCKER

1 / 6

SSH

1 / 3

74.48.118.149 has a very high threat confidence level of 92%, originating from Los Angeles, United States, on the MULTACOM CORPORATION network (35916). It has been observed across 4 sessions targeting HTTP, DOCKER, SSH, with detected attack patterns including http mass web rce exploitation scanning, docker remote exec via api, First observed on February 6, 2026, most recently active February 11, 2026.

Behaviors

Classified behavioral patterns observed

Http Mass Web Rce Exploitation Scanning

high2x

Coordinated automated exploitation attempts targeting public-facing web services, including PHPUnit eval-stdin access, PHP-CGI argument injection, Docker API exposure, directory traversal, ThinkPHP invokeFunction abuse, and command execution patterns (wget/curl pipe to shell). Identifies opportunistic bot-driven RCE scanning and framework-specific exploit chaining against internet-exposed applications.

Docker Remote Exec Via Api

high1x

Unauthenticated or externally triggered interaction with the Docker Engine HTTP API resulting in container enumeration (GET /containers/json) followed by multiple POST /containers/{id}/exec and /exec/{id}/start calls. This pattern strongly indicates remote command execution inside running containers through the Docker daemon. In honeypot telemetry this is typically associated with attackers abusing exposed Docker sockets (2375/2376) to gain execution, deploy payloads, or stage further compromise.

Primitives

Individual actions observed

Http Method Get86 Http Php Echo Md5 Hello Phpunit Marker74 Http Body Wget Curl Pipe To Sh Selfrep4 Http Thinkphp Invokefunction Call User Func Array Md54 Http Php Shell Exec Base64 Decode Cve 2024 4577 Attempt4 Http Php Cgi Allow Url Include Auto Prepend Input Injection4 Docker Post Method3 Docker Container Exec Path2 Http Cgi Bin Direct Bin Sh Access2 Http Phpunit Eval Stdin Php Path Access2 Http Phpunit License Eval Stdin Path Probe2 Http Docker Api Containers Json Path Access2 Http Phpunit Util Php Eval Stdin Path Access2 Http Root Phpunit Src Eval Stdin Path Access2 Http Root Phpunit Util Eval Stdin Path Access2 Http Double Vendor Phpunit Eval Stdin Path Probe2 Http Phpunit Src Util Php Eval Stdin Path Access2 Http Root Phpunit Util Php Eval Stdin Path Access2 Http Lang Parameter Deep Path Traversal Tmp Index12 Http Pearcmd Config Create Path Traversal Md5 Write2

Related Threats

Explore related threat intelligence

🇺🇸More threats fromUnited States ASMore threats fromMULTACOM CORPORATION HTTPMore threats targetingHTTP DOCKERMore threats targetingDOCKER SSHMore threats targetingSSH { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
142.171.95.117	88%	274
142.171.227.226	83%	9
66.154.124.165	100%	857
148.135.91.153	23%	1
66.154.125.60	100%	772

IP Address	Confidence	Events
192.241.137.129	97%	30
130.12.180.80	97%	20,136
130.12.180.53	91%	19,280
23.94.28.163	97%	1,517
143.198.117.108	99%	52