Confidence Level

97%

Very High?

Geolocation

🇸🇬

Singapore

ISPAlibaba US Technology Co., Ltd.

ASNAS45102

Activity Timeline

First seenJan 21, 2026, 09:11 AM

Last seen5h ago

177Sessions

917Events

Protocol Breakdown

TELNET

60 / 361

HTTPS

26 / 353

DOCKER

38 / 107

SSH

53 / 96

8.222.225.103 has a very high threat confidence level of 97%, originating from Singapore, on the Alibaba US Technology Co., Ltd. network (45102). It has been observed across 177 sessions targeting TELNET, HTTPS, DOCKER, SSH, with detected attack patterns including docker remote exec via api, First observed on January 21, 2026, most recently active March 6, 2026.

Behaviors

Classified behavioral patterns observed

Docker Remote Exec Via Api

high13x

Unauthenticated or externally triggered interaction with the Docker Engine HTTP API resulting in container enumeration (GET /containers/json) followed by multiple POST /containers/{id}/exec and /exec/{id}/start calls. This pattern strongly indicates remote command execution inside running containers through the Docker daemon. In honeypot telemetry this is typically associated with attackers abusing exposed Docker sockets (2375/2376) to gain execution, deploy payloads, or stage further compromise.

Primitives

Individual actions observed

Telnet Echo Hex Escape Sequence Output114 Docker Post Method108 Docker Container Exec Path72 Telnet Command Sh57 Telnet Command Shell57 Telnet Command Enable57 Telnet Command System57 Telnet Wget Sh No Check Certificate Quiet Stdout Exec57 Docker Get Method36 Docker Exec Start Endpoint36 Docker List Containers Endpoint36 Https Body Wget Curl Pipe To Sh Apache Selfrep30 Ssh Password Authenthication.25 Https Query Thinkphp Invokefunction Md5 Probe23 Https Phpunit Eval Stdin Rce Probe15 Https Cgi Bin Percent Encoded Directory Traversal Bin Sh15 Https Php Ini Directive Injection Allow Url Include Auto Prepend File15

Related Threats

Explore related threat intelligence

🇸🇬More threats fromSingapore ASMore threats fromAlibaba US Technology Co., Ltd.TELNETMore threats targetingTELNET HTTPSMore threats targetingHTTPS DOCKERMore threats targetingDOCKER SSHMore threats targetingSSH { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
47.238.238.18	90%	21,488
47.84.17.50	75%	3
47.253.5.130	98%	440
8.215.38.113	85%	41
8.209.246.104	96%	135

IP Address	Confidence	Events
45.78.198.194	100%	426
134.122.176.63	81%	701
172.70.92.167	6%	20
139.59.243.113	63%	10
172.70.92.166	6%	20