Analyze everything or move straight to network-level blocking?

One IP. Four days. Nearly 900 user agents. Over 3,000 probes. Sometimes a single IP address tells you everything you need to know about how industrialized internet scanning has become.

ELLIO threat intelligence dashboard showing IP 93.123.109.205 from Amsterdam marked as malicious, with MITRE ATT&CK tactics, CVE vulnerabilities, and various exploit detectors including Setup.php, Jenkins, and SQL injection

Between March 6–12, a single IP address 93.123.109.205, hosted on DMZHOST in Amsterdam, lit up ELLIO Honeypot Network. What followed was a scanning spree:

• 37 detection signatures triggered
• 3,117 unique HTTP paths probed
• 899 distinct user-agent strings observed
• 7 different ports targeted

The activity included 16 exploit signatures and 21 reconnaissance/scanner signatures, touching a surprisingly wide attack surface:

Network appliances
• Cisco ASA / FTD
• Palo Alto GlobalProtect
• Sangfor
• SonicWall

Web frameworks
• WordPress
• Laravel
• ThinkPHP
• Apache OFBiz
• Jenkins

Enterprise platforms
• SAP NetWeaver
• Microsoft Exchange
• Zimbra
• Zabbix

Infrastructure targets
• Docker
• WSMAN / WinRM
• WSUS (CVE-2025-59287)
IoT / embedded devices
• TP-Link Archer AX21
• TBK DVR
• D-Link

Plus the usual web exploitation attempts:
SQL injection, XSS, LFI, path traversal, .env harvesting, and React2Shell.

ELLIO threat detection dashboard showing 37 security tags from one IP address, with 16 exploit signatures and 21 reconnaissance/scanner signatures detected over 4 days

ELLIO Platform ports timeline dashboard showing IP 93.123.109.205 with 7 open ports (443 HTTPS, 80 HTTP, 8080 HTTP, 27017 MongoDB, 43800, 61616, 8443 HTTPS) tracked from Dec 11 to Mar 11, with port 61616 flagged as spoofable

Attack Surface Map showing systematic probing across 7 ports covering Network Appliances, Web Frameworks, Enterprise Systems, Infrastructure, IoT/Embedded devices, and Web Attacks categories

Even the user-agent strings were unusual.
Among the 899 unique UAs, we saw fabricated OS identifiers like:
“CentOS Chrome 134.0”
“Fedora Chrome 137.0”
Some even contained embedded Shellshock payloads.

At the fingerprinting level, the activity was highly consistent:
• MuonFP: 42340:2-4-8-1-3:1460:12
• Two JA3 hashes
• Two JA4 hashes
• All connections classified as non-spoofable

ELLIO Platform fingerprints timeline showing IP 93.123.109.205 with 5 detected fingerprints including MuonFP, JA3, and JA4 signatures tracked from December to March

ELLIO fingerprint analysis showing consistent tooling across 899 user agents with only 1 MuonFP and 2 JA3/JA4 fingerprints, displaying technical details for each fingerprint type

Looking deeper at the infrastructure reveals a familiar pattern.
The hosting provider’s corporate footprint has cycled through multiple shell companies, all registered at the same London virtual office:

35 Firs Avenue, London N11 3NE
• Pre-2016 — Dmzhost Limited (Seychelles)
• 2016–2018 — Jupiter 25 Limited (UK)
• 2019–2024 — PPTECHNOLOGY LIMITED (UK)
• 2024–present — TECHOFF SRV LIMITED (UK) (current RIPE registrant for AS48090)

Four entities. One address. Continuous operation.
And this isn’t new.
This infrastructure has shown persistent scanning activity for nearly a decade, with the same patterns appearing repeatedly from the surrounding IP ranges.

At some point, the conclusion becomes obvious.
When activity originates from long-standing bulletproof hosting infrastructure, spending hours analyzing individual exploit attempts isn’t the best use of a defender’s time.

Sometimes the most efficient response is simply:
Block the IP range.
And focus your investigation effort on threats that actually require it.

How does your team handle abuse from persistent scanning infrastructure like this?
Do you analyze everything or move straight to network-level blocking?

Screenshot showing ELLIO's /24 Block infrastructure analysis for 93.123.109.0/24 network with 19 active IPs in Amsterdam, highlighting malicious activities including SSH brute force attacks, vulnerability scanning, and various network scanners across multiple IP addresses.

About ELLIO

ELLIO is a research-driven cybersecurity lab with a strong focus on mass exploitation and reconnaissance activity. ELLIO delivers IP-based threat intelligence, network fingerprints, and highly dynamic feeds for event prioritization and data enrichment across existing SIEM, SOAR, and other security tools. Beyond intelligence, ELLIO provides ultimate IP blocking for next-gen firewalls, a platform for centrally managing all multi-vendor blocklists and whitelists, and additional services such as network masking against scanners and eBPF-based filters that combine IP intelligence with modern network fingerprints to protect against active malicious and overly curious (promiscuous) traffic.

Enter the ELLIO Threat Platform and see mass exploitation and reconnaissance activity as they happen: https://platform.ellio.tech

Written by

ELLIO Community Team

A team of passionate brand evangelists at ELLIO, connecting and supporting the cybersecurity community through events, knowledge sharing, and collaboration.

Coordinated Credential-Stuffing Campaign Targets Palo Alto GlobalProtect Portals

A coordinated credential-stuffing campaign hit GlobalProtect VPN portals with 8,575 IPs in 48 hours. Three attack waves, 78 targeted usernames, one password. Our team breaks down the timeline, infrastructure, fingerprints, and what defenders can do.

ELLIO Threat Research Lab · Feb 26, 2026

Analyze everything or move straight to network-level blocking?

Read next

IP Blocking vs TCP Fingerprint Blocking: How to Use and Combine Them

From Scan to Exploit: Inside the Latest Cisco ASA/FTD Campaign

Coordinated Credential-Stuffing Campaign Targets Palo Alto GlobalProtect Portals