
Port 445 Attacks from Three Indonesian IPs: Findings and Analysis

A T-Pot honeypot logged three distinct Indonesian IP addresses scanning port 445 roughly 80,000 times. Using OSINT tools — IPInfo, AbuseIPDB, Shodan, and Whois — this investigation traces the traffic back to residential proxies, misconfigured MikroTik routers, and what may be a single threat actor hiding behind legitimate Indonesian ISPs.

Narek Grigoryan

SOC Analyst, Cybersecurity Reach Foundation

Executive Summary

Port 445 carries the SMB (Server Message Block) protocol, which handles file sharing and inter-device communication between Windows hosts. Though SMB is a useful protocol that permits efficient workflows in enterprise environments, an unsecured port 445 is a well-known target for threat actors. Traffic probing another device's unsecured port 445 is suspicious at best, and more so when the source device is located on another continent.

T-Pot Findings

T-Pot — a honeypot that logs attacks — logged three distinct IPs that, in total, scanned the honeypot about 80,000 times, far more than any other individual IP. All three IPs originated from different locations within Indonesia, which raises the question of why a foreign router wants to reach an unsecured port on what it assumes is a legitimate device. The three IPs that probed the honeypot were 157.85.212.10, 157.10.107.99, and 157.15.117.26, in chronological order. For simplicity, each IP is referred to by a number based on the time of its attack.

Label   IP Address      Location (City)            Date Active
IP 1    157.85.212.10   Soreang, West Java         May 20, 2026
IP 2    157.10.107.99   Astana Hilir, West Java    May 20, 2026
IP 3    157.15.117.26   Medan, North Sumatra       Jun 2, 2026
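The "three IPs with far more hits than anyone else" observation comes from aggregating honeypot events by source. The script below is an added example, not code from the investigation or from the T-Pot project: it parses newline-delimited JSON events, counts port 445 hits per source, flags sources far above the median (a statistic that a few heavy scanners cannot drag upward, unlike the mean), and numbers the flagged sources by first appearance the way the investigation does. The event lines are constructed, and the field names src_ip, dest_port and timestamp are assumptions rather than T-Pot's documented export schema.

```python
"""Rank honeypot sources by port 445 connection volume.

Added example, not code from the original investigation or from the T-Pot
project. The events below are constructed to resemble newline-delimited JSON
as a honeypot sensor might export it; the field names src_ip, dest_port and
timestamp are assumptions, not T-Pot's documented schema.
"""
import json
from collections import Counter
from statistics import median


def _events(ip, port, first, count):
    """Build `count` events from one source, one minute apart (constructed data)."""
    return [{"timestamp": f"{first}{i:02d}:00Z", "src_ip": ip, "dest_port": port}
            for i in range(count)]


# Constructed sample: three heavy scanners plus forty low-volume background sources.
_SAMPLE = (
    _events("157.85.212.10", 445, "2026-05-20T02:", 30)
    + _events("157.85.212.10", 22, "2026-05-20T02:", 3)      # off-target noise, must be ignored
    + _events("157.10.107.99", 445, "2026-05-20T14:", 28)
    + _events("157.15.117.26", 445, "2026-06-02T09:", 35)
)
for _i in range(40):
    _SAMPLE += _events(f"198.51.100.{_i + 1}", 445, "2026-05-21T10:", 1 + _i % 3)
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _SAMPLE) + "\nnot json\n"


def parse_events(ndjson):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in ndjson.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def count_by_source(ndjson, port=445):
    """Return (hits per source IP on `port`, first timestamp seen per source)."""
    counts = Counter()
    first_seen = {}
    for ev in parse_events(ndjson):
        if ev.get("dest_port") != port or not ev.get("src_ip"):
            continue
        counts[ev["src_ip"]] += 1
        first_seen.setdefault(ev["src_ip"], ev.get("timestamp", ""))
    return counts, first_seen


def top_talkers(counts, factor=10):
    """Sources whose hit count exceeds `factor` times the median source."""
    if not counts:
        return []
    threshold = factor * median(counts.values())
    return [ip for ip, hits in counts.most_common() if hits > threshold]


def label_chronologically(ips, first_seen):
    """Number flagged sources by first appearance (ISO timestamps sort as strings)."""
    ordered = sorted(ips, key=lambda ip: first_seen.get(ip, ""))
    return [(f"IP {n}", ip) for n, ip in enumerate(ordered, start=1)]


if __name__ == "__main__":
    counts, first_seen = count_by_source(SAMPLE_LOG)
    for label, ip in label_chronologically(top_talkers(counts), first_seen):
        print(f"{label}: {ip} first seen {first_seen[ip]} hits {counts[ip]}")
```

On a real sensor the same functions run over the exported event file; the `factor` argument is the tuning knob, and the median keeps the threshold meaningful even when several scanners are active at once.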

Investigation Goals

  • Use OSINT tools to identify the devices that the IPs belong to
  • Identify possible patterns to rationalize the attacks
  • Identify possible relevant CVEs

157.85.212.10

The first of the major Indonesian IPs to scan the honeypot was 157.85.212.10 (IP 1). IP 1 is the least documented of the three across common OSINT resources, with sites like Shodan and Censys having no information. However, a few critical details can be surmised from IPInfo, AbuseIPDB, and Whois.

IPInfo shows that the router is a residential proxy. This means that the connection originates from a real home internet or mobile network, but is being actively used to route traffic for a third party. IPInfo suggests that the true origin of the attack isn't Indonesia at all, but an actor from an unknown country.

IPInfo results for 157.85.212.10 showing it flagged as a residential proxy on AS139994 (PT XL Axiata)

Whois reveals that the IP is connected to a legitimate ISP in Indonesia called XLSMART, which shows why this IP would be valuable to a threat actor — traffic from a known ISP looks much more legitimate than traffic from a suspicious VPS website.

Whois record for 157.85.212.10 tying it to XLSMART / PT XL Axiata Tbk

AbuseIPDB lists four community reports for this IP, with one explicitly mentioning repeated unauthorized connection attempts, host sweeping, and port 445 scanning, independently corroborating the observed activity in T-Pot.

AbuseIPDB reports for 157.85.212.10, including one citing host sweeping and port 445 scanning

157.10.107.99

The second Indonesian IP to attack the honeypot was 157.10.107.99 (IP 2), and it attacked about half a day after IP 1. In addition to a residential proxy, IP 2 also uses a VPN according to IPInfo. Although IP 1 and IP 2 use different residential proxies (711Proxy vs Proxy.cc), both had an 86% usage rate in the last 7 days. Though it could be two unrelated attacks running similarly heavy campaigns, it's possible that the same threat actor is diversifying their proxies to cover their tracks.

IPInfo results for 157.10.107.99 showing both VPN and residential proxy (Proxy.cc) detections on AS58495

AbuseIPDB shows that IP 2's ISP is PT Green Mobile Technology, another legitimate Indonesian ISP, though it is much smaller than XLSMART. It has been reported once, but only for a port 23 scan.

AbuseIPDB record for 157.10.107.99 listing PT Green Mobile Technology as the ISP

Unlike IP 1, IP 2 has a detailed page in Shodan:

Shodan open-ports page for 157.10.107.99 showing ports 21, 53, 161, 1723 and 8728 on a MikroTik router

According to the SNMP description (boxed in red), this is a MikroTik RB5009UG+S+ running RouterOS. This is a heavy-duty router with substantial processing power that is meant to be rack-mounted, so it is unlikely to be a home router. The hostname "Dist-Jujungnet-Sumedang" (boxed in green) supports this: "dist" is likely short for distribution, and Jujungnet is a local ISP. This naming convention suggests distribution equipment for a smaller local ISP, not someone's home router. IP 2 also exposes several services that expand its attack surface: FTP (21) transmits credentials in plaintext; DNS (53) has recursion enabled, making it usable for amplification attacks; SNMP (161) leaks device information publicly; PPTP (1723) runs a cryptographically broken VPN protocol; and the MikroTik API (8728) provides programmatic router access that should never be internet-facing. Overall, this router has severe exposures for what is supposed to be a downstream ISP's distribution device.
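The reasoning above, reading the SNMP sysDescr and sysName to identify the device and its role, then judging each exposed port, is mechanical enough to script. The block below is an added example and is not code from the investigation, Shodan or MikroTik: it takes a host record built from the values reported for 157.10.107.99 (the dict layout with "ports" and an "snmp" sub-dict holding "sysDescr"/"sysName" is an assumption, not Shodan's real JSON schema), extracts vendor, model and hostname role, and returns findings with a mitigation for each exposed service, most severe first. The service table generalizes slightly past the five ports on this host, adding Telnet and SMB, which the page mentions elsewhere.

```python
"""Read a Shodan-style host record for a router and list exposed-service risks.

Added example, not code from the original investigation or from Shodan or
MikroTik. The record below is constructed from values the investigation
reports for 157.10.107.99; the dict layout (keys "ports" and "snmp" with
"sysDescr"/"sysName") is an assumption, not Shodan's actual JSON schema.
"""
import re

# Constructed host record based on the figures in the investigation.
HOST = {
    "ip": "157.10.107.99",
    "ports": [21, 53, 161, 1723, 8728],
    "snmp": {"sysDescr": "RouterOS RB5009UG+S+", "sysName": "Dist-Jujungnet-Sumedang"},
}

# Services that should not face the internet on a router: (severity 1-3, name,
# why it matters, usual mitigation). Reasons follow the investigation's text.
RISKY_SERVICES = {
    21:   (2, "FTP", "credentials cross the network in plaintext", "disable FTP; use SFTP over a management VLAN"),
    23:   (3, "Telnet", "plaintext remote shell", "disable Telnet; use SSH with key authentication"),
    53:   (2, "DNS", "open recursion enables reflection/amplification", "restrict recursion to internal networks"),
    161:  (2, "SNMP", "leaks model, hostname and config details", "firewall SNMP from WAN; use SNMPv3, non-default community"),
    445:  (3, "SMB", "file-sharing protocol with a long exploit history", "never expose SMB to the internet"),
    1723: (3, "PPTP", "cryptographically broken VPN protocol", "migrate to WireGuard or IPsec/IKEv2"),
    8728: (3, "MikroTik API", "programmatic router control", "bind the API to management addresses only"),
}

# Hostname prefixes that suggest provider infrastructure rather than a home CPE.
# Assumption extending the "Dist-" = distribution reading in the investigation.
ROLE_PREFIXES = {"dist": "distribution", "core": "core", "edge": "edge", "agg": "aggregation"}


def identify_device(snmp):
    """Pull vendor/model/hostname/role out of SNMP sysDescr and sysName."""
    descr = snmp.get("sysDescr", "")
    name = snmp.get("sysName", "")
    match = re.search(r"RouterOS\s+(\S+)", descr)      # MikroTik sysDescr reads "RouterOS <model>"
    vendor = "MikroTik" if match else None
    model = match.group(1) if match else None
    prefix = re.split(r"[-_.]", name.lower(), maxsplit=1)[0]
    return {"vendor": vendor, "model": model, "hostname": name,
            "role": ROLE_PREFIXES.get(prefix, "unknown")}


def assess_exposure(ports):
    """Findings for exposed ports, most severe first; unknown ports get a review note."""
    findings = []
    for port in sorted(set(ports)):
        if port in RISKY_SERVICES:
            sev, service, issue, fix = RISKY_SERVICES[port]
            findings.append({"port": port, "service": service, "severity": sev,
                             "issue": issue, "mitigation": fix})
        else:
            findings.append({"port": port, "service": "unknown", "severity": 1,
                             "issue": "unrecognised internet-facing service",
                             "mitigation": "confirm it is intended and needed"})
    return sorted(findings, key=lambda f: (-f["severity"], f["port"]))


def report(host):
    """Combine device identification and exposure assessment into one summary."""
    device = identify_device(host.get("snmp", {}))
    findings = assess_exposure(host.get("ports", []))
    return {"ip": host["ip"], "device": device, "findings": findings,
            "max_severity": max((f["severity"] for f in findings), default=0)}


if __name__ == "__main__":
    r = report(HOST)
    d = r["device"]
    print(f'{r["ip"]}: {d["vendor"]} {d["model"]} ({d["role"]} router "{d["hostname"]}")')
    for f in r["findings"]:
        print(f'  [{f["severity"]}] {f["port"]}/{f["service"]}: {f["issue"]} -> {f["mitigation"]}')
```

The same `report` call works for IP 3's record once its SNMP fields and port list are filled in; a hostname such as "PPKS.MARIHAT" yields an "unknown" role, which is the right answer for a research institute rather than a provider's distribution node.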

157.15.117.26

The third Indonesian IP to attack the honeypot was 157.15.117.26. This attack came about 12 days after the first two, and was much more reported on AbuseIPDB than the other two, suggesting a longer history of operation. Many of the other reports also cite brute force attacks and scans on port 445, further corroborating the findings.

AbuseIPDB record for 157.15.117.26 showing 53 reports and 40% abuse confidence on PT Trias Infra Sarana

Like IP 2, IP 3 has both a VPN and a residential proxy under Proxy.cc according to IPInfo, suggesting a pattern in the anonymization across at least the last two IPs, with IP 2 and IP 3 sharing the same Proxy.cc infrastructure.

IPInfo results for 157.15.117.26 showing VPN and Proxy.cc residential proxy detections

IP 3's Shodan page shows that it uses a MikroTik RB3011UiAS (boxed in red) — different from IP 2's and less powerful, but still a rack-mountable device, not a home router. The name boxed in blue reads "PPKS.MARIHAT," which stands for "Pusat Penelitian Kelapa Sawit — Unit Marihat", and is an official branch of the Indonesian Oil Palm Research Institute. Unlike IP 2, IP 3 belongs to a research institution.

Shodan open-ports page for 157.15.117.26 showing a MikroTik RB3011UiAS with hostname PPKS.MARIHAT

Observations and Conclusions

When looking back at all three attacks, it would be more expected for the first two attacks to have been done by the same perpetrator due to the small time gap between the two; however, IP 2 and IP 3 actually share more similarities than IP 1 and IP 2 despite the 12-day gap, suggesting the latter two are more likely connected. It is possible that all three attacks originated from the same entity, with IPs 1 and 2 being used as scanners, while IP 3 was being used for attacks — this would be supported by Shodan, which shows significantly more community reports against IP 3 than the other two, suggesting a more established and active history of malicious use.
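The conclusion that IP 2 and IP 3 are more closely linked than IP 1 and IP 2 rests on counting shared indicators (proxy service, VPN use, device vendor, open ports) across the enrichment data. The script below is an added example, not code from the investigation: it encodes the three IPs' attributes as the page reports them (None where the page gives no value; IP 3's port set holds only the two ports the page names for it) and ranks every pair by how many indicators they have in common, counting booleans only when both are true, since two hosts not using a VPN are not linked by that.

```python
"""Score how many anonymization and device indicators a set of source IPs share.

Added example, not code from the original investigation. The three records are
built from the attributes the investigation reports (ASN, proxy service, VPN
flag, router vendor, open ports, AbuseIPDB report count); None marks data the
page does not give, and IP 3's port set holds only the two ports the page names.
"""
from itertools import combinations

# Constructed from the investigation's findings; None = not given on the page.
RECORDS = [
    {"label": "IP 1", "ip": "157.85.212.10", "asn": "AS139994", "residential_proxy": True,
     "proxy_service": "711Proxy", "vpn": False, "device_vendor": None,
     "ports": set(), "reports": 4},
    {"label": "IP 2", "ip": "157.10.107.99", "asn": "AS58495", "residential_proxy": True,
     "proxy_service": "Proxy.cc", "vpn": True, "device_vendor": "MikroTik",
     "ports": {21, 53, 161, 1723, 8728}, "reports": 1},
    {"label": "IP 3", "ip": "157.15.117.26", "asn": None, "residential_proxy": True,
     "proxy_service": "Proxy.cc", "vpn": True, "device_vendor": "MikroTik",
     "ports": {161, 1723}, "reports": 53},
]


def shared_indicators(a, b):
    """List the indicators two records have in common.

    Booleans count only when both are True; strings count only when both are
    present and equal (None never matches None); ports count by intersection.
    """
    shared = []
    for key in ("residential_proxy", "vpn"):
        if a.get(key) and b.get(key):
            shared.append(key)
    for key in ("proxy_service", "device_vendor", "asn"):
        if a.get(key) and a.get(key) == b.get(key):
            shared.append(key)
    for port in sorted(a.get("ports", set()) & b.get("ports", set())):
        shared.append(f"port:{port}")
    return shared


def rank_pairs(records):
    """All pairs ordered by number of shared indicators, strongest link first.

    sort() is stable, so pairs with equal scores keep their input order."""
    ranked = [((a["label"], b["label"]), shared_indicators(a, b))
              for a, b in combinations(records, 2)]
    ranked.sort(key=lambda item: len(item[1]), reverse=True)
    return ranked


def strongest_link(records):
    """The pair with the most shared indicators, or None when nothing overlaps."""
    ranked = rank_pairs(records)
    if not ranked or not ranked[0][1]:
        return None
    return ranked[0][0]


if __name__ == "__main__":
    for pair, shared in rank_pairs(RECORDS):
        print(f"{pair[0]} <-> {pair[1]}: {len(shared)} shared -> {', '.join(shared) or 'none'}")
```

Every indicator here is circumstantial on its own (Proxy.cc serves many customers, and MikroTik is the dominant router vendor in the region), so the score is a prompt for closer review of a pair, not proof of common control; it is useful mainly because it makes explicit which observations the attribution rests on.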

Both IP 2 and IP 3 share open ports 161 (SNMP) and 1723 (PPTP). SNMP with default configurations leaks device information that aids further attacks, while PPTP is a deprecated protocol with broken authentication that is easily exploited and should not be internet-facing on any device. At the time of writing, no CVEs are relevant to the specific hardware and router OS found; it is more likely that the routers of interest were abused through their negligently exposed ports.
