{"id":2499,"date":"2026-04-15T01:04:22","date_gmt":"2026-04-15T01:04:22","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/"},"modified":"2026-04-15T01:04:22","modified_gmt":"2026-04-15T01:04:22","slug":"scanning-for-ai-models-tue-apr-14th","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/","title":{"rendered":"Scanning for AI Models, (Tue, Apr 14th)"},"content":{"rendered":"
\n

Starting March 10, 2026, my DShield sensor started getting probe for various AI models such as claude, openclaw, huggingface, etc. Reviewing the data already reported by other DShield sensors to ISC, the DShield database shows reporting of these probes started that day and has been active ever since.<\/p>\n

Based on what we currently have reported, it appears the only source scanning for these models is IP 81.168.83.103<\/span>. However, my sensor has been actively scanned by this source since January 29, 2026 and is still ongoing today. Beside the AI probe, it has been scanning various ports that are often associated with web content.<\/p>\n

\"\"<\/p>\n

Reviewing the scanning activity from this host, it appears this source is the only IP we see reported to DShield performing this activity.\u00a0<\/p>\n

\nES|QL Query<\/strong><\/span> [1<\/a>]<\/p>\n

Using this ES|QL query in Kibana discover, it lists all the URL the actor is looking for. I recorded 52 queries between March 10 to April 13, 2026 where April 3rd, 2026 received the most activity.<\/p>\n

FROM cowrie*\u00a0
\n| WHERE event.reference == “no match”
\n| WHERE http.request.body.content IS NOT NULL
\n| KEEP @timestamp, http.request.body.content
\n| WHERE http.request.body.content LIKE “*openclaw*” OR http.request.body.content LIKE “*claude*” OR \u00a0http.request.body.content LIKE “*huggingface*” OR \u00a0http.request.body.content LIKE “*openai*” \u00a0OR \u00a0http.request.body.content LIKE “*clawdbot*”<\/span>
\n| SORT @timestamp DESC
\n| STATS Total=COUNT(http.request.body.content) BY AI_Scan_Activity=BUCKET(@timestamp, 50, ?_tstart, ?_tend)<\/span><\/p>\n

\"\"<\/p>\n

This graph shows the start of activity searching for clawbot\/moltbot<\/span> first reported March 10, 2026 ever since then.<\/p>\n

\"\"Indicators<\/strong><\/span><\/p>\n

81.168.83.103 (AS 20860)
\n\/.openclaw\/workspace\/db.sqlite
\n\/.openclaw\/workspace\/chroma.db
\n\/.openclaw\/secrets.json
\n\/.clawdbot\/moltbot.json
\n\/.claude\/settings.json
\n\/.claude\/.credentials.json
\n\/.cache\/huggingface\/token
\n\/openai\/env.json
\n\/openai\/credentials.json<\/p>\n

[1] https:\/\/www.elastic.co\/guide\/en\/elasticsearch\/reference\/8.19\/esql-functions-operators.html
\n[2<\/a>] https:\/\/isc.sans.edu\/weblogs\/urlhistory.html?url=Ly5jYWNoZS9odWdnaW5nZmFjZS90b2tlbg== (\/.cache\/huggingface\/token)
\n[3<\/a>] https:\/\/isc.sans.edu\/weblogs\/urlhistory.html?url=Ly5jbGF3ZGJvdC9tb2x0Ym90Lmpzb24= (\/.clawdbot\/moltbot.json)
\n[4<\/a>] https:\/\/isc.sans.edu\/weblogs\/urlhistory.html?url=Ly5vcGVuY2xhdy9zZWNyZXRzLmpzb24= (\/.openclaw\/secrets.json)
\n[5<\/a>] https:\/\/www.ox.security\/blog\/one-step-away-from-a-massive-data-breach-what-we-found-inside-moltbot\/
\n[6<\/a>] https:\/\/www.virustotal.com\/gui\/ip-address\/81.168.83.103
\n[7<\/a>] https:\/\/www.shodan.io\/host\/81.168.83.103 (Linux system)<\/p>\n

———–
\nGuy Bruneau IPSS Inc.<\/a>
\nMy GitHub Page<\/a>
\nTwitter: GuyBruneau<\/a>
\ngbruneau at isc dot sans dot edu<\/p>\n

(c) SANS Internet Storm Center. https:\/\/isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"

Starting March 10, 2026, my DShield sensor started getting probe for various AI models such as claude, openclaw, huggingface, etc. Reviewing the data already reported by other DShield sensors to ISC, the DShield database shows reporting of these probes started that day and has been active ever since. Based on what we currently have reported, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"site-container-style":"default","site-container-layout":"default","site-sidebar-layout":"default","disable-article-header":"default","disable-site-header":"default","disable-site-footer":"default","disable-content-area-spacing":"default","footnotes":""},"categories":[90],"tags":[91],"class_list":["post-2499","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"yoast_head":"\nScanning for AI Models, (Tue, Apr 14th) - Imperative Business Ventures Limited<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Scanning for AI Models, (Tue, Apr 14th) - Imperative Business Ventures Limited\" \/>\n<meta property=\"og:description\" content=\"Starting March 10, 2026, my DShield sensor started getting probe for various AI models such as claude, openclaw, huggingface, etc. Reviewing the data already reported by other DShield sensors to ISC, the DShield database shows reporting of these probes started that day and has been active ever since. Based on what we currently have reported, […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/\" \/>\n<meta property=\"og:site_name\" content=\"Imperative Business Ventures Limited\" \/>\n<meta property=\"article:published_time\" content=\"2026-04-15T01:04:22+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png\" \/>\n<meta name=\"author\" content=\"admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/\"},\"author\":{\"name\":\"admin\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"headline\":\"Scanning for AI Models, (Tue, Apr 14th)\",\"datePublished\":\"2026-04-15T01:04:22+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/\"},\"wordCount\":396,\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png\",\"keywords\":[\"Cybersecurity\"],\"articleSection\":[\"Cybersecurity\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/\",\"url\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/\",\"name\":\"Scanning for AI Models, (Tue, Apr 14th) - Imperative Business Ventures Limited\",\"isPartOf\":{\"@id\":\"https:\/\/blog.ibvl.in\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png\",\"datePublished\":\"2026-04-15T01:04:22+00:00\",\"author\":{\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\"},\"breadcrumb\":{\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#primaryimage\",\"url\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png\",\"contentUrl\":\"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/blog.ibvl.in\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Scanning for AI Models, (Tue, Apr 14th)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/blog.ibvl.in\/#website\",\"url\":\"https:\/\/blog.ibvl.in\/\",\"name\":\"Imperative Business Ventures Limited\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/blog.ibvl.in\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02\",\"name\":\"admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g\",\"caption\":\"admin\"},\"sameAs\":[\"https:\/\/blog.ibvl.in\"],\"url\":\"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Scanning for AI Models, (Tue, Apr 14th) - Imperative Business Ventures Limited","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/","og_locale":"en_US","og_type":"article","og_title":"Scanning for AI Models, (Tue, Apr 14th) - Imperative Business Ventures Limited","og_description":"Starting March 10, 2026, my DShield sensor started getting probe for various AI models such as claude, openclaw, huggingface, etc. Reviewing the data already reported by other DShield sensors to ISC, the DShield database shows reporting of these probes started that day and has been active ever since. Based on what we currently have reported, […]","og_url":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/","og_site_name":"Imperative Business Ventures Limited","article_published_time":"2026-04-15T01:04:22+00:00","og_image":[{"url":"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png","type":"","width":"","height":""}],"author":"admin","twitter_card":"summary_large_image","twitter_misc":{"Written by":"admin","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#article","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/"},"author":{"name":"admin","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"headline":"Scanning for AI Models, (Tue, Apr 14th)","datePublished":"2026-04-15T01:04:22+00:00","mainEntityOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/"},"wordCount":396,"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png","keywords":["Cybersecurity"],"articleSection":["Cybersecurity"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/","url":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/","name":"Scanning for AI Models, (Tue, Apr 14th) - Imperative Business Ventures Limited","isPartOf":{"@id":"https:\/\/blog.ibvl.in\/#website"},"primaryImageOfPage":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#primaryimage"},"image":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#primaryimage"},"thumbnailUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png","datePublished":"2026-04-15T01:04:22+00:00","author":{"@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02"},"breadcrumb":{"@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#primaryimage","url":"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png","contentUrl":"https:\/\/isc.sans.edu\/diaryimages\/images\/81_168_83_103_pic1.png"},{"@type":"BreadcrumbList","@id":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/15\/scanning-for-ai-models-tue-apr-14th\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/blog.ibvl.in\/"},{"@type":"ListItem","position":2,"name":"Scanning for AI Models, (Tue, Apr 14th)"}]},{"@type":"WebSite","@id":"https:\/\/blog.ibvl.in\/#website","url":"https:\/\/blog.ibvl.in\/","name":"Imperative Business Ventures Limited","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/blog.ibvl.in\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/55b87b72a56b1bbe9295fe5ef7a20b02","name":"admin","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/blog.ibvl.in\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4d20b2cd313e4417a599678e950e6fb7d4dfa178a72f2b769335a08aaa615aa9?s=96&d=mm&r=g","caption":"admin"},"sameAs":["https:\/\/blog.ibvl.in"],"url":"https:\/\/blog.ibvl.in\/index.php\/author\/admin_hcbs9yw6\/"}]}},"_links":{"self":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/comments?post=2499"}],"version-history":[{"count":0,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/posts\/2499\/revisions"}],"wp:attachment":[{"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/media?parent=2499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/categories?post=2499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ibvl.in\/index.php\/wp-json\/wp\/v2\/tags?post=2499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}