Critical Alert
IP 103.181.143.104 is a critical-risk address originating from Indonesian hosting infrastructure that has been directly linked to active SSH intrusion attempts, accumulating 220 separate abuse reports from automated honeypot sensors in a concentrated November 2025 timeframe. With a threat-level score of 10 out of 10 and a 72% confidence rating, this IP represents a sophisticated and persistent attack asset operating from network operator PT Cloud Hosting Indonesia via ASN AS136052, making it a clear candidate for immediate blocking at the network perimeter.
The abuse record shows 220 total reports attributed to this single address, with the 20 most recent reports specifically categorizing the activity as Hacking, all sourced from automated honeypot detection systems rather than organic community reports. The first and last reported dates both fall in November 2025, indicating that this was not an isolated incident but a sustained campaign detected over the course of a single month. The high report volume against a static IP confirms this is not opportunistic scanning but a deliberate, repeatedly used offensive infrastructure node actively probing external SSH services.
The attack pattern associated with IP 103.181.143.104 involves SSH activity including command-input manipulation, which is consistent with credential-guessing campaigns and brute-force intrusion attempts against exposed SSH daemons. SSH brute-force attacks exploit weak or default authentication credentials to gain unauthorized shell access, after which threat actors typically deploy backdoors, cryptocurrency miners or further lateral-movement tooling. An IP with 220 separate detection events represents a determined adversary that will continue attempting authentication across all exposed targets in range, making passive monitoring an insufficient response.
Network defenders should implement immediate blocking of 103.181.143.104 at the firewall or edge-equipment level and ensure the block is distributed across any inline intrusion-prevention systems. SSH services should be hardened by enforcing key-based authentication exclusively, disabling root-login permissions and deploying rate-limiting mechanisms such as fail2ban or equivalent tooling to automatically blackhole brute-force source IPs after a threshold of failed attempts. Port 22 should never be exposed to untrusted networks without such controls in place, and operators with exposed SSH services should audit all authentication logs for matching source IPs and revoke any compromised credentials as a precaution.
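The log audit and threshold-based blocking described above, as an added example that is not part of the original alert: it parses constructed OpenSSH auth-log lines (standard "Failed password" / "Invalid user" / "Accepted" wording), counts failed logins per source, flags sources at or above a fail2ban-style threshold, checks whether any flagged source ever authenticated successfully (credentials to revoke), and renders a perimeter drop rule. The threshold value and the nftables table and chain names (`inet filter` / `input`) are assumptions.

```python
import re
from collections import Counter

# Constructed sample auth-log lines (not real captured data). The first five
# show the pattern the alert describes: repeated failed SSH logins from one source.
SAMPLE_AUTH_LOG = """\
Nov 12 03:14:01 bastion sshd[2231]: Failed password for root from 103.181.143.104 port 51122 ssh2
Nov 12 03:14:03 bastion sshd[2231]: Failed password for root from 103.181.143.104 port 51122 ssh2
Nov 12 03:14:05 bastion sshd[2235]: Failed password for invalid user admin from 103.181.143.104 port 51130 ssh2
Nov 12 03:14:07 bastion sshd[2238]: Failed password for invalid user oracle from 103.181.143.104 port 51140 ssh2
Nov 12 03:14:09 bastion sshd[2240]: Invalid user test from 103.181.143.104 port 51150
Nov 12 03:15:11 bastion sshd[2250]: Accepted publickey for deploy from 10.0.0.5 port 40010 ssh2: ED25519 SHA256:placeholder
Nov 12 03:16:20 bastion sshd[2260]: Failed password for alice from 192.0.2.44 port 50001 ssh2
"""

# Failed-auth events: password failures (valid or invalid user) and invalid-user probes.
FAILED_RE = re.compile(r"sshd\[\d+\]: (?:Failed password for|Invalid user) .*?from (\d+\.\d+\.\d+\.\d+)")
# Successful logins, capturing the account and the source address.
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for (\S+) from (\d+\.\d+\.\d+\.\d+)")


def count_failures(log_text):
    """Count failed SSH authentication events per source IP."""
    matches = (FAILED_RE.search(line) for line in log_text.splitlines())
    return Counter(m.group(1) for m in matches if m)


def sources_to_block(log_text, threshold=5):
    """Source IPs at or above the failure threshold (assumed value, fail2ban-style rule)."""
    return sorted(ip for ip, n in count_failures(log_text).items() if n >= threshold)


def successes_from(log_text, suspect_ips):
    """Accepted logins from suspect sources; any hit means those credentials must be revoked."""
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if m and m.group(2) in suspect_ips:
            hits.append((m.group(1), m.group(2)))
    return hits


def nft_block_rule(ip):
    """Render a perimeter drop rule; table 'inet filter' and chain 'input' are assumed to exist."""
    return f"nft add rule inet filter input ip saddr {ip} drop"


if __name__ == "__main__":
    blocked = sources_to_block(SAMPLE_AUTH_LOG)
    print("block:", blocked, "| successful logins from them:", successes_from(SAMPLE_AUTH_LOG, set(blocked)))
    for ip in blocked:
        print(nft_block_rule(ip))
```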