Extreme Threat
IP 103.226.138.52 is a maximum-threat-level address operated by PT Cloud Hosting Indonesia that has generated 704 independent abuse reports from automated honeypot sensors over approximately seven months, with the dominant threat profile consisting of sustained SSH brute-force intrusion attempts against exposed servers.
The IP, registered in Indonesia under ASN 136052, was first reported in October 2025 with the most recent activity logged in May 2026, indicating a persistent and methodical campaign spanning roughly seven months. All 704 reports originated from 20 separate automated honeypot sensors, confirming that this address is actively scanning and attacking SSH services across diverse network environments. Attack-pattern data reveals repeated fail2ban violations for sshd brute-force activity, with individual sensor logs documenting between 10 and 33 authentication-violation events per detection instance. The threat categories recorded include SSH intrusion attempts (18 reports), general hacking activity (3 reports), and exploited-host indicators (2 reports), suggesting that this address may itself be a compromised host being used as an attack platform rather than dedicated threat-actor infrastructure.
SSH brute-force attacks represent a high-severity threat to any internet-exposed server running the SSH daemon, as a successful credential compromise grants attackers persistent command-line access to the affected system. The consistent pattern of repeated authentication violations observed across multiple sensors indicates automated credential-guessing or dictionary attacks rather than opportunistic probing. Combined with the "Exploited Host" classification, this activity suggests that compromised infrastructure is being weaponized by threat actors to conduct further scanning, which means blocking this address alone does not resolve the underlying host compromise for the legitimate network operator.
Site operators running publicly accessible SSH services should immediately block this IP address at the network perimeter firewall level and implement key-based authentication to eliminate password-based login vectors entirely. Deploying fail2ban or equivalent intrusion-prevention tools configured to automatically block repeated authentication failures will disrupt brute-force campaigns. Changing the default SSH port from 22 to a non-standard port reduces automated scanning exposure, and disabling root login over SSH eliminates a high-value target account. Organizations should consider notifying the hosting provider, PT Cloud Hosting Indonesia, about the potential host compromise so they can investigate and remediate the compromised infrastructure contributing to this malicious activity.
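The repeated-failure blocking that fail2ban performs, shown as an added example (this is not the report's code nor fail2ban's own): a small Python detector that counts sshd "Failed password" events per source inside a sliding time window, mirroring fail2ban's maxretry/findtime settings, run over constructed log lines; the generated nft rule assumes an existing `inet filter` table with an `input` chain.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches sshd's "Failed password" line; the "invalid user " prefix is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

def parse_failures(lines, year=2026):
    """Yield (timestamp, ip, user) per failed-password line; syslog omits the year, so it is supplied."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_bruteforcers(lines, maxretry=5, findtime=600):
    """Return {ip: total failures} for sources with >= maxretry failures inside any
    findtime-second window, the same maxretry/findtime logic as fail2ban's sshd jail."""
    per_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(lines):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):           # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > findtime:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(times)
                break
    return offenders

def block_commands(ips):
    """nftables drop rules for offenders; assumes a table 'inet filter' with an 'input' chain exists."""
    return [f"nft add rule inet filter input ip saddr {ip} drop" for ip in sorted(ips)]

# Constructed sample log: the reported source cycling usernames, plus one legitimate user's typo.
SAMPLE_LOG = [
    f"May 12 03:14:{sec:02d} bastion sshd[{4100 + i}]: Failed password for invalid user {user} "
    f"from 103.226.138.52 port {51000 + i} ssh2"
    for i, (sec, user) in enumerate([(1, "admin"), (3, "admin"), (5, "root"), (8, "test"), (9, "oracle"), (12, "ubuntu")])
] + [
    "May 12 03:15:02 bastion sshd[4200]: Failed password for alice from 198.51.100.7 port 40222 ssh2",
    "May 12 03:15:09 bastion sshd[4200]: Accepted publickey for alice from 198.51.100.7 port 40222 ssh2",
]
```

Running `find_bruteforcers(SAMPLE_LOG)` flags only the source that crosses the threshold; the single failure from the legitimate user is ignored, which is the behaviour that keeps a fail2ban-style jail from locking out staff who mistype once.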