Severe Risk
IP 123.25.97.130, registered to VNPT Corp in Vietnam under ASN AS45899, is a critical-risk address with a threat level of 10 out of 10 and a 93% confidence score, linked to sustained SSH brute-force intrusion activity against exposed servers worldwide. This IP has accumulated 322 total abuse reports across multiple automated honeypot sensors over a five-month window from January to May 2026, with an activity frequency rated 8 out of 10, indicating persistent and repeated assault campaigns rather than opportunistic probing.
The detection data reveals a concentrated threat profile dominated by SSH attacks, accounting for 16 of the most recent reports, supplemented by 17 hacking-intrusion reports and 2 reports classifying this address as an exploited host being used as an attack platform. Suricata alerts specifically documented SSH sessions in progress on expected SSH ports alongside active brute-force authentication attempts, confirming that the operator behind 123.25.97.130 is systematically targeting remote-access services to obtain unauthorized server credentials. The volume of reports, the consistency of the attack pattern, and the dual classification as both attacker and exploited host suggest this infrastructure poses a multifaceted threat to any internet-facing service it encounters.
SSH brute-force attacks represent a direct pathway to server compromise, allowing threat actors to gain shell access, deploy persistent backdoors, exfiltrate sensitive data, or leverage the compromised host for further lateral movement within networks. The classification of this IP as an exploited host further indicates that the attacking infrastructure may itself be partially compromised and being weaponized by multiple actors, amplifying the risk to targeted organizations. The sustained activity frequency of 8 out of 10 demonstrates that these attempts are methodical and ongoing rather than isolated, meaning any exposed SSH service will repeatedly attract attention from this source.
Organizations with SSH services exposed to the internet should block 123.25.97.130 at the network perimeter immediately and consider alerting VNPT Corp to the abusive activity originating from its AS45899 allocation. Implement key-based authentication exclusively, disable root login, and change the default SSH port to reduce automated targeting. Deploy fail2ban or an equivalent dynamic blocking tool to automatically ban IPs that exhibit brute-force behavior. Regularly monitoring authentication logs for attempts originating from this address range and enforcing strong, non-dictionary passwords will further harden defenses against credential-guessing campaigns of this nature.