Elevated Risk
IP 161.49.212.117 is a high-risk address linked to sustained port-scanning reconnaissance and hacking activity, originating from Converge ICT Solutions Inc. in the Philippines. With a threat level of 8 out of 10 and 241 accumulated reports, this address presents a significant and credible danger to exposed network services. The elevated confidence score of 93 percent indicates that automated honeypot sensors have consistently identified this source across multiple detection events within the reporting window.
Analysis of the available data reveals 241 total incident reports attributed to IP 161.49.212.117, with an activity frequency rated at 8 out of 10. Detection came exclusively from automated honeypot sensors, which logged an equal distribution of 20 recent reports for port-scanning activity and 20 for hacking-related probes. The address was first reported in April 2026 and remained active through May 2026, suggesting persistent rather than transient malicious intent. Geographically, the traffic originates from the Philippines within AS17639, operated by Converge ICT Solutions Inc. The detected attack patterns include CiscoASA port-scanning techniques and Suricata stream anomaly alerts indicating broken acknowledgment packets in network traffic.
Port scanning represents a critical reconnaissance phase where threat actors systematically probe target systems to identify open ports and potentially vulnerable services before launching exploitation attempts. When combined with general hacking activity as observed here, this pattern suggests an adversary actively mapping network infrastructure to prepare for unauthorized access or vulnerability exploitation. The CiscoASA-specific scanning signature implies targeting of firewall and security appliance configurations, while the broken acknowledgment packets may indicate stream manipulation attempts designed to disrupt stateful inspection or evade detection by security appliances.
Network operators should immediately consider blocking IP 161.49.212.117 at the firewall level given its elevated threat profile and sustained malicious activity. Deploying automated defensive tools such as fail2ban can detect and respond to repeated scanning patterns in real time. Exposed services should be minimized to reduce the attack surface, and administrators should verify that CiscoASA and related security appliances are running current firmware with appropriate detection signatures enabled. Continuous monitoring of honeypot and community abuse reports will help identify whether this address adopts new tactics or whether related infrastructure emerges.