Severe Risk
IP 36.156.22.4 is a critical-risk address originating from China on the China Mobile Communications Corporation network (AS56046), assessed at a threat level of 10/10 based on 157 total abuse reports. Automated honeypot sensors flagged repeated intrusion and unauthorized access attempts over an approximately six-month reporting window from August 2025 through February 2026.
Analysis of the submitted data reveals that all 20 categorized reports during this period were classified under general hacking activity, encompassing intrusion attempts, exploitation attempts targeting exposed services, and unauthorized access probes. Despite the high volume of reports, the activity frequency metric of 0/10 suggests that the observed malicious behavior was concentrated in specific incident bursts rather than forming a continuous, sustained campaign. The 61% confidence score indicates that, while hostile intent is well supported by sensor data, some attributional uncertainty remains regarding the ultimate source or actor behind these attempts. The geographic and network context, a major Chinese mobile carrier, places this address within one of the world's largest telecommunications networks, where residential and mobile subscriber address space may be used as a stepping stone or for distributed scanning operations.
The dominant threat category, hacking activity, represents the most concrete risk to exposed services. Intrusion attempts targeting open ports, weak authentication mechanisms, or known software vulnerabilities can result in unauthorized system access, data exfiltration, or lateral movement within a network. Even a single successful breach can compromise sensitive information or provide a foothold for further exploitation. The pattern described as "attack connection" further indicates active TCP/IP-level probing consistent with initial reconnaissance or vulnerability scanning phases of an attack chain.
Site operators encountering this IP in logs should treat it as hostile and apply immediate defensive controls. Implementing automatic blocking or rate-limiting via network security tools such as fail2ban, or firewall rules triggered by abuse report thresholds, provides an effective first layer of defense. Exposed services, particularly SSH, RDP, FTP, and web interfaces, should enforce strong, unique credentials and multi-factor authentication where feasible. Regularly auditing open ports and applying security patches eliminates the entry points these automated scanners target. Continuous log monitoring for repeated connection attempts from this address will help identify any evolving tactics and support timely threat hunting.