Extreme Threat
IP 65.49.1.222 is a critical-risk address with a threat level of 10/10 that has generated 423 abuse reports across automated honeypot sensors since August 2025, indicating sustained malicious activity originating from a US-based network operator. The IP's dominant threat profile centres on general hacking intrusions, with evidence of connection attempts targeting exposed services and anomalous encrypted traffic patterns consistent with exploitation activity.
The volume and consistency of reporting paint a concerning picture: 20 separate honeypot sensors detected this address over approximately ten months, with an activity frequency rating of 8/10. The dual classification as both a Hacking source (19 reports) and an Exploited Host (1 report) suggests the address may be operating as part of a broader attack infrastructure, with honeypot detections specifically noting Redis service targeting, generic attack connections, and Suricata alerts flagging malformed TLS records. The 85% confidence score reflects strong consensus across detection sources that this activity is intentional and malicious rather than misconfiguration or benign scanning. Operating within Hurricane Electric's AS6939 backbone, this IP traverses a major US internet exchange point, giving it favourable routing toward potential targets worldwide.
The Hacking classification for this address indicates active exploitation attempts against vulnerable services, while the presence of Redis-specific attack patterns suggests the operator is systematically probing for misconfigured in-memory data stores that may expose sensitive information or enable command execution. The malformed TLS traffic detected could indicate reconnaissance attempts to identify weaknesses in encrypted communication handshakes or testing of client-side vulnerabilities. When combined with the Exploited Host flag, these patterns suggest the address may serve as a source for distributed scanning operations or as part of a compromised infrastructure being rented for hostile activity.
Site operators should block IP 65.49.1.222 at the firewall or network edge to stop further connection attempts from this source; blocking a single address does not remove the underlying exposure, so the service-hardening steps that follow matter at least as much. Implementing fail2ban or an equivalent dynamic blocking tool can automate this process for repeat offenders. Ensuring Redis and other database services are not exposed to untrusted networks, enforcing strong authentication, and applying network segmentation significantly reduce the attack surface these probes target. Continuous monitoring of authentication logs for brute-force patterns and keeping all exposed services patched against known vulnerabilities will further harden defences against similar reconnaissance and exploitation activity.