Maximum Danger
IP 91.196.152.88 is a high-risk address associated with sustained hacking activity and web application probing: a threat level of 10 out of 10 and 1,948 abuse reports from automated honeypot sensors. The address is French, announced by ONYPHE SAS under AS213412. ONYPHE operates an internet-wide scanning search engine, so part of this traffic is consistent with mass reconnaissance rather than attacks aimed at any one target; that does not lower the report count, but it should inform how the numbers are read. Its activity frequency is rated 6 out of 10, indicating persistent rather than sporadic engagement, and it is among the more actively reported sources of intrusion attempts in recent network telemetry.
Reports from 20 independent honeypot sensors document a consistent pattern of hostile behavior spanning August 2025 through May 2026. Of the 20 sensor classifications, 19 fall under general hacking activity and 1 under web application attacks. The aggregate volume of nearly two thousand reports far exceeds the background noise seen on typical internet-facing infrastructure, and the confidence score of 69% indicates a substantial probability that this traffic is deliberate hostile activity rather than misconfiguration or benign scanning, while leaving meaningful room for the mass-scanning reading above. Corroboration across multiple independent sensors shows that this is not an isolated observation but a sustained source observed across diverse network environments.
The dominant hacking classification is a broad category covering vulnerability exploitation attempts, unauthorized access probes, and attacks on misconfigured services. The web application attack component indicates active scanning of HTTP-based services; the typical targets of such scanning are injection flaws, authentication bypass, and insecure direct object references, although the reports do not identify which flaws were probed here. The attack-pattern label "web app/probe" confirms reconnaissance against exposed applications, which often precedes exploitation. The reports do not itemise the services contacted, so operators of any internet-facing web service, SSH daemon, or API endpoint should treat this IP as a potential source of credential stuffing, brute-force attempts, and exploitation of unpatched software.
Site operators should block 91.196.152.88 at the perimeter firewall or intrusion prevention system. A single-address block is cheap but short-lived against a scanning operator that has many addresses, so it should be paired with controls that do not depend on knowing the source in advance. fail2ban or equivalent dynamic firewall rules on exposed SSH and web service ports will automatically ban a source after repeated failed authentication attempts; note that the ban threshold (fail2ban's maxretry) and the window in which failures are counted (findtime) decide whether low-and-slow attempts are caught at all. Enforcing key-based authentication for administrative access, deploying a web application firewall with current rule sets, and keeping all internet-facing software patched reduce the attack surface this IP targets. Continuous monitoring of authentication logs for source IPs with elevated failure rates or unexpected geography will surface similar hostile traffic from other addresses.
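The log-monitoring and banning logic described above, written out as an added example for this report (it is not tooling from the report's source). It parses sshd "Failed password" lines, applies a fail2ban-style sliding-window trigger, and emits nftables commands for the perimeter block. It goes slightly beyond the text by running the same log through a short and a day-long window to show the low-and-slow case that a default window misses. The log excerpt is constructed (documentation ranges 203.0.113.0/24 and 198.51.100.0/24 plus the reported IP), the syslog year of 2026 is assumed, and the nftables table and set names (`inet filter`, `blocklist`) are assumptions.

```python
"""Detect brute-force sources in sshd auth logs and emit perimeter block rules.

Added example for this report, not tooling from the report's source. The log
lines below are constructed (documentation ranges plus the report's IP), the
syslog year is assumed, and the nftables table/set names are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_YEAR = 2026  # syslog lines carry no year; assumed to match the report window

# Constructed sample /var/log/auth.log excerpt: one fast burst from the reported
# IP, one normal user typo, and one low-and-slow source (one failure per hour).
SAMPLE_AUTH_LOG = """\
May  3 10:00:01 web1 sshd[1201]: Failed password for invalid user admin from 91.196.152.88 port 41022 ssh2
May  3 10:00:03 web1 sshd[1203]: Failed password for root from 91.196.152.88 port 41030 ssh2
May  3 10:00:05 web1 sshd[1205]: Failed password for invalid user oracle from 91.196.152.88 port 41044 ssh2
May  3 10:00:07 web1 sshd[1207]: Failed password for invalid user test from 91.196.152.88 port 41052 ssh2
May  3 10:00:09 web1 sshd[1209]: Failed password for invalid user ubuntu from 91.196.152.88 port 41060 ssh2
May  3 10:02:00 web1 sshd[1250]: Failed password for alice from 203.0.113.7 port 50001 ssh2
May  3 10:02:30 web1 sshd[1252]: Accepted publickey for alice from 203.0.113.7 port 50002 ssh2
May  3 11:30:00 web1 sshd[1300]: Failed password for root from 198.51.100.9 port 33000 ssh2
May  3 12:30:00 web1 sshd[1301]: Failed password for root from 198.51.100.9 port 33001 ssh2
May  3 13:30:00 web1 sshd[1302]: Failed password for root from 198.51.100.9 port 33002 ssh2
May  3 14:30:00 web1 sshd[1303]: Failed password for root from 198.51.100.9 port 33003 ssh2
May  3 15:30:00 web1 sshd[1304]: Failed password for root from 198.51.100.9 port 33004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text, year=LOG_YEAR):
    """Return a time-ordered list of (timestamp, source_ip, username) for every
    sshd 'Failed password' line; accepted logins and other lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            stamp = datetime.strptime(
                f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append((stamp, m["ip"], m["user"]))
    return sorted(events)


def find_brute_forcers(events, maxretry=5, findtime=600):
    """fail2ban-style trigger: an IP is banned once it accumulates maxretry
    failures inside any sliding window of findtime seconds.
    Returns {ip: timestamp of the failure that tripped the ban}."""
    recent = defaultdict(deque)   # per-IP failure timestamps still inside the window
    banned = {}
    for stamp, ip, _user in events:
        if ip in banned:
            continue
        window = recent[ip]
        window.append(stamp)
        while (stamp - window[0]).total_seconds() > findtime:
            window.popleft()  # drop failures older than findtime
        if len(window) >= maxretry:
            banned[ip] = stamp
    return banned


def nft_block_commands(ips, set_name="blocklist"):
    """Perimeter block: commands adding each IP to an nftables set. Assumes a set
    named set_name in table 'inet filter' already exists and is referenced by a
    rule such as 'ip saddr @blocklist drop' (that setup is not shown here)."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}" for ip in sorted(ips)]


if __name__ == "__main__":
    events = parse_failures(SAMPLE_AUTH_LOG)
    fast = find_brute_forcers(events)                      # fail2ban-like defaults
    slow = find_brute_forcers(events, findtime=24 * 3600)  # day-long window
    print("burst detections:", sorted(fast))               # only 91.196.152.88
    print("24h-window detections:", sorted(slow))          # adds 198.51.100.9
    for cmd in nft_block_commands(set(slow) | {"91.196.152.88"}):
        print(cmd)
```

With the default 5-failures-in-10-minutes trigger only the burst from 91.196.152.88 is banned; 198.51.100.9, which fails once an hour, is only caught when findtime is widened to a day. Widening the window raises the chance of banning a legitimate user who mistypes a password a few times over a day, which is the trade-off the fail2ban settings encode.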