Severe Risk
IP address 92.118.39.115 is a high-risk US-based address with a threat level of 10/10 that has been linked to sustained SSH brute-force attacks and confirmed exploited-host activity, amassing 161 abuse reports from automated honeypot sensors since August 2025. The combination of credential-guessing aggression, confirmed unauthorized SSH session establishment, and evidence that the host itself has been compromised makes this one of the more credible and dangerous IPs observed in recent threat feeds.
The 161 reports filed against 92.118.39.115 span primarily Hacking (20 reports), SSH (18 reports, including brute-force attempts and active session activity), and Exploited Host (2 reports). All 20 report sources are automated honeypot sensors, indicating the activity was captured by network intrusion-detection systems rather than submitted as manual community reports. The IP originates from AS47890 operated by Unmanaged Ltd in the United States, and the first report dates to August 2025 with the most recent in March 2026. The activity frequency metric of 0/10 suggests that, while report volume is significant, the IP is not currently launching attacks at peak intensity, likely because it is already under defensive blocks or has shifted tactics, though it remains a clear and persistent threat.
The dominant threat vector is SSH brute-forcing, a credential-prediction attack that systematically guesses server login credentials to gain unauthorized shell access. The Suricata alerts confirming an active SSH session on an expected port — classified as exploited-host activity — indicate that this IP has already been used successfully to compromise a target, establishing a foothold the operator can leverage for data exfiltration, lateral movement, cryptomining, or further network intrusion. The two exploited-host classifications are particularly concerning because they suggest the attacking infrastructure itself may be partially automated, allowing the operator to scale attacks across many victims simultaneously without continuous manual intervention.
Site operators exposing SSH services should treat 92.118.39.115 as an immediate blocklist candidate: deny inbound connections at the firewall or network edge, and consider adding the address to deny-lists at the load balancer or WAF layer if applicable. Enforce key-based authentication exclusively and disable password-based SSH login entirely to render brute-force attempts ineffective. Tools such as fail2ban or equivalent rate-limiting daemons can automatically ban repeated offenders. Monitor authentication logs for any residual attempts originating from this address and audit any recent successful logins from the surrounding IP range for signs of compromise. Finally, notifying the hosting provider or ASN operator (Unmanaged Ltd via AS47890) supports broader community takedown efforts and may prompt upstream filtering that disables the attack platform entirely.