Critical Threat
IP address 94.102.49.155, allocated to IP Volume inc under ASN AS202425 in the Netherlands, is a high-risk source of malicious activity with a threat level of 10/10, supported by 829 total abuse reports and a confidence score of 73 percent. The address was first reported in August 2025 and remained active through June 2026, with detection sourced from 20 automated honeypot sensors. Its dominant threat profile centres on general hacking activity, with secondary indicators pointing to exploited-host behaviour and web application attack probes.
The detection data reveals a multi-vector threat pattern consistent with automated compromise infrastructure. Honeypot telemetry captured Redis attack sequences, Suricata alerts flagging non-standard SSH sessions, and ElasticPot web application probes originating from this address. The volume of 829 reports over an approximately eleven-month window, combined with an activity frequency rating of 6/10, indicates sustained and persistent hostile engagement rather than opportunistic scanning. The mix of low-sophistication Redis exploitation attempts alongside targeted SSH session detection suggests the operator deploys commodity attack toolkits alongside more tailored reconnaissance capabilities.
The implications for exposed services are concrete. A host operating exposed Redis instances without authentication or binding restrictions faces direct risk of data exfiltration or server compromise via the observed Redis vectors. SSH services running on non-standard ports are not exempt, as the detected SSH session activity demonstrates that attackers actively probe these configurations. Web application probes targeting application-layer vulnerabilities compound the risk surface for any HTTP-facing assets. An IP with this report volume and consistent activity represents a reliable, repeat threat actor likely operating botnet-orchestrated tooling.
Site operators should treat 94.102.49.155 as a blocking candidate on sight. Enforce strong, unique credentials for all exposed services, and disable or restrict Redis access by binding it to localhost and requiring a password (set with `requirepass` and presented by clients via AUTH). Rate-limit SSH connection attempts using tools such as fail2ban or equivalent mitigations, and ensure all SSH services, regardless of port, are monitored for anomalous session behaviour. Deploy a web application firewall to neutralise probe attempts targeting application-layer vulnerabilities, and audit externally facing assets regularly for exposure. Proactive blocking of this address at the network perimeter will remove a confirmed, high-volume threat vector from the environment; because the activity is consistent with botnet-orchestrated tooling that can be run from other addresses, the service hardening above remains necessary even after the block is in place.