Critical Threat
IP 176.65.149.30 is a high-risk Netherlands-based address with a threat level of 10/10. It generated 3,816 abuse reports between September 2025 and June 2026, indicating sustained malicious activity linked primarily to hacking attempts, including unauthorized SSH session establishment on non-standard ports.
The IP operates within AS51396 under the network operator Pfcloud UG and has been flagged by automated honeypot sensors on 20 separate occasions for hacking activity, with a confidence score of 92 percent. The high activity frequency score of 8/10 combined with the volume of reports demonstrates persistent scanning and intrusion activity rather than isolated probe attempts. Suricata intrusion detection systems recorded alert signatures matching the pattern of SSH sessions initiated on unusual ports, a known technique employed by threat actors to evade standard port-based filtering and authentication controls. The geographic location in the Netherlands and the commercial hosting provider context suggest this infrastructure is likely provisioned specifically for offensive operations rather than representing a compromised end-user device.
Hacking activity encompasses a broad spectrum of unauthorized access attempts, vulnerability exploitation and intrusion operations. The observed SSH anomaly pattern indicates the operator is likely conducting credential brute-forcing or attempting to establish persistent footholds on exposed servers through non-standard service ports. The sustained reporting period spanning approximately nine months confirms this is not opportunistic scanning but rather a deliberate, automated campaign likely distributed across multiple target networks simultaneously.
Network defenders should implement fail2ban or equivalent connection-throttling mechanisms to automatically block this address after repeated authentication failures. Exposed SSH services should be restricted to known IP ranges via firewall rules, with key-based authentication enforced and password authentication disabled entirely. Continuous monitoring of Suricata and similar IDS alerts targeting unusual SSH port behavior will help identify any successful intrusion attempts. Organizations running publicly accessible services should review authentication logs for any matching source IP activity and ensure all systems remain patched against known vulnerabilities exploited in similar campaigns.