Extreme Threat
IP 181.115.147.5, registered to EMPRESA NACIONAL DE TELECOMUNICACIONES SOCIEDAD ANONIMA in Bolivia and operating on ASN AS6568, presents a maximum threat level of 10/10 and is definitively associated with persistent SSH brute-force attack campaigns. With 180 independent abuse reports across a seven-month window spanning November 2025 through May 2026, this address represents one of the most consistently reported sources of credential-compromise activity observed in recent regional threat telemetry. A confidence score of 81% grounds this assessment in substantial forensic data, while 20 separate automated honeypot sensor sources across the community have independently flagged this IP, confirming that the activity is neither isolated nor accidental.
The overwhelming majority of reports — 18 of the 24 categorized incidents — document SSH brute-force attempts, with additional activity classified as general hacking intrusion probes (4 reports) and confirmed exploited-host behaviour (2 reports). Sensor logs recorded multiple Fail2ban triggers across different observation windows, documenting 25, 30 and 10 individual SSH brute-force violations respectively, indicating sustained and repeated access attempts rather than opportunistic scanning. The detection timeline reveals continuous engagement over roughly half a year, placing the activity frequency at 4/10, which reflects persistent rather than sporadic behaviour. The presence of exploited-host indicators alongside active attack signatures suggests that the originating system may itself be compromised and operating under an external actor's control, compounding the threat profile.
SSH brute-force attacks systematically cycle through username and password combinations to guess server credentials, exploiting weak or default passwords to gain unauthorised shell access to exposed Linux and network infrastructure. Successful compromise grants an attacker a fully privileged entry point into the target environment, enabling data exfiltration, lateral movement across internal networks, cryptomining deployment or further exploitation as a relay node. The repeated Fail2ban violations logged against this IP confirm that it is operating at volume against live SSH services, and the Suricata session-progress alerts indicate that connections are being maintained long enough to suggest active authentication attempts rather than simple port scanning. For any organisation exposing SSH to the internet, this IP represents a concrete, active credential-guessing threat requiring immediate defensive action.
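Detection logic of the kind Fail2ban applies to the SSH failures described above, as an added example that is not part of this report: it parses constructed sshd log lines (RFC 5737 documentation addresses, an assumed log year of 2026) and flags any source that reaches a chosen number of failed logins within a sliding time window, the same threshold-per-window behaviour behind the violation counts cited in the report.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth-log lines using RFC 5737 documentation addresses; not real telemetry.
SAMPLE_LOG = """\
May 03 10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
May 03 10:00:03 bastion sshd[1202]: Failed password for root from 192.0.2.10 port 51023 ssh2
May 03 10:00:04 bastion sshd[1203]: Failed password for invalid user oracle from 192.0.2.10 port 51024 ssh2
May 03 10:00:09 bastion sshd[1205]: Failed password for invalid user test from 192.0.2.10 port 51025 ssh2
May 03 10:00:30 bastion sshd[1206]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May 03 10:00:35 bastion sshd[1207]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
May 03 10:12:00 bastion sshd[1208]: Failed password for invalid user admin from 192.0.2.10 port 51030 ssh2
"""

# Matches the sshd "Failed password" message shape; every other sshd message is ignored.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d+(?:\.\d+){3}) port \d+"
)
LOG_YEAR = 2026  # syslog timestamps carry no year; assumed here so they can be parsed


def parse_failures(log_text):
    """Yield (timestamp, source_ip) for each failed-password line, in file order."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def detect_bruteforce(log_text, maxretry=3, findtime=600):
    """Fail2ban-style sliding window: a source reaching `maxretry` failures within
    `findtime` seconds produces a ban event and its counter resets.
    Returns ({ip: [ban timestamps]}, {ip: total failed logins})."""
    window, bans, totals = defaultdict(deque), defaultdict(list), defaultdict(int)
    for ts, ip in parse_failures(log_text):
        totals[ip] += 1
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # expire failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            bans[ip].append(ts)
            q.clear()
    return dict(bans), dict(totals)
```

On the sample, 192.0.2.10 is banned once at 10:00:04 and its later failure at 10:12:00 falls outside the 600-second window, while the single failure from 198.51.100.7 (followed by a successful key login) never reaches the threshold.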