Maximum Danger
IP 195.178.110.15, registered to Techoff Srv Limited in Bulgaria and operating through ASN AS48090, presents a severe threat profile with a maximum threat-level rating of 10 out of 10, despite a modest 64 percent confidence score in the attribution data. This address has accumulated 485 total abuse reports from automated honeypot sensors over an eight-month window spanning August 2025 through April 2026, with the entirety of recent reporting activity concentrated in the hacking category. The volume of reports is striking when considered against the current activity frequency rating of zero out of 10, suggesting either a notable decline in recent operations or a potential gap between historical incident accumulation and present-day engagement patterns.
The detection profile for this IP reveals a focused attack methodology centered on SSH infrastructure. Honeypot sensors flagged SSH session establishment attempts on expected service ports, indicating systematic reconnaissance and credential-based intrusion probing consistent with brute-force or dictionary-driven authentication attacks. All 485 reports across the entire observation period originated exclusively from automated honeypot deployments rather than community-driven abuse ticket systems, which contributes to the elevated but not absolute confidence score. The absence of reporting diversity (the hacking category exclusively, with no other threat vectors documented) suggests a deliberately narrow targeting approach by the operator of this infrastructure.
The concrete risk posed by IP 195.178.110.15 to any exposed SSH service is unauthorized access leading to system compromise, lateral movement potential within internal networks, and subsequent data exfiltration or secondary attack deployment. The confirmed presence of active SSH sessions against honeypot sensors demonstrates persistent targeting of this vector, and the Bulgarian network origin places it within a jurisdiction where such activity has historically been associated with organized intrusion operations. Even with current activity frequency rated at zero, the substantial historical report volume warrants continued vigilance given that threat actors routinely cycle infrastructure through dormant phases before reactivating.
Site operators exposing SSH services should implement immediate defensive controls: enforce key-based authentication exclusively while disabling password authentication at the service level, deploy rate-limiting mechanisms such as fail2ban to automatically block repeated authentication failures from any single source, and ensure all SSH daemons run on non-standard ports where feasible to reduce automated scanning exposure. Continuous monitoring of authentication logs for source IP 195.178.110.15 specifically, combined with automatic blocking rules triggered by suspicious patterns, will provide layered defense against this persistent threat actor.