Elevated Risk
IP 207.90.244.20 is a high-risk address associated with sustained hacking activity, with a threat level of 8/10 and nearly 20,000 cumulative abuse reports logged over approximately nine months of active detection. The address represents a significant and persistent threat to any exposed network service, and organizations seeing suspicious inbound connections from it should consider blocking it immediately.
The address originates from a United States network operated by COGENT-174 (AS174), a major upstream internet backbone provider. Automated honeypot sensors distributed across multiple detection points logged a total of 19,659 reports, and all 20 of the most recent reports categorize the activity as general hacking, a category that covers intrusion attempts, vulnerability exploitation, and unauthorized access attempts. The IP was first reported in September 2025 and remained active through June 2026, indicating a continuous and determined campaign rather than opportunistic scanning. The confidence score of 78% reflects strong consensus across detection sources despite the generalized categorization of the activity.
The dominant threat category, hacking, covers automated exploitation attempts against internet-facing services, which can include port scanning, credential stuffing, brute-force authentication attacks, and probing for known vulnerable configurations. The sheer volume of reports against this address suggests it is part of an active scanning or exploitation infrastructure, likely deployed within a botnet or operated as a commercial scanning service. For an organization with SSH, RDP, web applications, or other exposed services, this IP poses a concrete risk of unauthorized access attempts and of compromise if vulnerable configurations are present.
Site operators should block IP 207.90.244.20 at the firewall or network edge to eliminate this source of malicious traffic entirely. Strict rate-limiting on authentication endpoints, combined with tools such as fail2ban that automatically block repeated login failures, reduces the effectiveness of any subsequent attempts. Keeping all internet-facing systems fully patched and applying least-privilege access controls limits the impact of any successful intrusion. Continuous monitoring of authentication logs for activity from this IP shows whether the blocking measures are working and whether the threat actor is attempting to reach the network through alternative addresses.
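A fail2ban-style check over sshd authentication logs, added here as an illustration and not part of the report or of fail2ban itself: it flags any source that reaches five failed logins within a ten-minute window, and separately counts every line from the reported address so that a non-zero count after blocking shows the edge rule is not taking effect. The log lines, hostname, user names and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (not from the report): a burst from the
# reported address followed by normal traffic from an internal host.
SAMPLE_LOG = """\
Jun 10 03:12:01 bastion sshd[4121]: Failed password for invalid user admin from 207.90.244.20 port 51422 ssh2
Jun 10 03:12:04 bastion sshd[4123]: Failed password for root from 207.90.244.20 port 51430 ssh2
Jun 10 03:12:09 bastion sshd[4125]: Failed password for invalid user oracle from 207.90.244.20 port 51441 ssh2
Jun 10 03:12:15 bastion sshd[4127]: Failed password for invalid user test from 207.90.244.20 port 51455 ssh2
Jun 10 03:12:20 bastion sshd[4129]: Failed password for root from 207.90.244.20 port 51460 ssh2
Jun 10 03:15:00 bastion sshd[4140]: Failed password for alice from 10.0.0.7 port 40012 ssh2
Jun 10 03:15:30 bastion sshd[4142]: Accepted publickey for alice from 10.0.0.7 port 40013 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
IP_RE = re.compile(r" from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port ")
KNOWN_BAD = {"207.90.244.20"}  # the address covered by the report

def parse_failures(log_text, year=2026):
    """Yield (timestamp, ip, user) for each failed-password line (syslog lacks the year)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_brute_forcers(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {ip: failures} for sources reaching max_failures inside a sliding window."""
    attempts = defaultdict(list)
    flagged = {}
    for ts, ip, _user in parse_failures(log_text):
        times = attempts[ip]
        times.append(ts)
        while times and ts - times[0] > window:  # expire attempts outside the window
            times.pop(0)
        if len(times) >= max_failures:
            flagged[ip] = len(times)
    return flagged

def known_bad_activity(log_text, blocklist=KNOWN_BAD):
    """Count every sshd line, failed or accepted, whose source is on the blocklist."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if m and m["ip"] in blocklist:
            counts[m["ip"]] += 1
    return dict(counts)
```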