Severe Risk
IP 27.254.137.199 is a critical-risk address assessed at 10/10 threat level, classified as an exploited host with 177 total abuse reports spanning September to November 2025. This Thai IP address represents a compromised system that has been weaponized as an active attack platform, posing severe risk to any exposed network services it targets.
Automated honeypot sensors and community reports recorded 20 distinct exploited-host detections against this address, with activity concentrated over a three-month window. The IP originates from AS9891, operated by CS LOXINFO Public Company Limited in Thailand, a major regional hosting and internet service provider. Despite a 70% confidence score, the volume of reports combined with consistent honeypot detection indicates persistent malicious use of this compromised infrastructure. The Redis attack pattern identified in the sanitized evidence logs confirms that threat actors are using this exploited host to conduct targeted database-level intrusions against vulnerable services.
As an exploited host, IP 27.254.137.199 operates under the control of external threat actors who have successfully compromised the original system without the owner's knowledge. The Redis attack vector suggests automated exploitation attempts against improperly configured Redis deployments, where attackers can execute arbitrary commands or exfiltrate sensitive data from cached storage. This activity pattern indicates the compromised system is functioning as a relay node for further attacks, meaning blocking this address alone will not resolve the underlying vulnerability on the exploited machine itself.
Site operators should immediately block IP 27.254.137.199 at the network perimeter and consider implementing fail2ban or similar intrusion-prevention tools to automatically mitigate repeated attack patterns. Redis deployments should be hardened by binding to localhost, enforcing authentication with strong passwords, and disabling dangerous commands. Continuous traffic monitoring for Redis exploitation signatures and rate-limiting incoming connections from high-risk geographic regions will reduce exposure. Organizations receiving attacks from this address should also consider notifying the hosting provider to facilitate remediation of the compromised system.
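The three Redis hardening points above (loopback binding, authentication, disabled dangerous commands) can be checked mechanically. The following auditor is an added example, not part of the report or of any vendor tooling; the two sample configurations and the set of commands it treats as dangerous are constructed for illustration.

```python
DANGEROUS_COMMANDS = ("FLUSHALL", "FLUSHDB", "CONFIG", "DEBUG", "SHUTDOWN")

# Constructed sample configs: the weak one mirrors the misconfiguration the report describes.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""
HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
requirepass CHANGE-ME-placeholder
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command DEBUG ""
rename-command SHUTDOWN ""
"""


def parse_redis_conf(text: str) -> dict[str, list[list[str]]]:
    """Map each directive to the argument lists it was given (some directives repeat)."""
    conf: dict[str, list[list[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if line:
            name, *args = line.split()
            conf.setdefault(name.lower(), []).append(args)
    return conf


def audit_redis_conf(text: str) -> list[str]:
    """Return findings for the three hardening checks; an empty list means all passed."""
    conf = parse_redis_conf(text)
    findings: list[str] = []
    binds = conf.get("bind", [[]])[-1]  # no 'bind' line means every interface
    if not binds or any(b.lstrip("-") not in ("127.0.0.1", "::1") for b in binds):
        findings.append("bind: Redis is reachable on a non-loopback interface")
    if conf.get("protected-mode", [["yes"]])[-1] == ["no"]:
        findings.append("protected-mode: explicitly disabled")
    has_password = any(args and args[0] for args in conf.get("requirepass", []))
    if not has_password and not conf.get("user"):  # 'user' lines are Redis 6+ ACL entries
        findings.append("requirepass: no authentication configured")
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if len(args) == 2}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} is neither disabled nor renamed")
    return findings
```

Run `audit_redis_conf(open("/etc/redis/redis.conf").read())` on a host to list which of the report's recommendations are still open; renaming a command to `""` disables it entirely.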