Critical Threat
IP 49.115.217.27 is a critical-risk address assessed at threat level 10/10 that has accumulated 507 abuse reports across automated honeypot sensors, indicating sustained hostile activity originating from a compromised system operating within Chinanet's network in China. The IP's dominant threat profile aligns with an exploited host being weaponised for malicious purposes, with 19 of the most recent reports categorising it as an exploited host and an additional 12 reports documenting general hacking activity.
Analysis of the 507 total reports, sourced from 20 distinct automated honeypot sensors, reveals that this address has been under sustained scrutiny since August 2025 with continued activity logged through May 2026. The network operator is Chinanet (ASN AS4134), a major Chinese telecommunications provider whose address space has historically been associated with both benign scanning traffic and malicious campaigns. The activity frequency score of 5/10 suggests regular, patterned engagement rather than isolated spikes, and the 70% confidence score indicates moderate certainty in attributing all observed activity to a single threat actor or compromised system.
The attack-pattern evidence points specifically to Redis exploitation attempts, corroborated by multiple Suricata alerts documenting stream packets with invalid timestamps, a known technique employed to bypass authentication or exploit unpatched Redis instances. An exploited host classification indicates that the system at this address is almost certainly compromised and operating under an attacker's control without the owner's knowledge, functioning as an unwitting attack platform. This poses a dual risk: the infrastructure itself has been compromised, and it is actively being used to probe external Redis deployments for vulnerabilities, potentially as part of a larger coordinated campaign.
Site operators should block 49.115.217.27 at the network perimeter immediately, and monitor for traffic patterns resembling Redis reconnaissance from adjacent address space within AS4134. Implementing fail2ban or equivalent rate-limiting rules for Redis authentication failures can reduce exposure to automated exploitation attempts. Ensuring Redis instances are not exposed to untrusted networks, enforcing strong authentication, and applying regular security patches will substantially harden targets against the specific attack patterns observed. Operators who identify successful Redis compromises should consider notifying the relevant hosting provider given the exploited host classification of the source address.