Extreme Threat
IP 5.101.64.6 is a high-risk address operated by Petersburg Internet Network ltd. in Russia (ASN AS34665) that has accumulated 212 abuse reports since August 2025, with a threat level of 10/10 and an 86 percent confidence score that this IP is engaged in malicious activity.
Automated honeypot sensors registered 20 distinct report sources linking this address to hacking activity, web application probing, and at least one confirmed exploited-host scenario. Suricata alerts tied to this IP include spurious TCP stream retransmissions, broken acknowledgment packets associated with malware or exploit activity, and an application-layer protocol mismatch in both directions, a pattern consistent with automated scanning and vulnerability testing. The detection feed also captured an active SSH session on an unexpected port, indicating either unauthorized access establishment or lateral-movement preparation. With activity spanning from August 2025 through May 2026 and a frequency rated at 5/10, this is not an isolated incident but a sustained campaign targeting exposed services.
The dominant hacking category signals systematic intrusion attempts, including exploitation of vulnerabilities and unauthorized access attempts. The web application attack reports point to probing for OWASP-class weaknesses such as remote file inclusion or cross-site scripting entry points. The exploited-host classification is particularly significant: it suggests this IP may be routing through a compromised machine, meaning the apparent source is itself a victim being weaponized. The stream-level anomalies, retransmissions and broken ACKs, are consistent with exploit toolkits and malware command-and-control traffic designed to evade detection by fragmenting or corrupting TCP state.
Site operators should block IP 5.101.64.6 at the firewall or network edge immediately. Deploy or tighten a web application firewall to absorb OWASP Top 10 probing patterns. Enforce strong, non-default SSH credentials and consider restricting SSH access to known source subnets; tools such as fail2ban can dynamically ban repeated connection attempts. Patch exposed services on a predictable schedule and monitor for the Suricata signatures associated with this address — especially unexpected SSH sessions on non-standard ports and stream-state anomalies — as leading indicators of a live intrusion or persistent backdoor presence.