Maximum Danger
IP 80.94.92.171 is a critical-risk address originating from Romania, operated by Unmanaged Ltd under ASN AS47890. It has been linked to 299 abuse reports from automated honeypot sensors over a six-month period. Its activity is dominated by sustained SSH brute-force attacks, and evidence of active exploited-host behaviour indicates it may be part of compromised infrastructure being weaponised for lateral movement.
The detection data reveals consistent malicious activity between January and June 2026, with 20 separate honeypot sensors across the network reporting this IP's behaviour. Of the reported threat categories, Hacking activity accounted for the majority of incidents, followed closely by SSH-specific attacks and Exploited Host categorisations. Suricata alert signatures repeatedly identified "SSH session in progress on Expected Port," a pattern that appeared both on its own and alongside brute-force attempt descriptions. The presence of multiple reports explicitly tagged as "(exploited)" strongly suggests this address is not merely a passively compromised device but is actively being operated as an attack platform, potentially within a botnet or similar adversarial infrastructure. The high activity frequency score of 8/10 and the volume of reports from numerous independent sensors give the overall assessment an 85% confidence rating.
SSH brute-force attacks represent a well-documented initial-access vector where threat actors systematically attempt to authenticate against exposed SSH services using common or leaked credential combinations. When successful, these attacks grant adversaries persistent shell access to servers, enabling data exfiltration, cryptocurrency mining, pivot attacks against internal network assets, or the recruitment of the compromised host into a botnet. The detection of active SSH sessions on expected ports combined with exploited-host indicators means this IP is not merely probing but has likely already achieved unauthorised access on target systems, elevating the risk from theoretical to immediate and operational.
Organisations exposing SSH services to the internet should treat IP 80.94.92.171 as a confirmed malicious source and block it at the perimeter firewall or edge gateway. Deploying fail2ban or an equivalent dynamic blocking tool that bans a source IP after repeated failed authentication attempts will neutralise automated brute-force campaigns. SSH services should be hardened by allowing key-based authentication only, moving the service off the default port, and explicitly disabling root login. Continuous monitoring of authentication logs for attempts from this address, combined with intrusion detection signatures that alert on the Suricata patterns observed above, will enable rapid response if any connection attempts slip past perimeter controls.
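The log-monitoring and dynamic-blocking logic described above, as an added example that is not part of this report: a small fail2ban-style detector that parses sshd "Failed password" syslog lines and flags any source IP that accumulates `maxretry` failures inside a sliding `findtime` window. The log lines are constructed samples in the standard sshd syslog format (the attacking address is the one discussed in this report; 192.0.2.10 is a fictional benign host), and the `maxretry`/`findtime` names are borrowed from fail2ban's jail settings.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines, not real captures. 80.94.92.171 is the
# address from the report; 192.0.2.10 is a fictional legitimate operator.
SAMPLE_LOG = """\
Mar 14 02:11:07 web1 sshd[4121]: Failed password for invalid user admin from 80.94.92.171 port 51022 ssh2
Mar 14 02:11:09 web1 sshd[4121]: Failed password for invalid user admin from 80.94.92.171 port 51022 ssh2
Mar 14 02:11:12 web1 sshd[4125]: Failed password for root from 80.94.92.171 port 51040 ssh2
Mar 14 02:11:15 web1 sshd[4129]: Failed password for root from 80.94.92.171 port 51061 ssh2
Mar 14 02:11:18 web1 sshd[4133]: Failed password for invalid user oracle from 80.94.92.171 port 51080 ssh2
Mar 14 02:11:40 web1 sshd[4140]: Accepted publickey for deploy from 192.0.2.10 port 40122 ssh2
Mar 14 02:15:03 web1 sshd[4150]: Failed password for deploy from 192.0.2.10 port 40130 ssh2
"""

# Matches sshd's failed-password line for both existing and "invalid user" accounts.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2026):
    """Yield (timestamp, ip, user) for each failed-password line.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def brute_force_sources(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_trigger} for every source that reaches maxretry
    failures within any findtime-long sliding window (fail2ban's ban condition)."""
    windows = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = {}
    for ts, ip, _user in parse_failures(log_text):
        w = windows[ip]
        w.append(ts)
        while w and ts - w[0] > findtime:   # expire failures outside the window
            w.pop(0)
        if len(w) >= maxretry and ip not in flagged:
            flagged[ip] = ts            # first moment a ban would be issued
    return flagged
```

The flagged dictionary is what a blocking hook (an nftables/iptables drop rule or a firewall API call) would consume; the single failure from the legitimate host never reaches the threshold.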