Extreme Threat
IP 80.94.95.15 is a maximum-risk address originating from Romania, operated through SS-Net under ASN AS204428. It has accumulated 29,208 abuse reports within a concentrated two-month window between August and September 2025, indicating a sustained and aggressive automated attack campaign primarily targeting Secure Shell services.
Detection data gathered from 20 independent automated honeypot sensors confirms that this address is responsible for systematic intrusion attempts, with the majority of recent reports categorizing the activity as general hacking operations (16 incidents) and SSH-specific brute-force attempts (4 incidents). The sheer volume of reports relative to the brief reporting period suggests this IP operates as part of an automated botnet or scanning infrastructure rather than isolated manual probing. Despite a modest 61% confidence score, the repeat detection across multiple independent sensors substantiates the reliability of the threat assessment. The geographic attribution to Romania and the involvement of SS-Net provide network-level context for blocking decisions at firewall and border router levels.
SSH brute-force attacks represent one of the most prevalent initial-access vectors in internet-facing server compromise. Attackers systematically iterate through credential combinations against exposed SSH daemons, exploiting weak or default passwords to gain unauthorized shell access. Once inside a target network, threat actors leverage compromised servers for lateral movement, data exfiltration, cryptomining deployment, or use the foothold as a relay for further attacks. The automated nature of these campaigns means that any publicly accessible SSH service with standard authentication will be scanned and attacked within hours of exposure, often continuously across multiple source addresses in coordinated campaigns.
Site operators with internet-facing SSH services should treat connections from this address as definitively hostile. Implementing automated blocking through security tools such as fail2ban or similar intrusion-prevention systems that dynamically ban repeat offenders after failed authentication thresholds provides effective protection against credential-guessing attempts. Administrators should further harden SSH access by enforcing key-based authentication exclusively, disabling root login, and relocating the service to a non-standard port. Continuous monitoring of authentication logs for source addresses matching this pattern, combined with network-level null routing or firewall blocklists, will eliminate the risk of successful intrusion from this confirmed threat source.
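The log monitoring described above can be sketched as follows. This is an added example, not part of the original report: it flags the reported address on sight and applies a fail2ban-style failed-authentication threshold to every other source. The threshold, the time window, the year, the OpenSSH syslog line format and the sample log lines are all assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

BLOCKLIST = {"80.94.95.15"}        # the address this page reports on
MAXRETRY = 3                       # assumed threshold, fail2ban-style
FINDTIME = timedelta(minutes=10)   # assumed sliding window
YEAR = 2025                        # syslog timestamps carry no year; assumed

# Matches OpenSSH "Failed password for [invalid user] NAME from IP port N".
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

def sources_to_ban(lines):
    """Return {ip: reason} for blocklisted sources and threshold offenders."""
    recent = defaultdict(deque)    # ip -> timestamps of failures inside FINDTIME
    verdicts = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue               # successes and unrelated lines are ignored
        stamp, ip = m.groups()
        when = datetime.strptime(f"{YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        if ip in BLOCKLIST:
            verdicts[ip] = "blocklisted"   # one failure is enough for a known source
            continue
        window = recent[ip]
        window.append(when)
        while when - window[0] > FINDTIME:  # drop failures older than the window
            window.popleft()
        if len(window) >= MAXRETRY:
            verdicts.setdefault(ip, "threshold")
    return verdicts

# Constructed sample log lines (not taken from any real host).
SAMPLE_LOG = """\
Sep 12 03:14:07 web1 sshd[2101]: Failed password for root from 80.94.95.15 port 51234 ssh2
Sep 12 03:14:09 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 40022 ssh2
Sep 12 03:14:15 web1 sshd[2105]: Failed password for invalid user test from 203.0.113.7 port 40031 ssh2
Sep 12 03:14:21 web1 sshd[2107]: Failed password for root from 203.0.113.7 port 40040 ssh2
Sep 12 03:20:00 web1 sshd[2110]: Failed password for deploy from 198.51.100.9 port 55000 ssh2
Sep 12 03:45:00 web1 sshd[2115]: Failed password for deploy from 198.51.100.9 port 55010 ssh2
Sep 12 03:46:00 web1 sshd[2117]: Accepted publickey for deploy from 198.51.100.9 port 55020 ssh2
""".splitlines()

if __name__ == "__main__":
    print(sources_to_ban(SAMPLE_LOG))
```

The source at 198.51.100.9 is not flagged because its two failures fall 25 minutes apart, outside the assumed window, which is the behaviour that keeps a legitimate user's occasional mistyped password from triggering a ban.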