Is IP address 85.11.167.3 dangerous?

Yes, 85.11.167.3 is considered dangerous with a threat level of 10/10. It has been reported 415 times for malicious activities including . We recommend blocking this IP address.

Who owns or operates IP address 85.11.167.3?

IP address 85.11.167.3 is operated by Sofcompany (ASN 0) and is geolocated to BG. This information is derived from public WHOIS and geolocation databases.

Should I block IP address 85.11.167.3?

Yes, blocking 85.11.167.3 is strongly recommended. With a threat level of 10/10 and 415 security reports, this IP poses significant risk. Implement firewall rules to block incoming and outgoing traffic.

How accurate is this threat assessment for 85.11.167.3?

Our threat assessment for 85.11.167.3 has a confidence score of 64%, based on 415 independent reports from multiple independent sources. Higher confidence scores indicate more reliable assessments.

IP Address

85.11.167.3

IPv4 Public

Sofcompany

415 Reports

BG Location

Sofcompany ISP

415 Reports

Mixed Data Source

Critical Threat

IP 85.11.167.3 is a critical-risk address originating from Bulgaria, operated by Sofcompany, that has been linked to 415 abuse reports across 20 distinct detection sources since November 2025, with the overwhelming majority of hostile activity targeting WordPress installations through coordinated reconnaissance and exploitation attempts.

The compiled evidence shows a concentrated threat profile where automated honeypot sensors and community reports converge on WordPress-specific attack vectors. Of the 415 total reports, the most prevalent categories include general hacking activity (11 reports), WordPress login brute-force attempts (8), user enumeration via author parameter probing (7), configuration file scanning (5), unauthorized cron execution (3), distributed denial-of-service activity (3), and web application reconnaissance (1). Detection logs document pattern sequences including repeated author parameter enumeration against WordPress endpoints, backup-related query parameter scanning, and configuration file exposure attempts consistent with targeted exploitation campaigns. The 20 reporting sources include 9 automated honeypot sensors and 11 community submissions, providing moderate confidence in the assessment despite the high volume of reports.

The dominant threat pattern reflects a systematic WordPress reconnaissance and compromise campaign rather than opportunistic scanning. Attackers leveraging author parameter enumeration attempt to discover valid usernames by iterating through sequential IDs, which then enables targeted brute-force attacks against known accounts. Configuration file scanning searches for exposed backups or sensitive files that may contain database credentials or encryption keys. Unauthorized cron execution attempts can abuse legitimate scheduled tasks to inject malicious payloads or extract data. Together, these techniques form a staged attack chain designed to progressively escalate privileges and maintain persistent access to WordPress-powered websites.

Site operators running WordPress should implement fail2ban or equivalent intrusion prevention rules configured to detect and block WordPress-specific attack patterns, including author enumeration and config file access attempts. Restricting XML-RPC and wp-cron access to authorized sources, enforcing strong authentication with two-factor authentication, and monitoring access logs for the query parameter patterns documented in honeypot events will significantly reduce exposure. Blocking or rate-limiting traffic from Bulgarian IP ranges at the network perimeter provides additional defense-in-depth where traffic patterns justify such measures.

More threatening than 91% of monitored IPs

Threat Categories

Hacking 19

WP Login Brute Force 10

WP User Enumeration 8

WP Config Exposure 5

DDoS Attack 3

WP Cron Abuse 3

Technical Details

General hacking activity includes various intrusion attempts, exploitation of vulnerabilities, and unauthorized access attempts.

Recommended Mitigations

Keep systems patched, implement intrusion detection, and follow security best practices.

Reputable Network

This IP is hosted on a network (ASN 0) with generally good reputation. The ISP Sofcompany maintains standard security practices.

The malicious activity may represent an isolated compromised system rather than systematic abuse.

Security Recommendations

Continue monitoring for emerging patterns.

Reputation Summary

Threat Level 10/10 Critical

Critical

Activity Frequency 0/10 Inactive

Confidence Score 64% High Confidence

Confidence History

6. Dec 2025 - 16. Feb 2026

64% Current

Stable Trend

Date	Categories	Source	Confidence
16. Feb 2026	WP Login Brute Force	Honeypot	75%
9. Feb 2026	Hacking Web App Attack	Honeypot x3	75%
8. Feb 2026	WP Login Brute Force	Honeypot	75%
8. Feb 2026	WP Cron Abuse DDoS Attack WP Config Exposure +2	Community x5	75%
31. Jan 2026	WP Login Brute Force	Honeypot	75%
30. Jan 2026	WP Cron Abuse DDoS Attack WP Config Exposure +2	Community x5	75%
30. Jan 2026	WP Login Brute Force	Honeypot	75%
24. Jan 2026	WP Login Brute Force	Honeypot	75%
22. Jan 2026	WP Login Brute Force	Honeypot	75%
22. Jan 2026	WP Config Exposure Hacking	Community	75%
22. Jan 2026	Hacking WP Config Exposure	Community	75%
22. Jan 2026	WP User Enumeration Hacking	Community	75%
22. Jan 2026	WP Config Exposure Hacking	Community	75%
22. Jan 2026	WP Cron Abuse DDoS Attack	Community	75%
21. Jan 2026	WP Login Brute Force	Honeypot	75%
21. Jan 2026	WP Login Brute Force	Honeypot	75%
18. Jan 2026	WP User Enumeration Hacking	Community	75%
18. Jan 2026	WP User Enumeration Hacking	Community	75%
18. Jan 2026	WP User Enumeration Hacking	Community	75%
18. Jan 2026	WP User Enumeration Hacking	Community	75%
18. Jan 2026	WP User Enumeration Hacking	Community	75%
18. Jan 2026	WP Login Brute Force	Honeypot	75%
18. Jan 2026	WP Login Brute Force	Honeypot	75%
6. Dec 2025	Hacking	Honeypot	75%
6. Dec 2025	Hacking	Honeypot	75%
6. Dec 2025	Hacking	Honeypot	75%
6. Dec 2025	Hacking	Honeypot	75%
6. Dec 2025	Hacking	Honeypot	75%
6. Dec 2025	Hacking	Honeypot	75%
6. Dec 2025	Hacking	Honeypot	75%

Basic Information

IP Address: 85.11.167.3
IP Version: IPv4
Network Type: Public
Tor Network: No
Network Class: Class A

Geolocation

Country: BG
ASN: Unknown
ISP: Sofcompany

DNS Information

Reverse DNS: None
PTR Record: No
Connection Type: Static

Statistics

Total Reports: 415
First Reported: 9 Nov 2025
Last Reported: 16 Feb 2026, 23:53

Comparative Analysis

How this IP compares to others in our threat intelligence database

91 %

Global Threat Ranking

This IP is more threatening than 91% of all IPs in our database.

Top 10% Most Dangerous

Global Comparison

Compared against 198,727 reported IPs worldwide

Threat Level 10/10 avg: 5.3 ++

Total Reports 415 avg: 23 ++

Geographic Comparison

Compared against 704 IPs in BG

Threat Level 10/10 country avg: 6.6 ++

Total Reports 415 country avg: 105 ++

Daily report activity over the last 30 days showing patterns and peaks.

Peak Day 0 reports

Daily Average 0 reports/day

Most Active Saturday 107 reports

Evolution of threat level over time based on reported categories and frequency.

Initial Threat 6/10

Current Threat 6/10

Distribution of threat categories reported over time.

Top Threat Categories

Hacking 381

Exploited Host 23

WP Login Brute Force 10

WP User Enumeration 8

WP Config Exposure 5

Activity patterns showing when this IP is most active during the day and week.

Hourly Activity

Peak activity at 20:00 with 43 reports

Weekly Activity

Geographic Threat Distribution

186,492 threat incidents tracked globally • Last 24h: 18,626 Logs

FEED

Top Threat Sources

01

United States US

38,327 20.6%
02

India IN

28,856 15.5%
03

China CN

25,964 13.9%
04

Brazil BR

10,206 5.5%
05

Germany DE

7,130 3.8%
06

Singapore SG

6,453 3.5%
07

Indonesia ID

5,496 2.9%
08

Russia RU

4,694 2.5%
09

Pakistan PK

4,633 2.5%
10

Netherlands NL

4,351 2.3%

+40 more countries

THREAT LEVEL

LOW MED HIGH

IPs from the same subnet range, likely same network segment.

20 Related IPs

8.1/10 Avg Threat

71% Avg Confidence

17 High Threat

High-risk network: Majority of related IPs are flagged

Critical Threat

Threat Categories

Technical Details

Recommended Mitigations

Reputable Network

Security Recommendations

Basic Information

Geolocation

DNS Information

Statistics

Global Threat Ranking

Top Threat Categories

Hourly Activity

Weekly Activity

FEED

Top Threat Sources

JSON Report

Firewall Rules

iptables / netfilter

UFW (Ubuntu)

Windows Firewall

Cloudflare

nginx

Apache .htaccess

PDF Report

Analyzed high-risk IP addresses

reportedIP

Parkstraße 19, 80339 München

Consultation

+49-89-215505888

Report a IP

[email protected]