Maximum Danger
IP 91.239.216.9 is a maximum-risk address linked to exploited host activity: a compromised system being weaponized for further attacks. Automated honeypot sensors filed 291 abuse reports against it over a two-month window between November and December 2025. The German-hosted address carries a threat level of 10/10, indicating confirmed malicious engagement, though the moderate confidence score of 76% suggests some uncertainty in attribution. The dominant threat classification of Exploited Host signals that this endpoint has been taken over by threat actors and is operating under their control without the legitimate operator's awareness, with recent reporting activity confirming ongoing abuse.
Automated honeypot sensors generated the full corpus of 291 reports across 20 distinct detection points, placing this address squarely within a high-volume abuse pattern. The IP operates within AS215224, managed by NovoServe B.V., a hosting provider whose infrastructure may require notification of the compromise. Geographic placement in Germany situates this host within European network jurisdiction, though the exploited status transcends national boundaries as the system functions as an attacker asset. The reported timeframe spans November through December 2025, indicating sustained malicious use rather than a transient probe. The activity frequency metric of 0/10 suggests that, while the historical report volume is substantial, the most recent observable engagement may have tapered. Even so, the confirmed exploited host classification means the system remains dangerous if reactivated.
An Exploited Host designation indicates that malicious actors have gained unauthorized control over this endpoint, transforming it into an instrument for conducting outbound attacks against other targets across the internet. Such systems typically run botnet malware, proxy tools, or attack scripts that execute commands from a command-and-control infrastructure without the owner's knowledge. The real-world risk stems from this address potentially launching scanning campaigns, credential stuffing attempts, distributed denial-of-service traffic, or serving as a pivot point to obscure attacker origins. Organizations exposing services to the internet face direct exposure to whatever malicious payloads this compromised host is configured to deliver, making timely blocking essential for network perimeter defence.