Critical Threat
IP 91.92.241.148, registered in Bulgaria and operated by Neterra Ltd, presents a severe threat profile with a maximum threat level of 10/10 based on 7,812 total abuse reports, primarily involving SSH brute-force intrusion attempts detected across 20 automated honeypot sensors. While activity frequency has dropped to zero in recent intervals, the sheer volume of historical reports establishes this address as a confirmed, persistent attack platform that has systematically targeted SSH services over a six-month period from September 2025 through March 2026.
The detection data reveals consistent engagement in brute-force authentication attacks against exposed SSH daemons, with Suricata signatures confirming active session establishment attempts on expected ports. The 7,812 reports span three distinct but related threat categories: general hacking activity at 19 reports, SSH-specific attacks at 18 reports, and two instances flagged as exploited host behaviour, suggesting this infrastructure may itself have been leveraged to compromise additional systems. The 60% confidence score reflects some uncertainty in attribution, yet the pattern of automated honeypot detections consistently points to credential-guessing campaigns rather than isolated scanning.
SSH brute-force activity represents one of the most prevalent and effective attack vectors targeting internet-exposed Linux servers and network devices. Attackers leverage automated tooling to cycle through credential combinations, exploiting weak or default passwords to gain unauthenticated access. Successful compromise grants attackers root-level control, enabling data exfiltration, malware deployment, lateral movement within networks, or recruitment into botnets. Even failed attempts consume server resources, create auth logs, and indicate an active threat actor probing defences.
Administrators running publicly accessible SSH services should immediately implement defensive controls: enforce key-based authentication exclusively, relocate the service to a non-standard port, apply fail2ban or equivalent tools to dynamically block repeated authentication failures, and disable direct root login. Given the volume of reports associated with this IP, blocking 91.92.241.148 at the network perimeter is strongly recommended, and organizations observing connections from this address should treat them as confirmed hostile probes warranting immediate investigation and blocking.
TR 
CO 
UA 
VN 
CA 
RO 
TH 
GB