High Risk
IP 103.61.123.221, allocated to VIETNAM POSTS AND TELECOMMUNICATIONS GROUP in Vietnam (ASN AS135905), is a high-risk address associated with 337 total abuse reports and a threat level of 8/10, presenting a clear and ongoing danger to exposed network services worldwide.
Threat intelligence data shows 337 independent reports against this IP address, with an exceptionally high confidence score of 99% and an activity frequency rating of 8/10. The hostile activity was first detected and most recently reported in February 2026, indicating concentrated, deliberate targeting over a short timeframe. Automated honeypot sensors generated 19 of these reports and community sources contributed one additional report, so the malicious activity is confirmed through multiple independent detection channels. The dominant threat vector by volume is SSH-based attacks, supplemented by isolated instances of automated web vulnerability scanning and general hacking probes. Log analysis shows that honeypot sensors captured automated scanners repeatedly requesting sensitive configuration files, including environment-variable (.env) files, a classic reconnaissance pattern used to harvest credentials and application secrets.
The primary threat category associated with IP 103.61.123.221 is SSH brute-force activity, which attempts to gain unauthorized server access through systematic password guessing or exploitation of misconfigured SSH services. This attack vector poses a direct and severe risk to any internet-facing Linux or Unix servers running exposed SSH daemons, potentially resulting in complete server compromise, data exfiltration, or use of the compromised host as a pivot point for further network intrusion. The secondary vulnerability-scanning behavior targeting application configuration files represents a complementary reconnaissance effort designed to identify application-level weaknesses that could facilitate deeper system access beyond the initial SSH intrusion attempts.
Site operators should immediately block or rate-limit traffic from this IP address at the perimeter firewall and deploy automated blocking tools such as fail2ban to ban sources that generate repeated authentication failures against SSH services. SSH daemons should be hardened by disabling root login, allowing only key-based authentication, and changing the default listening port to reduce automated targeting. Web application firewalls should be configured to detect and block automated scanners probing for sensitive configuration paths, and directories containing environment files should never be within a production web server's document root. Continuous monitoring of authentication logs, together with an intrusion detection system, will provide early warning of ongoing or future intrusion attempts from this or related threat actors.
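The log triage and sshd hardening checks recommended above, as an added example that is not part of the original report and is not fail2ban's own code: it parses constructed auth.log and web access-log lines, flags any source exceeding `maxretry` failed SSH logins inside a `findtime`-second window (the condition fail2ban's sshd jail bans on), lists clients that requested secret-bearing paths such as `/.env`, and audits an sshd_config for the root-login and password-authentication settings the report names. All log lines, config snippets and the sensitive-path list are constructed assumptions; only the address 103.61.123.221 is taken from the report, and the other addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH "Failed password" line as written to syslog/auth.log (the timestamp has no year)
SSH_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)
# Common/combined web access-log line
HTTP_RE = re.compile(
    r'^(?P<ip>[\d.]+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Paths scanners request to harvest secrets; assumed starter list, extend it for your stack
SENSITIVE_SUFFIXES = ("/.env", "/.git/config", "/wp-config.php", "/phpinfo.php")

# Constructed sample logs (not captured data); 103.61.123.221 is the IP from the report
AUTH_LOG = """\
Feb 14 03:05:00 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 40001 ssh2
Feb 14 03:12:01 web1 sshd[2211]: Failed password for invalid user admin from 103.61.123.221 port 51234 ssh2
Feb 14 03:12:04 web1 sshd[2213]: Failed password for invalid user oracle from 103.61.123.221 port 51240 ssh2
Feb 14 03:12:09 web1 sshd[2215]: Failed password for root from 103.61.123.221 port 51251 ssh2
Feb 14 03:12:15 web1 sshd[2219]: Failed password for invalid user ubuntu from 103.61.123.221 port 51266 ssh2
Feb 14 03:13:02 web1 sshd[2230]: Failed password for root from 103.61.123.221 port 51302 ssh2
Feb 14 03:13:40 web1 sshd[2241]: Accepted publickey for deploy from 192.0.2.10 port 55012 ssh2
Feb 14 03:14:40 web1 sshd[2252]: Failed password for root from 103.61.123.221 port 51377 ssh2
Feb 14 03:30:00 web1 sshd[2390]: Failed password for root from 198.51.100.7 port 40120 ssh2
""".splitlines()

ACCESS_LOG = """\
103.61.123.221 - - [14/Feb/2026:03:20:11 +0000] "GET /.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Feb/2026:03:20:30 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
103.61.123.221 - - [14/Feb/2026:03:20:12 +0000] "GET /api/.env HTTP/1.1" 404 153 "-" "Mozilla/5.0"
""".splitlines()

# Constructed sshd_config fragments: the weak defaults and the hardened form the report asks for
WEAK_SSHD_CONFIG = "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = (
    "# non-default port, as the report suggests\nPort 2222\n"
    "PermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
)


def ssh_bruteforce_sources(lines, year=2026, maxretry=5, findtime=600):
    """Return {ip: failures} for sources with >= maxretry failed logins in any findtime-second window."""
    attempts = defaultdict(list)
    for line in lines:
        m = SSH_FAIL_RE.match(line)
        if m:  # syslog omits the year, so the caller supplies it
            attempts[m["ip"]].append(datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    window, flagged = timedelta(seconds=findtime), {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= maxretry:
            flagged[ip] = peak
    return flagged


def config_probe_sources(lines):
    """Return {ip: [paths]} for clients requesting secret-bearing paths; a 404 still identifies the scanner."""
    hits = defaultdict(list)
    for line in lines:
        m = HTTP_RE.match(line)
        if m:
            path = m["path"].split("?", 1)[0]  # drop the query string before matching
            if path.endswith(SENSITIVE_SUFFIXES):
                hits[m["ip"]].append(path)
    return dict(hits)


def sshd_findings(config_text):
    """Flag the two sshd_config settings the report tells operators to change.
    sshd honours the first occurrence of a keyword, so duplicates are ignored here as well."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            seen.setdefault(parts[0].lower(), parts[1].strip().lower())
    findings = []
    if seen.get("permitrootlogin", "prohibit-password") not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin permits password root login; set it to no")
    if seen.get("passwordauthentication", "yes") == "yes":  # OpenSSH defaults to yes when absent
        findings.append("PasswordAuthentication is enabled; set it to no and use keys only")
    return findings


if __name__ == "__main__":
    print("SSH brute-force sources:", ssh_bruteforce_sources(AUTH_LOG))
    print("Config-file probes:", config_probe_sources(ACCESS_LOG))
    print("Weak sshd_config:", sshd_findings(WEAK_SSHD_CONFIG))
    print("Hardened sshd_config:", sshd_findings(HARDENED_SSHD_CONFIG))
```

With the sample data, only 103.61.123.221 crosses the threshold (six failures inside three minutes), while 198.51.100.7's two failures 25 minutes apart stay below it, which is the distinction a rate-based ban relies on; the `.env` probes are reported even though the server answered 404, because the request itself is the detection signal the report describes.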