Critical Alert
IP 107.173.112.54 is a critical-risk address operating from United States-based hosting infrastructure, with a threat level of 10/10 and a 94% confidence score. It is linked to sustained hacking activity detected across 20 automated honeypot sensors over approximately three months in early 2026. With 550 total abuse reports and an activity frequency rated 8/10, this IP shows persistent, high-volume malicious behavior that poses a significant danger to any exposed network service.
The address traces to HostPapa under ASN AS36352, a web hosting provider whose infrastructure has been associated with abusive activity in threat-intelligence databases. The IP was first reported in March 2026 and remained active through May 2026, indicating a sustained campaign rather than a transient probe. Detection data shows that the dominant threat category is general hacking activity, manifesting specifically as TCP stream manipulation patterns observed by intrusion-detection sensors. The Suricata alert signature "SURICATA STREAM spurious retransmission" points to anomalies in TCP session handling, a technique frequently employed during reconnaissance, session hijacking attempts, or exploitation of vulnerable services. The 550 aggregate reports across honeypot infrastructure confirm that this is not an isolated incident but a systematic, automated offensive operation.
The spurious retransmission behavior suggests the actor is manipulating TCP streams to probe firewall rule effectiveness, evade detection, or prepare the ground for subsequent exploitation stages. Combined with the "hacking activity" classification, this pattern indicates the IP is likely running automated exploitation toolkits or scanners that target vulnerable services on random internet-facing hosts. The volume of reports confirms that these are not manual probes but coordinated, high-frequency attacks designed to cast a wide net across potential victims.
Network defenders should immediately block or rate-limit traffic from this IP at the firewall and monitor logs for any associated scanning behavior targeting their own infrastructure. Automated blocking tools such as fail2ban can respond dynamically to repeated connection attempts. Exposed services should be audited for unnecessary open ports and patched against known vulnerabilities. Enabling strict TCP stateful packet inspection and configuring intrusion-detection systems to alert on anomalous stream behavior will further reduce exposure to this threat vector.