Extreme Threat
IP address 161.132.50.196, registered to Red Cientifica Peruana and operating within ASN AS3132, presents a severe threat level with a maximum risk score of 10 out of 10, driven by 921 independent abuse reports submitted through 20 automated honeypot sensors during November 2025 alone. This concentration of malicious activity within a compressed one-month reporting window signals an aggressive and sustained campaign rather than isolated probe attempts.
The dataset shows that every report falls within November 2025, between the address's first and last observed activity, with the overwhelming majority categorised as general hacking activity (18 incidents) alongside targeted SSH intrusion attempts (2 incidents). The honeypot detections specifically captured SSH brute-force patterns and associated command-input activity, indicating repeated attempts to authenticate against exposed SSH services using credential-guessing techniques. The 69% confidence score reflects some uncertainty in attributing all activity to a single threat actor, yet the volume of reports from multiple independent sensors substantially corroborates the hostile nature of this address.
SSH brute-force activity is one of the most prevalent initial-access vectors observed against internet-facing infrastructure: automated tools cycle through common username-password combinations to compromise servers running default or weak SSH configurations. The real-world risk extends beyond temporary service disruption; a successful authentication gives attackers a persistent foothold for data exfiltration, cryptocurrency-mining deployment, lateral movement into internal networks, or incorporation into botnets. Even failed brute-force attempts generate significant log noise that can obscure genuine security incidents and consume server resources.
Operators maintaining publicly accessible SSH services should immediately audit authentication configurations, enforcing key-based authentication exclusively while disabling password-based login entirely. Implementing fail2ban or equivalent dynamic blocking tools provides an automated response layer against repeated connection attempts from hostile sources. Additionally, relocating the SSH daemon to a non-standard port reduces automated target selection, and restricting root login eliminates a high-value authentication target. Continuous monitoring of authentication logs for patterns matching the observed brute-force signatures will enable rapid identification of any renewed activity from this or related addresses.
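The log-monitoring step above, as an added example that is not part of this report: a small detector that parses sshd "Failed password" lines, groups failures by source address, and flags any source reaching a threshold of failures inside a sliding time window. The log lines are constructed for illustration (the report's own IP is used as the noisy source); the threshold of 5 failures in 10 minutes is an assumed starting point, not a value from the report.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd lines in syslog format; not real captured data.
SAMPLE_LOG = """\
Nov 12 03:14:01 bastion sshd[2101]: Failed password for root from 161.132.50.196 port 41022 ssh2
Nov 12 03:14:03 bastion sshd[2103]: Failed password for invalid user admin from 161.132.50.196 port 41030 ssh2
Nov 12 03:14:05 bastion sshd[2105]: Failed password for invalid user oracle from 161.132.50.196 port 41044 ssh2
Nov 12 03:14:07 bastion sshd[2107]: Failed password for root from 161.132.50.196 port 41050 ssh2
Nov 12 03:14:09 bastion sshd[2109]: Failed password for invalid user test from 161.132.50.196 port 41061 ssh2
Nov 12 03:20:00 bastion sshd[2150]: Accepted publickey for deploy from 10.0.0.5 port 50211 ssh2
Nov 12 03:25:00 bastion sshd[2170]: Failed password for alice from 10.0.0.7 port 50300 ssh2
"""

# Matches both "Failed password for <user>" and "... for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(log_text, year=2025):
    """Yield (timestamp, user, source_ip) for each failed-password line.
    Syslog lines carry no year, so the caller supplies one (assumed 2025)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]

def find_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (failure_count, sorted_usernames)} for every source whose
    failed logins reach `threshold` within any sliding window of `window`."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(log_text):
        events[ip].append((ts, user))
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # slide the window forward past stale failures
            if end - start + 1 >= threshold:
                users = {u for _, u in evs[start:end + 1]}
                flagged[ip] = (end - start + 1, sorted(users))
                break
    return flagged
```

Flagged sources are candidates for the fail2ban-style blocking described above; the distinct-username list helps separate credential guessing from a single user mistyping a password.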