Critical Alert
IP address 172.190.142.176 is a critical-risk address with a threat-level score of 10/10, operating from Microsoft's AS8075 network in the United States and exhibiting a sustained, high-frequency pattern of web-application credential attacks spanning August 2025 through May 2026.
Automated honeypot sensors filed a combined 414 reports attributing this IP to malicious activity, with 20 distinct reporting nodes contributing data over the nine-month observation window. The dominant threat profile consists of WordPress login brute-force attempts and WordPress admin panel brute-force attacks, which together account for the overwhelming majority of recent reports. Supplemental detections include general web-app probing and brute-force activity. Fail2ban telemetry from exposed servers reveals a layered attack pattern: repeated Drupal admin probe sequences (20 violations per event cycle) interleaved with escalating WordPress brute-force campaigns (50 and 58 violations in successive events) and at least one recidive-stage detection marking a multi-jail offender, indicating the source continued attempting access after its initial blocks.
The concentration on WordPress admin interfaces and Drupal administrative paths signals a coordinated credential-stuffing and admin-panel enumeration campaign targeting two of the most widely deployed content-management platforms on the internet. A successful brute-force against a WordPress admin account grants attackers site-wide control, enabling malware deployment, data exfiltration, and further network pivoting. The simultaneous Drupal probing demonstrates the campaign is broad in scope, attempting to compromise multiple platform types rather than a single application target.
Site operators running WordPress or Drupal instances should block this address at the firewall or load-balancer level immediately. Enforcing strong, unique admin passwords alongside two-factor authentication for all administrative interfaces substantially raises the cost of a successful credential attack. Implementing fail2ban or equivalent intrusion-prevention tools with strict retry thresholds and temporary ban durations will auto-block repeated login failures. Deploying a web application firewall rule set that rate-limits login and admin-path requests per source IP adds a further mitigation layer against the observed multi-vector enumeration pattern. Continuous monitoring of authentication logs for the signature sequences described above will enable rapid identification of follow-up or reassigned source addresses.
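One way to model the retry-threshold banning and recidive escalation recommended above, as an added example that is not part of the original alert and not fail2ban's own code: the script below parses constructed Apache combined-format access-log lines, classifies WordPress and Drupal login or admin-path failures, keeps a sliding failure window per source the way a fail2ban jail does (`maxretry`, `findtime`, `bantime`), and feeds each ban into a second, recidive-style jail that flags sources banned in more than one jail. The source address is the one named in the alert; the timestamps, paths, user agents, the second and third addresses, and the threshold values are all made up for the demo. Treating a `POST` to a login endpoint that returns `200` as a failed attempt (both platforms redirect on success) is an assumption about the sample, not a universal rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines. Only the first address comes from the
# alert; everything else (times, paths, agents, other IPs) is made up.
SAMPLE_LOG = "\n".join([
    '172.190.142.176 - - [03/May/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '172.190.142.176 - - [03/May/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '172.190.142.176 - - [03/May/2026:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"',
    '172.190.142.176 - - [03/May/2026:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '172.190.142.176 - - [03/May/2026:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [03/May/2026:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '172.190.142.176 - - [03/May/2026:10:05:00 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '172.190.142.176 - - [03/May/2026:10:05:02 +0000] "GET /admin/config HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '172.190.142.176 - - [03/May/2026:10:05:04 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '172.190.142.176 - - [03/May/2026:10:05:06 +0000] "POST /user/login HTTP/1.1" 200 5120 "-" "python-requests/2.31"',
    '172.190.142.176 - - [03/May/2026:10:05:08 +0000] "GET /admin/people HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '203.0.113.9 - - [03/May/2026:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
])

# Minimal combined-log-format parser: source IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Per-platform signatures: login endpoints (a 200 on POST means the form was
# re-served, i.e. the attempt failed) and admin prefixes (401/403 = probe denied).
RULES = {
    "wordpress": {"login": ("/wp-login.php", "/xmlrpc.php"), "admin": ("/wp-admin/",)},
    "drupal": {"login": ("/user/login",), "admin": ("/admin/",)},
}


def classify(method, path, status):
    """Return the jail name a request belongs to, or None if it is not a failure."""
    base = path.split("?", 1)[0]
    for jail, rule in RULES.items():
        if method == "POST" and base in rule["login"] and status == 200:
            return jail
        if base.startswith(rule["admin"]) and status in (401, 403):
            return jail
    return None


class Jail:
    """Sliding-window ban logic in the style of a fail2ban jail (simplified)."""

    def __init__(self, name, maxretry, findtime, bantime):
        self.name, self.maxretry, self.findtime, self.bantime = name, maxretry, findtime, bantime
        self.failures = defaultdict(list)  # ip -> failure timestamps inside findtime
        self.banned_until = {}             # ip -> datetime the ban expires
        self.bans = []                     # (ip, ban timestamp) in order

    def observe(self, ip, ts):
        """Record one failure; return True if it pushes the source over maxretry."""
        if ip in self.banned_until and ts < self.banned_until[ip]:
            return False  # already blocked; nothing new to count
        cutoff = ts - self.findtime
        window = [t for t in self.failures[ip] if t >= cutoff] + [ts]
        if len(window) >= self.maxretry:
            self.banned_until[ip] = ts + self.bantime
            self.bans.append((ip, ts))
            self.failures[ip] = []   # reset so a later ban needs fresh failures
            return True
        self.failures[ip] = window
        return False


def analyze(log_text, maxretry=5, findtime=timedelta(minutes=10), bantime=timedelta(hours=1)):
    """Run the sample log through per-platform jails plus a recidive jail."""
    jails = {name: Jail(name, maxretry, findtime, bantime) for name in RULES}
    # Recidive: two bans (from any jail) within a day earn a week-long block.
    recidive = Jail("recidive", 2, timedelta(days=1), timedelta(weeks=1))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        jail = classify(m["method"], m["path"], int(m["status"]))
        if jail and jails[jail].observe(m["ip"], ts):
            recidive.observe(m["ip"], ts)
    return {
        "bans": {name: j.bans for name, j in jails.items()},
        "recidive": [ip for ip, _ in recidive.bans],
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for jail, bans in result["bans"].items():
        for ip, ts in bans:
            print(f"[{jail}] ban {ip} at {ts.isoformat()}")
    for ip in result["recidive"]:
        print(f"[recidive] multi-jail offender {ip}")
```

With the sample above, the source crosses the WordPress threshold on its fifth login failure, crosses the Drupal threshold a few minutes later through a mix of login failures and denied `/admin/` probes, and is then promoted to the recidive jail because it was banned twice inside the recidive window, which is the layered pattern the telemetry section describes. The successful (302) login from the second address and the ordinary page view from the third never enter a window, so legitimate traffic is not counted. Thresholds here are deliberately small for illustration; in production, `findtime` and `bantime` should be tuned to the site's real login cadence.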