Critical Threat
IP 202.189.224.58 is a critical-risk address originating from India that has been classified as an exploited host in 20 distinct honeypot detections, indicating this machine has been compromised and is actively being weaponised by threat actors without its owner's knowledge. With 239 total abuse reports logged between August 2025 and March 2026, this IP presents a severe and persistent threat to any exposed network infrastructure.
The detection data stems exclusively from 20 automated honeypot sensors, which captured evidence of malware and exploit activity including Suricata alerts flagging potentially unsafe SMBv1 protocol usage. The IP is registered to Tata Teleservices Maharashtra Ltd operating on ASN AS17762 within Indian address space. Despite the high volume of historical reports, the activity frequency metric reads at zero out of ten, suggesting the most aggressive attack campaigns may have subsided or shifted to alternative infrastructure. The classification confidence of 59 percent indicates some uncertainty in attribution, though the concentration of exploited host reports strongly supports the conclusion that this address is compromised rather than operator-controlled.
An exploited host classification is particularly dangerous because the machine functions as an unwitting proxy for malicious activity, meaning the origin operator has no awareness of or control over the attacks emanating from their infrastructure. SMBv1 protocol activity is especially concerning given its well-documented vulnerabilities to remote code execution, historically exploited in large-scale ransomware and worm campaigns. The dual presence of malware activity and hacking indicators suggests the compromised system may be running multiple malicious payloads simultaneously, potentially forming part of a botnet or being used for lateral movement against additional targets.
Site operators should immediately block IP 202.189.224.58 at the network perimeter and configure intrusion detection systems to alert on any inbound connections from this address. Systems running SMBv1 should be audited and the protocol disabled where feasible, as it is a known attack vector. Deploying tools such as fail2ban or equivalent rate-limiting mechanisms can reduce the impact of any residual scanning activity. Operators who identify this IP in their logs should treat it as a confirmed compromise indicator and conduct internal host forensic analysis to rule out secondary infections.