Substantial Risk
IP 65.49.1.172 is a high-risk address with a threat level of 8 out of 10, operated through Hurricane Electric's AS6939 network in the United States. This IP has generated 570 total abuse reports across 20 automated honeypot sensors since August 2025, with activity continuing through June 2026, making it one of the most persistently reported addresses in recent threat intelligence. The dominant threat category is general hacking activity, supplemented by exploitation of vulnerable hosts and targeted attacks against Internet of Things infrastructure.
The evidence indicates sustained, multi-vector hostile activity originating from this address. Of the 570 reports, 17 document general hacking attempts including unauthorized access attempts and exploitation activity, while 2 reports confirm the IP has been used as an exploited host platform and 1 report specifically notes IoT targeting. Suricata sensors detected both spurious TCP retransmission anomalies and application-layer protocol mismatches, patterns commonly associated with reconnaissance and exploit delivery. The Redis attack pattern detected suggests the infrastructure is being leveraged for database-focused intrusion attempts. With an activity frequency rated 8 out of 10, this represents persistent automated scanning rather than opportunistic or isolated probing.
Hacking activity of this magnitude poses concrete risks to exposed services. The combination of TCP manipulation, protocol confusion, and database-targeted attacks indicates threat actors seeking to compromise servers, exfiltrate data, or enroll the target in botnet infrastructure. The presence of exploited-host behavior suggests either that this IP has itself been compromised and is being used as a pivot point by external attackers, or that it is infrastructure deliberately weaponized for sustained campaigns. Organizations with exposed Redis instances, legacy IoT devices, or unpatched services face the highest exposure to the attack patterns documented as originating from this source.
Site operators should immediately block 65.49.1.172 at the network perimeter and monitor logs for any associated connection attempts. Implement fail2ban or equivalent rate-limiting rules to automatically block repeated authentication failures. Ensure all Redis deployments are firewalled from external access and require strong authentication. Patch exposed services, segment IoT devices onto isolated network zones, and disable unnecessary protocols that facilitate the protocol-mismatch attacks observed. Consider filing an abuse report with Hurricane Electric to alert the network operator to the malicious activity originating from their infrastructure.