Critical Alert
IP 71.6.199.65 is a critical-risk address, assessed at threat level 10/10, with 248 abuse reports submitted through automated honeypot sensors over approximately nine months between August 2025 and May 2026. Operating from AS10439 under CARINET in the United States, this IP demonstrates a high activity frequency of 8/10 and has been implicated predominantly in hacking activity and exploited-host behavior, indicating that the address is likely being used to conduct automated attacks against exposed network infrastructure.
The volume and diversity of malicious patterns detected from 71.6.199.65 are significant. Honeypot sensors flagged repeated SMB probes using malformed request dialects, SSH session establishment attempts on common ports, scanning activity identified by a Zmap user-agent as reconnaissance, web application probing captured by ElasticPot-style sensors, and explicit Redis attack patterns. The co-occurrence of these distinct threat vectors (port scanning, exploitation attempts and compromised-host activity) suggests a sophisticated, multi-purpose attack platform rather than opportunistic noise. With 20 independent honeypot sources reporting this IP and a confidence score of 76%, the evidence base is robust and consistent across multiple detection methodologies.
The dominant threat profile combines reconnaissance scanning with active exploitation attempts. Port scanning enables attackers to map open services and identify vulnerable entry points before launching targeted exploits. The presence of SMB and SSH probing indicates interest in lateral movement and credential-based access, while the Redis attack patterns suggest attempts to compromise in-memory database services commonly exposed in cloud and container environments. The exploited-host classification implies this IP may itself be running attacker-controlled tooling, making it a recurring source of automated threats against any accessible service on the public internet.
Site operators should treat connections originating from 71.6.199.65 as hostile and block them at the network perimeter firewall or web application firewall layer. Implementing fail2ban or equivalent dynamic blocklist tooling that monitors authentication logs for brute-force patterns will further reduce exposure. Exposure of services such as SSH, SMB and Redis to untrusted networks should be minimised through firewall rules restricting source IP ranges, and all such services should be kept fully patched. Providers hosting this IP should consider reviewing their abuse-handling procedures to address potential compromise of the customer or device generating this traffic.