Extreme Threat
IP 79.168.139.28 is a critical-risk address announced by the Portuguese telecommunications provider Nos Comunicacoes, S.A. (AS2860). It carries the maximum threat score of 10/10 on the strength of 242 separate abuse reports submitted over roughly five months, between November 2025 and April 2026, which points to sustained malicious activity against internet-facing infrastructure rather than a one-off event.
Automated honeypot sensors at 20 distinct detection points recorded the overwhelming majority of incidents as SSH-related intrusion attempts, with the remaining reports categorised as exploited-host activity and general hacking behaviour. The reported attack patterns show repeated SSH brute-force credential guessing, corroborated by multiple fail2ban log excerpts of systematic password-guessing attempts against SSH services. The Suricata detections cited alongside them are of the informational "SSH session in progress on expected port" kind: that signature fires on the SSH protocol handshake on port 22 and therefore confirms that the address completed SSH connections to the sensors, not that any authentication succeeded. Despite the high report volume, the activity frequency metric of 0/10 suggests the address concentrated its attempts in distinct operational windows rather than maintaining continuous pressure, a pattern consistent with opportunistic scanning from a host that is only intermittently tasked. The 68% confidence score reflects the usual uncertainty in attribution, though the number of independent sensors reporting the same behaviour strongly supports the assessed threat profile.
SSH brute-force attacks remain one of the most common initial-access vectors on the internet, exploiting weak, reused or default credentials to obtain shell access to servers. When an address like 79.168.139.28 is additionally reported as an exploited host, reporters judged that the machine itself has been compromised and is being driven by a third party, most likely without the subscriber's knowledge; the party controlling the attacks may therefore be anywhere, and the Portuguese network is only the last hop. The SSH-session signatures show that connections were established and reached the authentication exchange, which is true of every brute-force attempt and does not by itself indicate that a login succeeded. Whether any credentials were accepted can only be determined from the target's own authentication logs. If one was, the consequences are the usual ones for a compromised SSH account: unauthorised server access, data exfiltration, and lateral movement within the victim network.
Network defenders should block 79.168.139.28 at the firewall or edge ACL given its sustained malicious history. SSH services should be hardened by setting PermitRootLogin to no, disabling password authentication in favour of key-based authentication only, and optionally moving the daemon off port 22; the port change is security through obscurity and only cuts down on automated noise, so it must not be mistaken for a substitute for the other two settings. Deploying fail2ban (or an equivalent) to ban sources after a configured number of authentication failures within a time window adds an automated layer of defence against brute-force campaigns, though it only limits guessing rate and cannot protect an account whose password is already guessable. Organisations that find this IP in their logs should search for any "Accepted password" or "Accepted publickey" entry from it; a successful login from this address should be treated as an incident, with the affected credentials rotated and the host checked for persistence such as added authorized_keys entries or cron jobs. The apparent compromise should be reported to the abuse contact for AS2860 (or to your own hosting provider if the source turns out to be your infrastructure), and all SSH daemons should remain patched against known vulnerabilities that could provide a second route to unauthorised access.
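The log-triage step described above, shown as working code: an added example that is not part of the original page or of any product behind it. It parses sshd lines in the traditional /var/log/auth.log syslog format, reproduces the core of the fail2ban sshd jail decision (maxretry failures from one source within findtime seconds leads to a ban; a simplified sliding window, not fail2ban's own code), and separately lists every accepted login from the flagged address, which is the check the audit advice calls for. The log lines, hostnames, usernames and the year 2026 used to complete the syslog timestamps are all constructed for the example; only 79.168.139.28 comes from the page.

```python
"""Triage sshd authentication log lines for a flagged source address.

Added example, not code from the original page. Emulates a fail2ban-style
ban decision for the sshd jail (maxretry failures within findtime seconds)
and flags accepted logins from the address under investigation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FLAGGED_IP = "79.168.139.28"  # the address from the report

# Constructed sample of /var/log/auth.log lines (hostnames, users and
# ports are invented for the example). 203.0.113.9 and 198.51.100.7 are
# RFC 5737 documentation addresses used as unrelated sources.
SAMPLE_LOG = """\
Apr 14 01:00:00 bastion sshd[2101]: Failed password for root from 79.168.139.28 port 51612 ssh2
Apr 14 03:10:01 bastion sshd[2310]: Failed password for invalid user admin from 79.168.139.28 port 52118 ssh2
Apr 14 03:10:05 bastion sshd[2312]: Failed password for invalid user oracle from 79.168.139.28 port 52130 ssh2
Apr 14 03:10:09 bastion sshd[2314]: Failed password for root from 79.168.139.28 port 52144 ssh2
Apr 14 03:10:11 bastion sshd[2316]: Failed password for deploy from 203.0.113.9 port 40022 ssh2
Apr 14 03:10:13 bastion sshd[2318]: Failed password for deploy from 79.168.139.28 port 52151 ssh2
Apr 14 03:10:17 bastion sshd[2320]: Failed password for deploy from 79.168.139.28 port 52160 ssh2
Apr 14 03:11:02 bastion sshd[2330]: Accepted password for deploy from 79.168.139.28 port 52177 ssh2
Apr 14 03:11:09 bastion sshd[2330]: pam_unix(sshd:session): session opened for user deploy(uid=1001) by (uid=0)
Apr 14 03:15:40 bastion sshd[2402]: Accepted publickey for ops from 198.51.100.7 port 60011 ssh2
"""

# Only "Failed ..." lines are counted as attempts. sshd also logs a separate
# "Invalid user X from IP" line for unknown accounts; counting both would
# double-count a single attempt, so that form is deliberately not matched.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+")
TS_RE = re.compile(r"^(?P<ts>\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_ts(line, year=2026):
    """Syslog timestamps carry no year; the caller supplies one (assumed here)."""
    m = TS_RE.match(line)
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")


def parse_events(lines):
    """Return (timestamp, ip, kind, user) tuples for failed/accepted auth lines."""
    events = []
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            events.append((parse_ts(line), m.group("ip"), "failed", None))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append((parse_ts(line), m.group("ip"), "accepted", m.group("user")))
    return events


def fail2ban_bans(events, maxretry=5, findtime=600):
    """Sliding-window ban decision: {ip: ISO time of the failure that triggered the ban}.

    Failures older than findtime seconds are dropped from the window before
    counting, so a stale failure hours earlier does not contribute.
    """
    window = defaultdict(list)
    bans = {}
    for ts, ip, kind, _ in sorted(events, key=lambda e: e[0]):
        if kind != "failed" or ip in bans:
            continue
        window[ip] = [t for t in window[ip] if ts - t <= timedelta(seconds=findtime)]
        window[ip].append(ts)
        if len(window[ip]) >= maxretry:
            bans[ip] = ts.isoformat()
    return bans


def accepted_logins(events, ip):
    """Every accepted login from ip, as (ISO time, user) pairs."""
    return [(ts.isoformat(), user) for ts, src, kind, user in events
            if src == ip and kind == "accepted"]


def triage(log_text, flagged_ip, maxretry=5, findtime=600):
    """Summarise what the log says about flagged_ip."""
    events = parse_events(log_text.splitlines())
    bans = fail2ban_bans(events, maxretry, findtime)
    return {
        "banned_at": bans.get(flagged_ip),
        "failed_attempts": sum(1 for e in events if e[1] == flagged_ip and e[2] == "failed"),
        "accepted_logins": accepted_logins(events, flagged_ip),
        "other_banned": sorted(ip for ip in bans if ip != flagged_ip),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG, FLAGGED_IP).items():
        print(f"{key}: {value}")
```

Against the sample, the stale 01:00 failure falls outside the 600-second window, so the ban is triggered by the fifth in-window failure at 03:10:17, and the accepted password login for deploy at 03:11:02 is reported separately. That second finding is the one that matters: in a deployment where fail2ban was actually running, the 03:11 connection would have been refused, so an accepted login after a run of failures means either the ban tooling was absent or the attacker rotated source addresses, and in both cases the deploy account's password was guessable and must be rotated.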