Severe Risk
IP 85.11.167.7 is a critical-risk address originating from Bulgaria, operated by ColocaTel Inc. under ASN AS213438. It has generated 311 abuse reports across automated honeypot sensors over a four-month window from March to June 2026, with a dominant pattern of PostgreSQL brute-force intrusion attempts indicating sustained, automated credential-cracking activity against database authentication endpoints.
The subject IP achieved a near-perfect 98% confidence score across 20 separate honeypot sensor detections, with an activity frequency rated 8 out of 10, reflecting persistent rather than sporadic engagement. The report corpus breaks down into 15 general hacking-category incidents and 9 brute-force-specific events, collectively painting a picture of an address dedicated to database-layer intrusion. The sustained four-month reporting period from first to last detection demonstrates deliberate, ongoing operation rather than opportunistic scanning, with 311 total reports indicating high-volume automated tooling deployed against exposed PostgreSQL services across multiple target environments.
The PostgreSQL brute-force activity observed against this IP represents a concrete credential-stuffing threat: automated tools systematically cycling through authentication attempts against database login interfaces, aiming to compromise administrative or application database accounts. A successful breach would grant attackers direct access to sensitive data stores, enabling data exfiltration, lateral movement into connected applications, or deployment of secondary payloads. The "attack connection" pattern notation confirms active session establishment attempts, not merely port scanning, elevating the immediacy of risk for any PostgreSQL instance exposed to this address.
Operators running PostgreSQL or related database services should block IP 85.11.167.7 at the network perimeter firewall level and implement strict connection allowlisting. Enabling multi-factor authentication for database administrative access and enforcing strong, non-default credentials significantly raises the cost of successful brute-force campaigns. Configuring account lockout thresholds and leveraging tools such as fail2ban or equivalent intrusion-prevention systems to automatically and temporarily block repeated authentication failures from this source will disrupt the observed pattern. Continuous monitoring of authentication logs for source IP 85.11.167.7 remains advisable given the sustained nature of reports.