IP Threat Report
13.206.85.180
ABUSE.MOM — BEHAVE OR GET EXPOSED
Geolocation & Classification
Detection Signatures
| Signature | Description | Points | Severity |
|---|---|---|---|
| Danger strong hits: 299 | High-risk paths: shells, RCE vectors, exploits | +100 | |
| Danger medium hits: 34 | Medium-risk: admin panels, config files | +60 | |
| 404 ratio 40-60% | Majority of requests returned 404 — enumeration | +15 | |
| Burst: 18 req / 2s | Abnormally fast request rate — automated scanning | +35 | |
| Burst: 66 req / 10s | Abnormally fast request rate — automated scanning | +35 | |
| POST requests present | Behavioral anomaly detected by automated analysis | +8 | |
| Danger strong hits: 150 | High-risk paths: shells, RCE vectors, exploits | +100 | |
| Danger medium hits: 30 | Medium-risk: admin panels, config files | +60 | |
| 404 ratio >= 60% | Majority of requests returned 404 — enumeration | +25 | |
| Burst: 19 req / 2s | Abnormally fast request rate — automated scanning | +35 | |
| Burst: 68 req / 10s | Abnormally fast request rate — automated scanning | +35 |
Observed Activity
Reconstructed HTTP requests from server access logs. Target domains redacted for security.
* Typical request patterns for detected signatures. Actual target domains are redacted.
Timeline
Network Provider
Recommendations
Actions taken & recommended
- IP 13.206.85.180 is blocked at application level (HTTP 403)
- Consider blocking at firewall level (iptables/CSF) to reduce server load
- Report abuse to the network provider via their abuse contact
- Ensure sensitive files (.env, .git, backups) are not accessible from the web
🔎 Path Enumeration Protection
Block scanning from 13.206.85.180: rate-limit 404 responses per IP, deploy a honeypot 404 page, ensure no backup files are web-accessible.
🌊 Flood / DDoS Mitigation
Implement limit_req_zone in nginx. Deploy CDN with DDoS protection. Configure SYN cookies and connection tracking to throttle 13.206.85.180.
Open Ports & Services
Network reconnaissance data from Shodan. Open ports may indicate running services, misconfigurations, or potential attack surfaces.
| Port | Service | Risk | Description |
|---|---|---|---|
| 4021 | Unknown | Low | Service on port 4021 |
| 5222 | Unknown | Low | Service on port 5222 |
| 9139 | Unknown | Low | Service on port 9139 |
| 10090 | Unknown | Low | Service on port 10090 |
| 13414 | Unknown | Low | Service on port 13414 |
| 49152 | Unknown | Low | Service on port 49152 |
| CVE ID | Link |
|---|---|
| CVE-2024-42516 | NVD → |
| CVE-2024-24795 | NVD → |
| CVE-2019-10247 | NVD → |
| CVE-2026-22796 | NVD → |
| CVE-2009-3765 | NVD → |
| CVE-2020-7656 | NVD → |
| CVE-2024-38474 | NVD → |
| CVE-2024-0727 | NVD → |
| CVE-2023-0464 | NVD → |
| CVE-2024-43204 | NVD → |
| CVE-2022-2047 | NVD → |
| CVE-2026-22795 | NVD → |
| CVE-2013-2765 | NVD → |
| CVE-2023-0465 | NVD → |
| CVE-2025-49630 | NVD → |
| CVE-2021-34428 | NVD → |
| CVE-2025-53020 | NVD → |
| CVE-2022-4450 | NVD → |
| CVE-2024-40898 | NVD → |
| CVE-2023-0466 | NVD → |
| CVE-2009-2299 | NVD → |
| CVE-2025-65082 | NVD → |
| CVE-2022-2048 | NVD → |
| CVE-2012-3526 | NVD → |
| CVE-2024-38475 | NVD → |
🔴 Security scanning identified 93 vulnerability entries on this host. This volume strongly suggests severely outdated software. Consult NVD advisories for details.
Data source: Shodan InternetDB. Scanned independently of abuse.mom.
Blacklist Status (DNSBL)
This IP was checked against major DNS-based blacklists used by mail servers and firewalls worldwide.
Checked: Spamhaus, SpamCop, Barracuda, SORBS, CBL, UCEProtect. Results may change over time.
Threat Analysis
13.206.85.180 has been assigned a threat score of 263/100 (Critical). With this rating, the IP falls into the critical severity bracket — among the most dangerous addresses in our monitoring database.
The following attack categories were identified:
📊 Threat Analysis
Our monitoring infrastructure has identified 13.206.85.180, geolocated to Mumbai, India, operating on the network of Amazon.com, Inc., as a source of suspicious network activity. Our sensors captured 2 malicious requests from this address across a 1-day span, reflecting a sustained attack cadence of ~2 requests per day. Classified as a hosting IP, this address likely runs on a rented server or cloud instance. Attackers prefer datacenter IPs for their high bandwidth and disposable nature. The dual attack vectors of Path Enumeration combined with Request Flooding indicate a coordinated assault rather than opportunistic scanning. India currently accounts for 20 blocked IPs in our database, making it a notable source of malicious traffic. With a threat score of 263/100, this IP is among the most dangerous addresses in our database. Immediate and complete blocking is strongly recommended.
This IP belongs to a hosting or data center provider. Malicious traffic from hosting infrastructure often originates from compromised VPS instances, rented servers used for scanning campaigns, or abused free-tier cloud accounts. Hosting providers typically respond to abuse reports within 24-72 hours.
Related Threats
Security Intelligence
💡 WordPress-Specific Attack Vectors
WordPress sites face constant automated attacks targeting xmlrpc.php for brute force amplification, wp-login.php for credential theft, and vulnerable plugins for remote code execution. Over 90% of CMS-based attacks specifically target WordPress installations.
💡 Mobile Network Threat Landscape
Mobile carrier NAT (CGNAT) means thousands of users share a single public IP, making mobile IPs unreliable for reputation scoring. However, mobile networks are increasingly used as attack platforms through compromised apps and malicious SDKs.