Dashboard›🇫🇷 France›141.94.20.103

THREAT REPORT

IP Threat Report
141.94.20.103

ABUSE.MOM — BEHAVE OR GET EXPOSED

Generated: 2026-05-22 11:21:58

First seen: 2026-03-08 18:00:05

Last seen: 2026-03-27 11:00:06

Geolocation & Classification

IP Address

141.94.20.103

Type

Hosting

Country

🇫🇷 France

City

Gravelines

ISP

OVH SAS

Organization

OVH

Autonomous System

AS16276 OVH SAS

Hit Count

Detection Signatures

Signature	Description	Points
Danger strong hits: 1	High-risk paths: shells, RCE vectors, exploits	+25
404 ratio >= 60%	Majority of requests returned 404 — enumeration	+25
Danger strong hits: 3	High-risk paths: shells, RCE vectors, exploits	+75
Foreign referer seen	Referer from unrelated external domain	+10

Σ = 135

Observed Activity

Reconstructed HTTP requests from server access logs. Target domains redacted for security.

[redacted]

GET

200

Requests shown: 1 · HTTP 404: 0 · Dangerous patterns: 0

* Typical request patterns for detected signatures. Actual target domains are redacted.

Timeline

2026-03-08 18:00:05

First malicious request detected

IP entered monitoring from server access logs

During observation

Multiple detection signatures triggered

Danger strong hits: 1 (+25), 404 ratio >= 60% (+25), Danger strong hits: 3 (+75)

2026-03-27 11:00:06

Last malicious request observed

Total score reached: 85/100

Next cycle

IP blocked — all subsequent requests denied (HTTP 403)

Added to blocklist automatically

Network Provider

OVH SAS

AS16276 · 🇫🇷 France

Recommendations

Actions taken & recommended

IP 141.94.20.103 is blocked at application level (HTTP 403)
Consider blocking at firewall level (iptables/CSF) to reduce server load
Report abuse to the network provider via their abuse contact
Ensure sensitive files (.env, .git, backups) are not accessible from the web

🔎 Path Enumeration Protection

Block scanning from 141.94.20.103: rate-limit 404 responses per IP, deploy a honeypot 404 page, ensure no backup files are web-accessible.

Open Ports & Services

Network reconnaissance data from Shodan. Open ports may indicate running services, misconfigurations, or potential attack surfaces.

OPEN PORTS (17)

Port	Service	Risk	Description
21	FTP	Medium	File Transfer Protocol — often targeted for anonymous login attacks
22	SSH	Low	Secure Shell — common brute force target for remote access
53	DNS	Low	DNS server — potential for DNS amplification attacks
80	HTTP	Low	HTTP web server — standard web traffic
110	POP3	Low	Service on port 110
111	Unknown	Low	Service on port 111
143	IMAP	Low	Service on port 143
443	HTTPS	Low	HTTPS web server — encrypted web traffic
465	Unknown	Low	Service on port 465
587	Unknown	Low	Service on port 587
993	IMAPS	Low	Service on port 993
2077	Unknown	Low	Service on port 2077
2082	Unknown	Low	Service on port 2082
2083	Unknown	Low	Service on port 2083
2086	Unknown	Low	Service on port 2086
2087	Unknown	Low	Service on port 2087
5353	Unknown	Low	Service on port 5353

⚠️ 1 high-risk port detected on 141.94.20.103. These services should not be publicly accessible without strict firewall rules.

DETECTED TECHNOLOGIES

canonical:ubuntu_linuxexim:exim:4.99.1openbsd:openssh:9.9p1apache:http_server

Hostnames: favoria.frwww.favoria.frvps-1c4a4d34.vps.ovh.net

PTR: favoria.fr

Data source: Shodan InternetDB. Scanned independently of abuse.mom.

Blacklist Status (DNSBL)

This IP was checked against major DNS-based blacklists used by mail servers and firewalls worldwide.

✓ Clean

Spamhaus ZEN

Checked: Spamhaus, SpamCop, Barracuda, SORBS, CBL, UCEProtect. Results may change over time.

Threat Analysis

141.94.20.103 has been assigned a threat score of 85/100 (Critical). With this rating, the IP falls into the critical severity bracket — among the most dangerous addresses in our monitoring database.

The following attack categories were identified:

Path Enumeration

📊 Threat Analysis

Our monitoring infrastructure has identified 141.94.20.103, geolocated to Gravelines, France, operating on the network of OVH SAS, as a source of suspicious network activity. The address has been active for 18 days in our monitoring system, producing 14 flagged requests at a rate of ~0.8/day. The IP is classified as hosting/datacenter infrastructure, commonly associated with rented servers used for automated attack campaigns, botnet command-and-control, or vulnerability scanning at scale. The IP exhibits directory enumeration behavior, systematically requesting non-existent paths to discover hidden files and misconfigured resources. With 125 flagged addresses, France represents a significant presence in our threat database. At 85/100, this IP warrants immediate defensive action.

This IP belongs to a hosting or data center provider. Malicious traffic from hosting infrastructure often originates from compromised VPS instances, rented servers used for scanning campaigns, or abused free-tier cloud accounts. Hosting providers typically respond to abuse reports within 24-72 hours.

Related Threats

🇫🇷 Top threats from France

185.177.72.67 (348)185.177.72.10 (348)185.177.72.69 (348)185.177.72.29 (348)185.177.72.16 (348)View all →

🏢 Same network: AS16276

51.38.99.224 (280)151.243.236.245 (275)54.37.156.148 (273)146.59.235.113 (263)51.83.98.78 (255)View all →

Security Intelligence

💡 Command Injection Techniques

Command injection occurs when attackers insert operating system commands through application inputs. Successful exploitation grants direct server access, enabling data theft, malware installation, and lateral movement across networks.

💡 Automated Incident Response

Automated response systems can block threats in milliseconds, far faster than human analysts. However, automation requires careful safeguards — rate limits on blocking actions, automatic expiration, and human review queues prevent automated systems from causing self-inflicted outages.

🔍 Check Any IP Address

Share this report:

IP Threat Report141.94.20.103

⛔ Verdict: BLOCK