
ABUSE.MOM — BEHAVE OR GET EXPOSED
| Signature | Description | Points | Severity |
|---|---|---|---|
| Danger strong hits: 2 | High-risk paths: shells, RCE vectors, exploits | +50 | |
| Danger medium hits: 2 | Medium-risk: admin panels, config files | +20 | |
| Danger medium hits: 1 | Medium-risk: admin panels, config files | +10 | |
| 404 ratio 40-60% | Majority of requests returned 404 — enumeration | +15 | |
| Foreign referer seen | Referer from unrelated external domain | +10 | |
Reconstructed HTTP requests from server access logs. Target domains redacted for security.
* Typical request patterns for detected signatures. Actual target domains are redacted.
Block scanning from 157.20.82.7: rate-limit 404 responses per IP, deploy a honeypot 404 page, ensure no backup files are web-accessible.
Network reconnaissance data from Shodan. Open ports may indicate running services, misconfigurations, or potential attack surfaces.
| Port | Service | Risk | Description |
|---|---|---|---|
| 21 | FTP | Medium | File Transfer Protocol — often targeted for anonymous login attacks |
| 22 | SSH | Low | Secure Shell — common brute force target for remote access |
| 25 | SMTP | Medium | SMTP mail server — can be abused for spam relay |
| 53 | DNS | Low | DNS server — potential for DNS amplification attacks |
| 80 | HTTP | Low | HTTP web server — standard web traffic |
| 111 | Unknown | Low | Service on port 111 |
| 143 | IMAP | Low | Service on port 143 |
| 443 | HTTPS | Low | HTTPS web server — encrypted web traffic |
| 465 | Unknown | Low | Service on port 465 |
| 587 | Unknown | Low | Service on port 587 |
| 993 | IMAPS | Low | Service on port 993 |
| 995 | POP3S | Low | Service on port 995 |
| 3306 | MySQL | High | MySQL database — should never be exposed to the internet |
| 8080 | HTTP-Alt | Low | HTTP alternative port — often used for admin panels or proxies |
| 8081 | Unknown | Low | Service on port 8081 |
⚠️ 2 high-risk ports detected on 157.20.82.7. These services should not be publicly accessible without strict firewall rules.
| CVE ID | Link |
|---|---|
| CVE-2017-15906 | NVD → |
| CVE-2008-3844 | NVD → |
| CVE-2026-35414 | NVD → |
| CVE-2022-3620 | NVD → |
| CVE-2019-6111 | NVD → |
| CVE-2023-42116 | NVD → |
| CVE-2007-2768 | NVD → |
| CVE-2024-39929 | NVD → |
| CVE-2022-3559 | NVD → |
| CVE-2018-15919 | NVD → |
| CVE-2023-51385 | NVD → |
| CVE-2025-67896 | NVD → |
| CVE-2023-42119 | NVD → |
| CVE-2020-14145 | NVD → |
| CVE-2018-20685 | NVD → |
| CVE-2023-51766 | NVD → |
| CVE-2023-51767 | NVD → |
| CVE-2021-36368 | NVD → |
| CVE-2016-20012 | NVD → |
| CVE-2020-15778 | NVD → |
| CVE-2022-37451 | NVD → |
| CVE-2018-15473 | NVD → |
| CVE-2025-26465 | NVD → |
| CVE-2023-42114 | NVD → |
| CVE-2021-41617 | NVD → |
🔴 Security scanning identified 32 vulnerability entries on this host. This volume strongly suggests severely outdated software. Consult NVD advisories for details.
Data source: Shodan InternetDB. Scanned independently of abuse.mom.
This IP was checked against major DNS-based blacklists used by mail servers and firewalls worldwide.
Checked: Spamhaus, SpamCop, Barracuda, SORBS, CBL, UCEProtect. Results may change over time.
157.20.82.7 has been assigned a threat score of 85/100 (Critical). Immediate blocking is strongly advised across all network perimeters.
The following attack categories were identified:
Our monitoring infrastructure has identified 157.20.82.7, geolocated to Vinhomes Ocean Park, Vietnam, operating on the network of Interdigi Joint Stock Company, as a source of suspicious network activity. The address has been active for 1 day in our monitoring system, producing 2 flagged requests at a rate of ~2/day. The IP is classified as hosting/datacenter infrastructure, commonly associated with rented servers used for automated attack campaigns, botnet command-and-control, or vulnerability scanning at scale. Active path scanning has been detected — this IP probes for hundreds of common file and directory names. With 101 flagged addresses, Vietnam represents a significant presence in our threat database. A threat score of 85/100 places this IP in the high-risk category. Blocking at the firewall level is recommended.
This IP belongs to a hosting or data center provider. Malicious traffic from hosting infrastructure often originates from compromised VPS instances, rented servers used for scanning campaigns, or abused free-tier cloud accounts. Hosting providers typically respond to abuse reports within 24-72 hours.
Path traversal attacks attempt to access files outside the intended directory by manipulating file path references. Attackers use sequences like ../ to reach sensitive system files such as /etc/passwd or application configuration files.
When multiple IPs in a subnet show malicious behavior, subnet blocking efficiently neutralizes the threat. However, overly broad blocking risks impacting legitimate users. Analysis of subnet ownership and historical behavior guides appropriate blocking scope.