IP Threat Report
159.89.207.41
ABUSE.MOM — BEHAVE OR GET EXPOSED
Geolocation & Classification
Detection Signatures
| Signature | Description | Points | Severity |
|---|---|---|---|
| UA bot: python | Known bot/crawler User-Agent detected | +40 | |
| UA changed for same IP | Multiple User-Agents — bot rotation technique | +25 | |
| Danger strong hits: 9 | High-risk paths: shells, RCE vectors, exploits | +100 | |
| Danger medium hits: 5 | Medium-risk: admin panels, config files | +50 | |
| Burst: 7 req / 2s | Abnormally fast request rate — automated scanning | +35 | |
| Foreign referer seen | Referer from unrelated external domain | +10 |
Observed Activity
Reconstructed HTTP requests from server access logs. Target domains redacted for security.
* Typical request patterns for detected signatures. Actual target domains are redacted.
Timeline
Network Provider
Recommendations
Actions taken & recommended
- IP 159.89.207.41 is blocked at application level (HTTP 403)
- Consider blocking at firewall level (iptables/CSF) to reduce server load
- Report abuse to the network provider via their abuse contact
- Ensure sensitive files (.env, .git, backups) are not accessible from the web
🤖 Bot Detection
Address UA spoofing from 159.89.207.41: maintain blocklist of known malicious UA strings, require consistent UA across sessions, implement TLS fingerprinting.
🌊 Flood / DDoS Mitigation
Implement limit_req_zone in nginx. Deploy CDN with DDoS protection. Configure SYN cookies and connection tracking to throttle 159.89.207.41.
Open Ports & Services
Network reconnaissance data from Shodan. Open ports may indicate running services, misconfigurations, or potential attack surfaces.
| Port | Service | Risk | Description |
|---|---|---|---|
| 22 | SSH | Low | Secure Shell — common brute force target for remote access |
| 80 | HTTP | Low | HTTP web server — standard web traffic |
| 81 | Unknown | Low | Service on port 81 |
| 143 | IMAP | Low | Service on port 143 |
| 234 | Unknown | Low | Service on port 234 |
| 264 | Unknown | Low | Service on port 264 |
| 285 | Unknown | Low | Service on port 285 |
| 311 | Unknown | Low | Service on port 311 |
| 314 | Unknown | Low | Service on port 314 |
| 389 | Unknown | Low | Service on port 389 |
| 400 | Unknown | Low | Service on port 400 |
| 427 | Unknown | Low | Service on port 427 |
| 440 | Unknown | Low | Service on port 440 |
| 441 | Unknown | Low | Service on port 441 |
| 443 | HTTPS | Low | HTTPS web server — encrypted web traffic |
| 444 | Unknown | Low | Service on port 444 |
| 445 | SMB | Critical | SMB file sharing — high-risk for EternalBlue and ransomware |
| 447 | Unknown | Low | Service on port 447 |
| 449 | Unknown | Low | Service on port 449 |
| 451 | Unknown | Low | Service on port 451 |
| 452 | Unknown | Low | Service on port 452 |
| 465 | Unknown | Low | Service on port 465 |
| 480 | Unknown | Low | Service on port 480 |
| 502 | Unknown | Low | Service on port 502 |
| 503 | Unknown | Low | Service on port 503 |
| 513 | Unknown | Low | Service on port 513 |
| 515 | Unknown | Low | Service on port 515 |
| 541 | Unknown | Low | Service on port 541 |
| 548 | Unknown | Low | Service on port 548 |
| 554 | Unknown | Low | Service on port 554 |
| 556 | Unknown | Low | Service on port 556 |
| 587 | Unknown | Low | Service on port 587 |
| 591 | Unknown | Low | Service on port 591 |
| 593 | Unknown | Low | Service on port 593 |
| 631 | Unknown | Low | Service on port 631 |
| 636 | Unknown | Low | Service on port 636 |
| 646 | Unknown | Low | Service on port 646 |
| 666 | Unknown | Low | Service on port 666 |
| 685 | Unknown | Low | Service on port 685 |
| 771 | Unknown | Low | Service on port 771 |
| 772 | Unknown | Low | Service on port 772 |
| 777 | Unknown | Low | Service on port 777 |
| 785 | Unknown | Low | Service on port 785 |
| 789 | Unknown | Low | Service on port 789 |
| 806 | Unknown | Low | Service on port 806 |
| 830 | Unknown | Low | Service on port 830 |
| 833 | Unknown | Low | Service on port 833 |
| 843 | Unknown | Low | Service on port 843 |
| 873 | Unknown | Low | Service on port 873 |
| 880 | Unknown | Low | Service on port 880 |
| 886 | Unknown | Low | Service on port 886 |
| 887 | Unknown | Low | Service on port 887 |
| 902 | Unknown | Low | Service on port 902 |
| 953 | Unknown | Low | Service on port 953 |
| 990 | Unknown | Low | Service on port 990 |
| 992 | Unknown | Low | Service on port 992 |
| 993 | IMAPS | Low | Service on port 993 |
| 995 | POP3S | Low | Service on port 995 |
| 1013 | Unknown | Low | Service on port 1013 |
| 2222 | Unknown | Low | Service on port 2222 |
| 2223 | Unknown | Low | Service on port 2223 |
⚠️ 1 high-risk port detected on 159.89.207.41. SMB (445) exposure is associated with worm propagation and EternalBlue exploits. These services should not be publicly accessible without strict firewall rules.
| CVE ID | Link |
|---|---|
| CVE-2025-23419 | NVD → |
| CVE-2023-44487 | NVD → |
| CVE-2021-23017 | NVD → |
| CVE-2021-3618 | NVD → |
🔴 This host has 4 known CVEs associated with its exposed services. Multiple vulnerabilities suggest gaps in patch management. Review each CVE in the NVD database.
Data source: Shodan InternetDB. Scanned independently of abuse.mom.
Blacklist Status (DNSBL)
This IP was checked against major DNS-based blacklists used by mail servers and firewalls worldwide.
Checked: Spamhaus, SpamCop, Barracuda, SORBS, CBL, UCEProtect. Results may change over time.
Threat Analysis
159.89.207.41 has been assigned a threat score of 220/100 (Critical). A score this high marks a critical threat actor. This address has demonstrated persistent, aggressive malicious behavior across multiple detection vectors.
The following attack categories were identified:
📊 Threat Analysis
Network traffic from 159.89.207.41, located in Singapore, Singapore, operating on the network of DigitalOcean, LLC, has been classified as malicious by our automated threat scoring engine. During its 3-day observation window, we recorded 3 hostile requests from this IP — roughly 1 per day on average. This address belongs to a datacenter or cloud hosting provider. Hosting IPs are frequently leveraged by threat actors who rent cheap VPS instances specifically for conducting attacks. The dual attack vectors of User-Agent Anomaly combined with Request Flooding indicate a coordinated assault rather than opportunistic scanning. With 140 flagged addresses, Singapore represents a significant presence in our threat database. With a threat score of 220/100, this IP is among the most dangerous addresses in our database. Immediate and complete blocking is strongly recommended.
This IP belongs to a hosting or data center provider. Malicious traffic from hosting infrastructure often originates from compromised VPS instances, rented servers used for scanning campaigns, or abused free-tier cloud accounts. Hosting providers typically respond to abuse reports within 24-72 hours.
Related Threats
Security Intelligence
💡 User-Agent Analysis Techniques
Analyzing User-Agent strings reveals automated tools masquerading as legitimate browsers. Inconsistencies between claimed browser capabilities and actual behavior, impossible version combinations, and known scanner signatures help identify malicious clients.
💡 HTTP Header Analysis for Threat Detection
Examining HTTP headers beyond User-Agent reveals attack tools and automated scripts. Missing standard headers, unusual ordering, non-standard values, and inconsistencies with claimed client identity all serve as reliable detection signals.