IP Threat Report
185.220.101.181
ABUSE.MOM — BEHAVE OR GET EXPOSED
Geolocation & Classification
Detection Signatures
| Signature | Description | Points | Severity |
|---|---|---|---|
| 404 ratio 40-60% | Majority of requests returned 404 — enumeration | +15 | |
| Foreign referer | Referer from unrelated external domain | +10 | |
| POST seen | Behavioral anomaly detected by automated analysis | +8 | |
| UA bot: Go-http-client | Known bot/crawler User-Agent detected | +40 | |
| UA suspicious | Behavioral anomaly detected by automated analysis | +15 |
Observed Activity
Reconstructed HTTP requests from server access logs. Target domains redacted for security.
* Typical request patterns for detected signatures. Actual target domains are redacted.
Timeline
Recommendations
Actions taken & recommended
- IP 185.220.101.181 is blocked at application level (HTTP 403)
- Consider blocking at firewall level (iptables/CSF) to reduce server load
- Other malicious IPs detected in the same /24 subnet — consider blocking 185.220.101.0/24
- Ensure sensitive files (.env, .git, backups) are not accessible from the web
🔎 Path Enumeration Protection
Block scanning from 185.220.101.181: rate-limit 404 responses per IP, deploy a honeypot 404 page, ensure no backup files are web-accessible.
🤖 User-Agent Anomaly Defense
IP 185.220.101.181 shows suspicious UA behavior. Block empty User-Agent requests. Implement JavaScript-based bot detection for sensitive endpoints.
Neighbors in 185.220.101.0/24
Other blocked IPs from the same /24 subnet — indicates systematic abuse from this network range.
Blacklist Status (DNSBL)
This IP was checked against major DNS-based blacklists used by mail servers and firewalls worldwide.
Checked: Spamhaus, SpamCop, Barracuda, SORBS, CBL, UCEProtect. Results may change over time.
Threat Analysis
185.220.101.181 has been assigned a threat score of 73/100 (High). At this threat level, the IP is considered high risk. Firewall rules should be updated to deny traffic from this source.
The following attack categories were identified:
📊 Threat Analysis
Our monitoring infrastructure has identified 185.220.101.181, geolocated to an unknown location, as a source of suspicious network activity. The address has been active for 6 days in our monitoring system, producing 153 flagged requests at a rate of ~25.5/day. The dual attack vectors of Path Enumeration combined with User-Agent Anomaly indicate a coordinated assault rather than opportunistic scanning. At 73/100, this IP warrants immediate defensive action.
Related Threats
Top threats from ??
View all →Security Intelligence
💡 HTTP Header Analysis for Threat Detection
Examining HTTP headers beyond User-Agent reveals attack tools and automated scripts. Missing standard headers, unusual ordering, non-standard values, and inconsistencies with claimed client identity all serve as reliable detection signals.
💡 Subdomain Takeover Vulnerabilities
Subdomain takeover occurs when DNS records point to decommissioned services. Attackers claim the abandoned resource and serve content under the trusted domain, enabling cookie theft, phishing, and reputation damage.