Dashboard›🇺🇸 United States›63.141.248.130

THREAT REPORT

IP Threat Report
63.141.248.130

ABUSE.MOM — BEHAVE OR GET EXPOSED

Generated: 2026-05-22 08:12:03

First seen: 2026-03-09 23:00:05

Last seen: 2026-03-13 18:00:05

Geolocation & Classification

IP Address

63.141.248.130

Type

Residential

Country

🇺🇸 United States

City

Kansas City

ISP

Nocix, LLC

Organization

Moon Networks

Autonomous System

AS33387 Nocix, LLC

Hit Count

Detection Signatures

Signature	Description	Points
Danger medium hits: 4	Medium-risk: admin panels, config files	+40
404 ratio 40-60%	Majority of requests returned 404 — enumeration	+15
Probe pattern 302->404 same path	Behavioral anomaly detected by automated analysis	+20
Burst: 5 req / 2s	Abnormally fast request rate — automated scanning	+35
Foreign referer seen	Referer from unrelated external domain	+10

Σ = 120

Observed Activity

Reconstructed HTTP requests from server access logs. Target domains redacted for security.

[redacted]

GET

200

[redacted]

GET

/page

200

Requests shown: 2 · HTTP 404: 0 · Dangerous patterns: 0

* Typical request patterns for detected signatures. Actual target domains are redacted.

Timeline

2026-03-09 23:00:05

First malicious request detected

IP entered monitoring from server access logs

During observation

Multiple detection signatures triggered

Danger medium hits: 4 (+40), 404 ratio 40-60% (+15), Probe pattern 302->404 same path (+20)

2026-03-13 18:00:05

Last malicious request observed

Total score reached: 120/100

Next cycle

IP blocked — all subsequent requests denied (HTTP 403)

Added to blocklist automatically

Network Provider

Nocix, LLC

AS33387 · 🇺🇸 United States

Recommendations

Actions taken & recommended

IP 63.141.248.130 is blocked at application level (HTTP 403)
Consider blocking at firewall level (iptables/CSF) to reduce server load
Report abuse to the network provider via their abuse contact
Ensure sensitive files (.env, .git, backups) are not accessible from the web

🔎 Directory Scan Defense

IP 63.141.248.130 is enumerating directories. Configure fail2ban apache-404 jail after 10+ 404 errors. Disable directory listings. Normalize all 404 responses.

🌊 Flood / DDoS Mitigation

Implement limit_req_zone in nginx. Deploy CDN with DDoS protection. Configure SYN cookies and connection tracking to throttle 63.141.248.130.

Open Ports & Services

Network reconnaissance data from Shodan. Open ports may indicate running services, misconfigurations, or potential attack surfaces.

OPEN PORTS (6)

Port	Service	Risk	Description
22	SSH	Low	Secure Shell — common brute force target for remote access
25	SMTP	Medium	SMTP mail server — can be abused for spam relay
111	Unknown	Low	Service on port 111
137	Unknown	Low	Service on port 137
445	SMB	Critical	SMB file sharing — high-risk for EternalBlue and ransomware
3128	Unknown	Low	Service on port 3128

⚠️ Network scanning reveals 1 dangerous service exposed on 63.141.248.130. SMB (445) exposure is associated with worm propagation and EternalBlue exploits. These services should not be publicly accessible without strict firewall rules.

DETECTED TECHNOLOGIES

linux:linux_kernelopenbsd:openssh:9.2p1debian:debian_linuxpostfix:postfix

Hostnames: s226619.nocix.netincorp-atiate.gameorphan.com

PTR: s226619.nocix.net

Data source: Shodan InternetDB. Scanned independently of abuse.mom.

Blacklist Status (DNSBL)

This IP was checked against major DNS-based blacklists used by mail servers and firewalls worldwide.

✓ Clean

Spamhaus ZEN

Checked: Spamhaus, SpamCop, Barracuda, SORBS, CBL, UCEProtect. Results may change over time.

Threat Analysis

63.141.248.130 has been assigned a threat score of 120/100 (Critical). This represents a critical risk level. Our detection systems have flagged multiple high-confidence indicators of malicious intent from this address.

The following attack categories were identified:

Path EnumerationRequest Flooding

📊 Threat Analysis

Our monitoring infrastructure has identified 63.141.248.130, geolocated to Kansas City, United States, operating on the network of Nocix, LLC, as a source of suspicious network activity. During its 3-day observation window, we recorded 10 hostile requests from this IP — roughly 3.3 per day on average. This residential IP is likely a compromised consumer device. Home routers and IoT equipment with default credentials are prime targets for botnet operators. The dual attack vectors of Path Enumeration combined with Request Flooding indicate a coordinated assault rather than opportunistic scanning. Our records show 102 malicious IPs originating from United States, positioning it as a significant contributor to global threat activity. A score of 120/100 places this address in the top tier of severity. Block and investigate any historical connections.

This IP is classified as residential, suggesting it may belong to a compromised home device, IoT botnet member, or an infected personal computer. Residential IPs involved in attacks often indicate malware infection without the owner's knowledge.

Related Threats

🇺🇸 Top threats from United States

104.28.246.115 (350)104.28.246.113 (340)104.28.246.116 (340)104.28.235.58 (340)104.28.246.122 (340)View all →

🏢 Same network: AS33387

107.150.45.26 (115)View all →

Security Intelligence

💡 Command Injection Techniques

Command injection occurs when attackers insert operating system commands through application inputs. Successful exploitation grants direct server access, enabling data theft, malware installation, and lateral movement across networks.

💡 Phishing Infrastructure Analysis

Modern phishing operations use sophisticated infrastructure including lookalike domains, valid TLS certificates, and evasion techniques like cloaking and geofencing. Analyzing this infrastructure reveals campaigns before they reach their targets.

🔍 Check Any IP Address

Share this report:

IP Threat Report63.141.248.130

⛔ Verdict: BLOCK