Dashboard🇷🇺 Russia72.56.154.140
ABUSE.MOM
THREAT REPORT

IP Threat Report
72.56.154.140

ABUSE.MOM — BEHAVE OR GET EXPOSED

Generated: 2026-05-27 10:09:14
First seen: 2026-02-20 03:25:05
Last seen: 2026-03-03 00:00:06
140

⛔ Verdict: BLOCK

This IP address has been classified as a source of malicious automated activity. Threat score: 140/100. Total malicious requests observed: 5.

DANGER_PATHRATIO_404REDIRECT_PROBEREFERERBURST
01

Geolocation & Classification

IP Address
72.56.154.140
Type
Residential
Country
🇷🇺 Russia
City
Moscow
ISP
R Fixed Center
Organization
Unknown
Autonomous System
AS209372 WS Telecom Inc
Hit Count
5
02

Detection Signatures

SignatureDescriptionPointsSeverity
Danger medium hits: 4Medium-risk: admin panels, config files+40
404 ratio 40-60%Majority of requests returned 404 — enumeration+15
Probe pattern 302->404 same pathBehavioral anomaly detected by automated analysis+20
Foreign referer seenReferer from unrelated external domain+10
Danger medium hits: 10Medium-risk: admin panels, config files+60
Danger medium hits: 6Medium-risk: admin panels, config files+60
Burst: 5 req / 2sAbnormally fast request rate — automated scanning+35
Danger medium hits: 2Medium-risk: admin panels, config files+20
Σ = 260
03

Observed Activity

Reconstructed HTTP requests from server access logs. Target domains redacted for security.

[redacted]
GET
/
200
[redacted]
GET
/page
200
Requests shown: 2 · HTTP 404: 0 · Dangerous patterns: 0

* Typical request patterns for detected signatures. Actual target domains are redacted.

04

Timeline

2026-02-20 03:25:05
First malicious request detected
IP entered monitoring from server access logs
During observation
Multiple detection signatures triggered
Danger medium hits: 4 (+40), 404 ratio 40-60% (+15), Probe pattern 302->404 same path (+20)
2026-03-03 00:00:06
Last malicious request observed
Total score reached: 140/100
Next cycle
IP blocked — all subsequent requests denied (HTTP 403)
Added to blocklist automatically
05

Network Provider

R Fixed Center
AS209372 · 🇷🇺 Russia
06

Recommendations

Actions taken & recommended

  • IP 72.56.154.140 is blocked at application level (HTTP 403)
  • Consider blocking at firewall level (iptables/CSF) to reduce server load
  • Other malicious IPs detected in the same /24 subnet — consider blocking 72.56.154.0/24
  • Report abuse to the network provider via their abuse contact
  • Ensure sensitive files (.env, .git, backups) are not accessible from the web

🔎 Path Enumeration Protection

Block scanning from 72.56.154.140: rate-limit 404 responses per IP, deploy a honeypot 404 page, ensure no backup files are web-accessible.

🌊 Flood / DDoS Mitigation

Implement limit_req_zone in nginx. Deploy CDN with DDoS protection. Configure SYN cookies and connection tracking to throttle 72.56.154.140.

07

Neighbors in 72.56.154.0/24

Other blocked IPs from the same /24 subnet — indicates systematic abuse from this network range.

72.56.154.161
Score: 220 · Hits: 637
72.56.154.5
Score: 140 · Hits: 6
72.56.154.86
Score: 140 · Hits: 2
72.56.154.227
Score: 105 · Hits: 1
72.56.154.146
Score: 85 · Hits: 5
72.56.154.164
Score: 85 · Hits: 2
09

Blacklist Status (DNSBL)

This IP was checked against major DNS-based blacklists used by mail servers and firewalls worldwide.

⛔ LISTED
Spamhaus ZEN

Checked: Spamhaus, SpamCop, Barracuda, SORBS, CBL, UCEProtect. Results may change over time.

10

Threat Analysis

72.56.154.140 has been assigned a threat score of 140/100 (Critical). This represents a critical risk level. Our detection systems have flagged multiple high-confidence indicators of malicious intent from this address.

The following attack categories were identified:

Path EnumerationRequest Flooding

📊 Threat Analysis

The address 72.56.154.140 originates from Moscow, Russia, operating on the network of R Fixed Center. It was identified through automated analysis of incoming network traffic across monitored endpoints. The address has been active for 10 days in our monitoring system, producing 5 flagged requests at a rate of ~0.5/day. Operating from a residential network, this IP may represent a compromised home gateway or IoT device that has been drafted into a larger attack infrastructure. Two attack patterns were identified (Path Enumeration and Request Flooding), suggesting a semi-automated campaign that targets multiple vulnerabilities. Our records show 193 malicious IPs originating from Russia, positioning it as a significant contributor to global threat activity. A score of 140/100 places this address in the top tier of severity. Block and investigate any historical connections.

This IP is classified as residential, suggesting it may belong to a compromised home device, IoT botnet member, or an infected personal computer. Residential IPs involved in attacks often indicate malware infection without the owner's knowledge.

11

Related Threats

🇷🇺 Top threats from Russia

157.22.102.172 (313)178.130.54.159 (288)72.56.191.6 (265)95.182.125.201 (265)91.240.87.225 (263)View all →

🏢 Same network: AS209372

72.56.159.192 (215)72.56.153.125 (215)72.56.191.123 (215)72.56.152.23 (180)72.56.188.137 (180)View all →
12

Security Intelligence

💡 Directory Traversal Attacks

Path traversal attacks attempt to access files outside the intended directory by manipulating file path references. Attackers use sequences like ../ to reach sensitive system files such as /etc/passwd or application configuration files.

💡 Deception Technology Beyond Honeypots

Modern deception technology deploys fake credentials, decoy files, and breadcrumbs throughout production environments. When attackers interact with these deceptions, high-fidelity alerts trigger with virtually zero false positives.

🔍 Check Any IP Address

Share this report:
AboutDisclaimerTermsAbuse Reports Tracker
Report generated 27.05.2026 10:09
Behave or get exposed