IP Threat Report
8.219.87.97
ABUSE.MOM — BEHAVE OR GET EXPOSED
Geolocation & Classification
Detection Signatures
| Signature | Description | Points | Severity |
|---|---|---|---|
| UA suspicious (short/empty) | Behavioral anomaly detected by automated analysis | +15 | |
| Danger strong hits: 2 | High-risk paths: shells, RCE vectors, exploits | +50 | |
| 404 ratio 40-60% | Majority of requests returned 404 — enumeration | +15 | |
| Probe pattern 302->404 same path | Behavioral anomaly detected by automated analysis | +20 | |
| Imported from old blocklist | Behavioral anomaly detected by automated analysis | +0 |
Observed Activity
Reconstructed HTTP requests from server access logs. Target domains redacted for security.
* Typical request patterns for detected signatures. Actual target domains are redacted.
Timeline
Network Provider
Recommendations
Actions taken & recommended
- IP 8.219.87.97 is blocked at application level (HTTP 403)
- Consider blocking at firewall level (iptables/CSF) to reduce server load
- Report abuse to the network provider via their abuse contact
- Ensure sensitive files (.env, .git, backups) are not accessible from the web
🤖 User-Agent Anomaly Defense
IP 8.219.87.97 shows suspicious UA behavior. Block empty User-Agent requests. Implement JavaScript-based bot detection for sensitive endpoints.
🔎 Path Enumeration Protection
Block scanning from 8.219.87.97: rate-limit 404 responses per IP, deploy a honeypot 404 page, ensure no backup files are web-accessible.
Open Ports & Services
Network reconnaissance data from Shodan. Open ports may indicate running services, misconfigurations, or potential attack surfaces.
| Port | Service | Risk | Description |
|---|---|---|---|
| 22 | SSH | Low | Secure Shell — common brute force target for remote access |
| 1013 | Unknown | Low | Service on port 1013 |
| 1022 | Unknown | Low | Service on port 1022 |
| 1023 | Unknown | Low | Service on port 1023 |
| 1024 | Unknown | Low | Service on port 1024 |
| 1025 | Unknown | Low | Service on port 1025 |
| 1027 | Unknown | Low | Service on port 1027 |
| 1080 | Unknown | Low | Service on port 1080 |
| 1099 | Unknown | Low | Service on port 1099 |
| 1110 | Unknown | Low | Service on port 1110 |
| 1153 | Unknown | Low | Service on port 1153 |
| 1181 | Unknown | Low | Service on port 1181 |
| 1195 | Unknown | Low | Service on port 1195 |
| 1198 | Unknown | Low | Service on port 1198 |
| 1200 | Unknown | Low | Service on port 1200 |
| 1207 | Unknown | Low | Service on port 1207 |
| 1234 | Unknown | Low | Service on port 1234 |
| 1291 | Unknown | Low | Service on port 1291 |
| 1292 | Unknown | Low | Service on port 1292 |
| 1311 | Unknown | Low | Service on port 1311 |
| 1337 | Unknown | Low | Service on port 1337 |
| 1388 | Unknown | Low | Service on port 1388 |
| 1400 | Unknown | Low | Service on port 1400 |
| 1414 | Unknown | Low | Service on port 1414 |
| 1433 | MSSQL | High | Service on port 1433 |
| 1443 | Unknown | Low | Service on port 1443 |
| 1444 | Unknown | Low | Service on port 1444 |
| 1447 | Unknown | Low | Service on port 1447 |
| 1451 | Unknown | Low | Service on port 1451 |
| 1454 | Unknown | Low | Service on port 1454 |
| 1457 | Unknown | Low | Service on port 1457 |
| 1471 | Unknown | Low | Service on port 1471 |
| 1521 | Unknown | Low | Service on port 1521 |
| 1554 | Unknown | Low | Service on port 1554 |
| 1599 | Unknown | Low | Service on port 1599 |
| 1604 | Unknown | Low | Service on port 1604 |
| 1605 | Unknown | Low | Service on port 1605 |
| 1650 | Unknown | Low | Service on port 1650 |
| 1723 | PPTP | Low | Service on port 1723 |
| 1741 | Unknown | Low | Service on port 1741 |
| 1801 | Unknown | Low | Service on port 1801 |
| 1911 | Unknown | Low | Service on port 1911 |
| 1925 | Unknown | Low | Service on port 1925 |
| 1926 | Unknown | Low | Service on port 1926 |
| 1935 | Unknown | Low | Service on port 1935 |
| 1962 | Unknown | Low | Service on port 1962 |
| 1965 | Unknown | Low | Service on port 1965 |
| 1966 | Unknown | Low | Service on port 1966 |
| 1970 | Unknown | Low | Service on port 1970 |
| 3389 | RDP | High | Remote Desktop Protocol — primary target for ransomware attacks |
⚠️ Network scanning reveals 1 dangerous service exposed on 8.219.87.97. Exposed RDP (3389) is the #1 entry point for ransomware attacks. These services should not be publicly accessible without strict firewall rules.
| CVE ID | Link |
|---|---|
| CVE-2020-14145 | NVD → |
| CVE-2023-51767 | NVD → |
| CVE-2025-26465 | NVD → |
| CVE-2023-51385 | NVD → |
| CVE-2023-38408 | NVD → |
| CVE-2008-3844 | NVD → |
| CVE-2007-2768 | NVD → |
| CVE-2016-20012 | NVD → |
| CVE-2018-15473 | NVD → |
| CVE-2018-20685 | NVD → |
| CVE-2023-48795 | NVD → |
| CVE-2025-32728 | NVD → |
| CVE-2021-41617 | NVD → |
| CVE-2020-15778 | NVD → |
| CVE-2019-6109 | NVD → |
| CVE-2018-15919 | NVD → |
| CVE-2021-36368 | NVD → |
| CVE-2019-6111 | NVD → |
| CVE-2017-15906 | NVD → |
| CVE-2019-6110 | NVD → |
🔴 Security scanning identified 20 vulnerability entries on this host. This volume strongly suggests severely outdated software. Consult NVD advisories for details.
Data source: Shodan InternetDB. Scanned independently of abuse.mom.
Blacklist Status (DNSBL)
This IP was checked against major DNS-based blacklists used by mail servers and firewalls worldwide.
Checked: Spamhaus, SpamCop, Barracuda, SORBS, CBL, UCEProtect. Results may change over time.
Threat Analysis
8.219.87.97 has been assigned a threat score of 100/100 (Critical). This is a critical-level threat. Systems administrators should treat this IP as hostile and block all inbound connections without exception.
The following attack categories were identified:
📊 Threat Analysis
Our monitoring infrastructure has identified 8.219.87.97, geolocated to Singapore, Singapore, operating on the network of Alibaba (US) Technology Co., Ltd., as a source of suspicious network activity. The address has been active for 1 days in our monitoring system, producing 3 flagged requests at a rate of ~3/day. This is a residential IP address, suggesting a compromised home device such as a router, smart appliance, or infected workstation participating in a botnet. Two attack patterns were identified (User-Agent Anomaly and Path Enumeration), suggesting a semi-automated campaign that targets multiple vulnerabilities. Our records show 107 malicious IPs originating from Singapore, positioning it as a significant contributor to global threat activity. With a threat score of 100/100, this IP is among the most dangerous addresses in our database. Immediate and complete blocking is strongly recommended.
This IP is classified as residential, suggesting it may belong to a compromised home device, IoT botnet member, or an infected personal computer. Residential IPs involved in attacks often indicate malware infection without the owner's knowledge.
Related Threats
🇸🇬 Top threats from Singapore
85.203.23.12 (340)85.203.23.31 (330)84.17.39.195 (325)192.166.246.30 (325)85.203.21.101 (320)View all →Security Intelligence
💡 User-Agent Analysis Techniques
Analyzing User-Agent strings reveals automated tools masquerading as legitimate browsers. Inconsistencies between claimed browser capabilities and actual behavior, impossible version combinations, and known scanner signatures help identify malicious clients.
💡 Threat Intelligence Sharing Frameworks
Standards like STIX/TAXII, MISP, and OpenIOC enable automated sharing of threat intelligence between organizations. Collective defense through shared indicators, tactics, and procedures strengthens the entire security community against common threats.