Ssh Comprehensive Host Reconnaissance Sequence

Identifies an SSH session performing broad system, network, identity, filesystem, and service enumeration in a single execution sequence. The behavior combines environment fingerprinting (kernel, CPU, uptime), user and credential surface inspection (/etc/passwd, /etc/shadow, history), network topology discovery (interfaces, routes, listening ports), process and service inventory, writable directory validation, and connectivity testing. This pattern reflects automated post-compromise host profiling used by botnets, cryptominers, and lateral-movement frameworks to determine system suitability and operational value.

Observed IPs

Avg Confidence

97%

Severity

high

Top IPs by event countSSH

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
103.179.119.185	100%	88,813	3,425	🇮🇳 IN	AS151106	2026-02-06
103.192.198.90	94%	47,679	10,194	🇮🇳 IN	AS59187	2026-02-28
43.228.157.22	100%	47,647	1,258	🇵🇰 PK	AS205759	2026-02-10
103.53.231.159	100%	33,878	3,548	🇻🇳 VN	AS131427	2026-02-27
207.46.224.87	100%	33,679	970	🇸🇬 SG	AS8075	2026-02-22
125.212.248.44	100%	29,679	808	🇻🇳 VN	AS7552	2026-02-22
162.217.98.180	100%	25,843	25,706	🇺🇸 US	AS32475	2026-03-02
103.91.248.29	100%	25,641	676	🇮🇳 IN	AS151106	2026-02-11
103.192.199.143	100%	22,493	841	🇮🇳 IN	AS59187	2026-02-07
103.174.103.249	100%	20,297	3,719	🇮🇳 IN	AS133719	2026-02-22
60.204.251.28	100%	8,403	595	🇨🇳 CN	AS55990	2026-02-09
103.61.122.229	100%	7,842	6,034	🇻🇳 VN	AS135905	2026-03-02
103.99.37.82	100%	5,482	210	🇮🇳 IN	AS151734	2026-02-02
103.192.198.194	93%	5,210	5,115	🇮🇳 IN	AS59187	2026-02-28
23.97.62.138	100%	4,561	129	🇸🇬 SG	AS8075	2026-02-03
207.46.224.88	100%	3,767	157	🇸🇬 SG	AS8075	2026-02-05
128.199.24.142	100%	3,249	3,155	🇮🇳 IN	AS14061	2026-03-03
207.46.224.81	100%	2,888	76	🇸🇬 SG	AS8075	2026-02-05
23.97.62.113	100%	2,804	88	🇸🇬 SG	AS8075	2026-02-07
207.46.224.85	98%	2,696	261	🇸🇬 SG	AS8075	2026-02-19