Summary (Bottom Line Up Front)
IP address 125.122.156.134 conducted automated SSH reconnaissance against network infrastructure on 29 March 2026 between 11:00 and 14:00 UTC, generating 338 connection events. This activity represents low-severity, noise-level scanning with standard SSH banner exchanges using the 'SSH-2.0-Go' client identifier. No immediate defensive action is required beyond standard monitoring.
Activity Timeline
INITIAL REPORT 2026-03-30T14:17:10Z
Source: Analyst Manual Entry
Technical details
- Attack Vector: SSH protocol reconnaissance via automated banner exchange
- Volume: 338 events over 2-hour window targeting single destination port
- MITRE Technique: T1046 (Network Service Scanning) - Reconnaissance phase
- Client Signature: SSH-2.0-Go indicating likely automated tooling
- Threat Assessment: NOISE classification with 95% confidence, novelty score 1/10
- IOC: 125.122.156.134 (source IP)
IOCs
IP:125.122.156.134
Recommendations
- Monitor for escalation to brute-force authentication attempts from this source IP
- Verify SSH service configurations follow organizational hardening standards
- Review SSH access logs for any successful authentication events during the timeframe
- Consider rate-limiting SSH connections if not already implemented
- Document this IP for correlation with future reconnaissance activities