Summary (Bottom Line Up Front)
A single IP address from Chinese cloud infrastructure conducted sustained SSH protocol abuse targeting port 2200 over a 4-hour period on April 29, 2026, generating over 5,000 events. This activity represents common automated scanning behavior with low threat severity and no evidence of successful exploitation or novel techniques. Network defenders should implement standard SSH hardening measures and monitor for similar scanning patterns.
Activity Timeline
INITIAL REPORT 2026-04-29T05:47:44Z
Source: Analyst Manual Entry
A single IP address from Chinese cloud infrastructure conducted sustained SSH protocol abuse targeting port 2200 over a 4-hour period on April 29, 2026, generating over 5,000 events. This activity represents common automated scanning behavior with low threat severity and no evidence of successful exploitation or novel techniques. Network defenders should implement standard SSH hardening measures and monitor for similar scanning patterns.
Technical details
Source: 139.129.13.203 (Qingdao, CN / AS37963 Aliyun Computing Co.)
Timeline: April 29, 2026, 01:00 - 06:00 UTC (4-hour duration)
Volume: 5,065 events targeting SSH services exclusively
Protocols: SSH-2.0 with libssh client library identification
Attack Vector: SSH protocol abuse focusing on non-standard port 2200
Payload Analysis: Standard SSH banner exchange with "SSH-2.0-libssh" client string
MITRE ATT&CK: Likely T1021.004 (Remote Services: SSH) reconnaissance phase
Threat Assessment: Low-sophistication automated scanning with 100/100 AbuseIPDB reputation score
IOCs
IP: 139.129.13.203
ASN: 37963
COUNTRY: CN
Recommendations
- Implement SSH key-based authentication and disable password authentication to mitigate brute force attempts
- Configure fail2ban or similar intrusion prevention systems to automatically block repeated SSH connection attempts
- Move SSH services from default ports and implement port knocking or VPN access for administrative connections
- Monitor network logs for sustained connection attempts from single source IPs, particularly from cloud hosting providers
- Block or rate-limit traffic from AS37963 (Aliyun Computing) if not required for legitimate business operations
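The fourth recommendation (monitor for sustained connection attempts from a single source IP) can be turned into a concrete detection. The following script is an added example written for this report, not tooling from the analyst or from any vendor; it parses sshd "Connection from" lines, aggregates attempts per source, and flags sources whose attempts are both numerous and spread over a long window, which is what separates the scanning pattern described above from a short burst of retries by one misconfigured client. The log lines are constructed for illustration: the source IP is the one from the IOCs, but the timestamps, process IDs, hostname, client ports and the second address (a documentation-range IP) are invented, and the thresholds are assumptions to be tuned per environment.

```python
import re
from datetime import datetime, timezone

# Constructed sample log, modeled on OpenSSH's "Connection from ... port ... on ... port ..."
# message (logged at LogLevel VERBOSE). The source IP is the one listed in this report's IOCs;
# the hostname, PIDs, timestamps and client ports are invented. 203.0.113.10 is a
# documentation-range address standing in for an ordinary one-off client.
SAMPLE_LOG = """\
2026-04-29T01:00:12Z bastion sshd[1001]: Connection from 139.129.13.203 port 40001 on 10.0.0.5 port 2200
2026-04-29T01:00:12Z bastion sshd[1001]: Connection closed by 139.129.13.203 port 40001 [preauth]
2026-04-29T01:45:03Z bastion sshd[1042]: Connection from 139.129.13.203 port 40002 on 10.0.0.5 port 2200
2026-04-29T02:05:00Z bastion sshd[1090]: Connection from 203.0.113.10 port 51000 on 10.0.0.5 port 2200
2026-04-29T02:30:55Z bastion sshd[1107]: Connection from 139.129.13.203 port 40003 on 10.0.0.5 port 2200
2026-04-29T03:10:41Z bastion sshd[1180]: Connection from 139.129.13.203 port 40004 on 10.0.0.5 port 2200
2026-04-29T03:58:19Z bastion sshd[1233]: Connection from 139.129.13.203 port 40005 on 10.0.0.5 port 2200
2026-04-29T04:30:07Z bastion sshd[1290]: Connection from 139.129.13.203 port 40006 on 10.0.0.5 port 2200
"""

# Matches only the "Connection from" message; "Connection closed" and other sshd lines are skipped.
CONNECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) \S+ sshd\[\d+\]: "
    r"Connection from (?P<src>[0-9a-fA-F.:]+) port \d+ on \S+ port (?P<dport>\d+)"
)


def parse_connections(text):
    """Yield (timestamp, source_ip, destination_port) for each sshd 'Connection from' line."""
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield ts, m.group("src"), int(m.group("dport"))


def summarize_by_source(text):
    """Aggregate attempts per source IP: event count, first/last seen, destination ports hit."""
    stats = {}
    for ts, src, dport in parse_connections(text):
        s = stats.setdefault(src, {"count": 0, "first": ts, "last": ts, "ports": set()})
        s["count"] += 1
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["ports"].add(dport)
    return stats


def find_sustained_sources(text, min_events=5, min_duration_minutes=60):
    """Return sources whose attempts are both numerous and spread over a long window.

    Thresholds are assumed starting values. The duration condition is what distinguishes
    a sustained scanner from a short burst of automatic retries by a single client.
    """
    findings = []
    for src, s in summarize_by_source(text).items():
        minutes = (s["last"] - s["first"]).total_seconds() / 60
        if s["count"] >= min_events and minutes >= min_duration_minutes:
            findings.append({
                "src": src,
                "events": s["count"],
                "duration_minutes": round(minutes, 1),
                "ports": sorted(s["ports"]),
            })
    return sorted(findings, key=lambda f: f["events"], reverse=True)


if __name__ == "__main__":
    for f in find_sustained_sources(SAMPLE_LOG):
        print(f"{f['src']}: {f['events']} attempts over {f['duration_minutes']} min, ports {f['ports']}")
```

On the sample above the script reports only 139.129.13.203 (six attempts spread over roughly three and a half hours against port 2200); the single attempt from 203.0.113.10 falls below both thresholds. In production the same aggregation would be fed from the host's auth log or a SIEM export, and the flagged sources are candidates for the rate-limiting or blocking measures listed above rather than automatic proof of compromise, since the report itself notes no evidence of successful exploitation.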