## Summary (Bottom Line Up Front)
Automated SSH brute force activity was observed from IP 175.118.127.138 (Seoul, South Korea) targeting network infrastructure with root credential attacks over a 12-day period. Assessed as low-to-medium threat: opportunistic scanning using standard attack patterns. Recommend implementing SSH hardening measures and monitoring for credential abuse attempts.

## Activity Timeline
INITIAL REPORT 2026-05-13T21:55:25Z
Source: Analyst Manual Entry
## Technical details
Source: 175.118.127.138 (AS9318 SK Broadband Co Ltd, Seoul)
Activity Window: May 1-13, 2026 (193 events over 12 days)
Primary Protocol: SSH targeting port 2200
Attack Vector: Credential brute forcing using root account
Infrastructure Profile: Multiple exposed services (SSH, HTTP, MySQL, custom ports 3000/8080)
Key Indicators: SSH-2.0-libssh banner suggesting automated tooling
Threat Assessment: Opportunistic scanning with no novel techniques observed
## IOCs
IP: 175.118.127.138
ASN: 9318
COUNTRY: KR
## Recommendations
- Implement SSH key-based authentication and disable password authentication where possible
- Configure fail2ban or similar intrusion prevention to block repeated failed login attempts
- Change default SSH ports and disable root login via SSH configuration
- Monitor authentication logs for unusual login patterns and credential stuffing attempts
- Consider IP geoblocking for non-business-critical systems if access from South Korea is not required
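The following Python script is an added example, not part of the report, implementing the log-monitoring recommendation above: it parses OpenSSH failure lines from auth.log, counts failures per source IP, and flags any source that exceeds a threshold or targets a privileged account such as root. The sample log lines, hostname `gw`, the non-IOC addresses and the threshold of 5 are constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict

# OpenSSH writes one line per failed login, e.g.
#   "Failed password for root from 175.118.127.138 port 51234 ssh2"
#   "Failed password for invalid user admin from 192.0.2.10 port 4000 ssh2"
# "port" is the client's source port; sshd listening on 2200 does not change the format.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)

def parse_failures(lines):
    """Count failed logins per source IP and record which accounts each source tried."""
    attempts = Counter()
    users = defaultdict(set)
    for line in lines:
        m = FAILED_RE.search(line)
        if m:
            attempts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return attempts, users

def flag_brute_force(lines, threshold=5, privileged=("root",)):
    """Return {ip: [reasons]} for sources over the failure threshold or hitting privileged accounts."""
    attempts, users = parse_failures(lines)
    findings = {}
    for ip, count in attempts.items():
        reasons = []
        if count >= threshold:
            reasons.append(f"{count} failed logins (threshold {threshold})")
        hit = sorted(users[ip] & set(privileged))
        if hit:
            reasons.append("privileged account(s) targeted: " + ", ".join(hit))
        if reasons:
            findings[ip] = reasons
    return findings

# Constructed sample log lines (not taken from the report): repeated root attempts
# from the reported source, one unrelated failure, and one successful key login.
SAMPLE_LOG = [
    "May  1 02:14:07 gw sshd[4101]: Failed password for root from 175.118.127.138 port 51234 ssh2",
    "May  1 02:14:09 gw sshd[4103]: Failed password for root from 175.118.127.138 port 51240 ssh2",
    "May  1 02:14:12 gw sshd[4105]: Failed password for root from 175.118.127.138 port 51251 ssh2",
    "May  1 02:14:15 gw sshd[4107]: Failed password for root from 175.118.127.138 port 51263 ssh2",
    "May  1 02:14:18 gw sshd[4109]: Failed password for root from 175.118.127.138 port 51270 ssh2",
    "May  1 03:00:41 gw sshd[4220]: Failed password for invalid user admin from 192.0.2.10 port 4000 ssh2",
    "May  1 03:05:02 gw sshd[4231]: Accepted publickey for deploy from 198.51.100.7 port 50022 ssh2",
]
```

Calling `flag_brute_force(SAMPLE_LOG)` reports only the IOC address, with both the threshold breach and the root targeting as reasons, while the single unrelated failure stays below the threshold.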