Summary (Bottom Line Up Front)
IP address 194.163.170.234 (Contabo GmbH/FR) conducted a sustained credential brute force attack against telnet services on 2026-04-04 between 07:00-10:00 UTC, generating over 64,000 authentication attempts. This represents a medium-severity threat with high confidence due to the systematic nature and inherent telnet security risks. Immediate IP blocking and telnet service hardening are recommended.
Activity Timeline
INITIAL REPORT 2026-04-05T16:44:48Z
Source: Analyst Manual Entry
IP address 194.163.170.234 (Contabo GmbH/FR) conducted a sustained credential brute force attack against telnet services on 2026-04-04 between 07:00-10:00 UTC, generating over 64,000 authentication attempts. This represents a medium-severity threat with high confidence due to the systematic nature and inherent telnet security risks. Immediate IP blocking and telnet service hardening are recommended.
Technical details
The attack originated from a Contabo-hosted VPS (194.163.170.234) with an AbuseIPDB reputation score of 100/100, the maximum, indicating confirmed malicious activity reported by other parties. The threat actor employed systematic credential brute forcing (MITRE T1110.001) exclusively against telnet services over a 3-hour window. Observed attack patterns included 10,170 authentication retry attempts and 5,116 direct authentication attempts, totaling 64,146 events against a single destination port. The attacker's infrastructure exposed additional services on ports 22, 8017, and 8080, suggesting a multi-purpose attack platform. No CVE exploitation was observed, and the activity aligns with opportunistic credential harvesting rather than a targeted intrusion.
IOCs
IP: 194.163.170.234
ASN: 51167
COUNTRY: FR
Recommendations
- Block IP 194.163.170.234 at the network perimeter and consider blocking the entire Contabo ASN 51167 range if operationally feasible
- Immediately disable telnet services and migrate to SSH with key-based authentication where remote access is required
- Implement account lockout policies and rate limiting on all authentication services to mitigate brute force attempts
- Deploy network segmentation to isolate critical systems from internet-facing services
- Monitor for similar attack patterns against other plaintext protocols (FTP, HTTP basic auth) and proactively harden these services
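The detection side of the Technical details and the rate-limiting and monitoring recommendations above can be illustrated with a small sliding-window detector. This is an added example, not tooling from the report or its source platform: the syslog-style telnet lines are constructed (the real log format of a given telnetd will differ, so the regex is an assumption to adapt), and the threshold of 5 failures in 60 seconds is an illustrative starting point, not a value from the report.

```python
"""Flag telnet credential brute forcing (MITRE T1110.001) from auth logs.

Added example for the report above; the log format and thresholds are
assumptions, not the report's own data or tooling.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed sample: the report's IOC hammering telnet, plus a benign
# operator with one typo followed by a successful login and an SSH line
# that the telnet parser should ignore.
SAMPLE_LOG = """\
2026-04-04T07:00:01Z edge1 telnetd[812]: LOGIN FAILURE from 194.163.170.234 user=root
2026-04-04T07:00:02Z edge1 telnetd[812]: LOGIN FAILURE from 194.163.170.234 user=admin
2026-04-04T07:00:02Z edge1 telnetd[812]: LOGIN FAILURE from 194.163.170.234 user=root
2026-04-04T07:00:03Z edge1 telnetd[812]: LOGIN FAILURE from 194.163.170.234 user=support
2026-04-04T07:00:03Z edge1 telnetd[812]: LOGIN FAILURE from 194.163.170.234 user=user
2026-04-04T07:00:04Z edge1 telnetd[812]: LOGIN FAILURE from 194.163.170.234 user=admin
2026-04-04T07:05:10Z edge1 telnetd[812]: LOGIN FAILURE from 198.51.100.7 user=ops
2026-04-04T07:05:20Z edge1 telnetd[812]: LOGIN ACCEPTED from 198.51.100.7 user=ops
2026-04-04T07:30:00Z edge1 sshd[900]: Accepted publickey for ops from 198.51.100.7 port 50222
"""

# Assumed telnetd line shape; adjust the pattern to match your own daemon.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"(?P<host>\S+) telnetd\[\d+\]: "
    r"(?P<outcome>LOGIN FAILURE|LOGIN ACCEPTED) from "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Return a dict for a telnet login event, or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"],
            "failed": m["outcome"] == "LOGIN FAILURE"}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return per-source stats for any source with >= threshold failed logins
    inside a sliding window of window_seconds. Lines must be in time order."""
    window = defaultdict(deque)   # src -> timestamps of failures in the window
    stats = {}                    # src -> totals across the whole input
    alerted = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["failed"]:
            continue
        src = ev["src"]
        s = stats.setdefault(src, {"failures": 0, "users": set(),
                                   "first": ev["ts"], "last": ev["ts"]})
        s["failures"] += 1
        s["users"].add(ev["user"])
        s["last"] = ev["ts"]
        q = window[src]
        q.append(ev["ts"])
        # Drop failures older than the window; the just-appended entry always
        # survives, so q is never empty here.
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            alerted.add(src)
    return {src: stats[src] for src in alerted}


def alert_lines(alerts):
    """Render alerts as one-line findings suitable for a ticket or SIEM note."""
    out = []
    for src, s in sorted(alerts.items()):
        span = max((s["last"] - s["first"]).total_seconds(), 1)
        rate = s["failures"] / span * 60
        out.append(f"T1110.001 telnet brute force from {src}: {s['failures']} failures, "
                   f"{len(s['users'])} usernames, ~{rate:.0f}/min, "
                   f"{s['first'].isoformat()} .. {s['last'].isoformat()}")
    return out


if __name__ == "__main__":
    for finding in alert_lines(detect_bruteforce(SAMPLE_LOG.splitlines())):
        print(finding)
```

The benign operator's single failure never reaches the threshold, while the report's IOC trips it within seconds; the same per-source window is the logic a rate limiter or lockout policy (recommendation 3 above) enforces inline, and the rendered finding carries the fields a blocking decision needs (source, volume, username spread, time span).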