79.124.62.134

Summary (Bottom Line Up Front)

Our sensors detected sustained automated probe activity from IP 79.124.62.134 (Bulgaria/AS207812) between April 1 and June 9, 2026, targeting multiple network services including MySQL. This appears to be low-sophistication scanning traffic from known malicious infrastructure and poses minimal immediate threat to properly configured networks. Network defenders should verify that existing perimeter controls already block this known malicious infrastructure.

Activity Timeline
INITIAL REPORT 2026-06-09T21:35:55Z
Source: Analyst Manual Entry
Technical details
The source IP generated 44 security events over a 10-week period, primarily exploit attempts against 9 unique destination ports, including MySQL (3306/TCP) and SMB (445/TCP). The activity matched Spamhaus DROP list signatures, indicating automated scanning behavior rather than targeted intrusion attempts. The source holds the maximum AbuseIPDB reputation score (100/100) and operates from CLOUDVPS-NET infrastructure in Sofia, Bulgaria. No novel techniques, CVE exploitation, or advanced persistent threat indicators were observed. Traffic patterns suggest opportunistic scanning for vulnerable services rather than a sophisticated attack methodology.
IOCs
IP: 79.124.62.134
ASN: 207812
Country: BG
Recommendations
  • Block IP 79.124.62.134 and monitor for additional activity from AS207812 (CLOUDVPS-NET) infrastructure
  • Verify perimeter firewalls are configured to drop inbound connections to MySQL (3306/TCP) and other database services from external networks
  • Implement or validate Spamhaus DROP list integration in security controls to automatically block known malicious infrastructure
  • Review logs for any successful connections from this source IP and investigate potentially compromised services
  • Consider implementing rate limiting and connection throttling for externally accessible services to mitigate automated scanning impact