This IP address has been reported a total of 56 times from 30 distinct sources.
130.94.69.30 was first reported on , and the most recent report was .
Recent Reports:
We have received reports of abusive activity from this IP address within the last week. It is potentially still actively engaged in abusive activities.
Suricata Detected 53 attacks from 130.94.69.30.; ET COMPROMISED Known Compromised or Hostile Host Traffic group 3; IP: 130.94.69.30; Ports: 53568; Direction: to_server; Trigger: COMPROMISED; Category: Misc Attack; Severity: 2
Brute-force SSH login using credential root/12345 across 3 sessions within 18-second window. Attacker deployed 1.7 MB executable disguised as ".dockerd" to /tmp directory. Attack sequence: dropped binary via cat redirection, then executed chmod 777 to grant full permissions before execution. Artifact ".dockerd" (SHA-256: 40803543b470bf588f777f93210ea3d94551872f56a9bd39c41cd7f6fa78c41a) exhibits typical malware staging pattern targeting temporary directories. File naming suggests Docker-related obfuscation to evade detection. No lateral movement, persistence mechanisms, or secondary payloads observed. Likely automated exploitation attempt using weak default credentials. Binary warrants analysis for malware family classification and C2 communications.
Brute-force SSH authentication using credential root/12345 across 6 sessions over ~2-hour period. Attacker successfully authenticated and deployed obfuscated executable disguised as Docker daemon to /tmp/.dockerd (191.6 KB). File: .dockerd, SHA-256: 135bb3cfdcd16046e328fb23519940636ef7c3b0701cb60e4df2011e1d2a9466. Attack chain: credential compromise, file write to world-writable directory, permission escalation (chmod 777), execution setup. Malware family unknown pending analysis. No persistence mechanisms, lateral movement, or C2 callbacks observed in captured traffic. Hidden filename (.dockerd) suggests evasion tactics targeting process enumeration tools. Attacker used generic SSH client with no identifying fingerprints. /tmp location indicates attempt to bypass system-protected directories. No subsequent commands executed post-deployment in captured session data.
Credential brute-force (root/12345) via SSH. Attacker established 6 sessions over 4.8 hrs, deployed hidden executable to /tmp/.dockerd (1.5 MB). File created via cat redirection, chmod 777 applied for world-readable exec: privilege escalation/persistence technique. SHA256:ea72f32257d5f84060255d86438047d51645245dd701f53dde4a2e7bcb2593a1. Staging in /tmp exploits default world-writable perms. Attack pattern: automated scanning + credential stuffing + payload delivery. No lateral movement, port forwarding, or secondary malware detected. Persistence depends on /tmp binary remaining executable across reboots unless cleaned. Unknown SSH client fingerprint suggests modified OpenSSH or custom tool. Recommend: block source IP, scan internal systems for .dockerd artifacts, audit root access logs for successful auth, analyze binary for malware classification and C2 patterns.
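The report above recommends scanning internal systems for .dockerd artifacts and auditing root access logs for successful authentication. The following is an added example of that hunt, written for this page; it is not code from AbuseIPDB or from any of the reporters. It takes the source IP and the five SHA-256 values from the reports on this page, hashes any hidden .dockerd file in a temporary directory, flags the chmod 777 mode the reporters describe, and picks accepted root logins from the source IP out of OpenSSH auth log lines. The log lines, hostnames, timestamps and the stand-in dropped file in `demo()` are constructed here for illustration.

```python
"""Hunt for the /tmp/.dockerd staging pattern described in the reports above.

Added example, not code from AbuseIPDB or any reporter. Hashes and source IP come
from the reports; log lines and the demo file are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

SOURCE_IP = "130.94.69.30"

# SHA-256 values of the .dockerd artifacts quoted in the reports above.
DOCKERD_HASHES = {
    "40803543b470bf588f777f93210ea3d94551872f56a9bd39c41cd7f6fa78c41a",
    "135bb3cfdcd16046e328fb23519940636ef7c3b0701cb60e4df2011e1d2a9466",
    "ea72f32257d5f84060255d86438047d51645245dd701f53dde4a2e7bcb2593a1",
    "fd3779edc19e7f73eb463328ef81f81f0e07b4bafdbc55ddb12aba949c55f3dd",
    "4888f5b4d3435aa8d215841e6d494fdc8928a2852115ec65bbdd42662864dc69",
}

# OpenSSH logs successful logins as "Accepted <method> for <user> from <ip> port <port>".
ACCEPTED_RE = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def sha256_file(path):
    """Stream a file through SHA-256 so a large drop need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_for_dockerd(tmp_dir="/tmp"):
    """Return one record per hidden .dockerd file under tmp_dir.

    known_ioc is True only when the hash matches one quoted in the reports; a miss
    is still suspicious, since the reporters saw five different binaries.
    """
    hits = []
    for path in sorted(Path(tmp_dir).glob(".dockerd*")):
        if not path.is_file():
            continue
        st = path.stat()
        digest = sha256_file(path)
        hits.append({
            "path": str(path),
            "size": st.st_size,
            "sha256": digest,
            "known_ioc": digest in DOCKERD_HASHES,
            "mode_777": (st.st_mode & 0o777) == 0o777,  # the chmod 777 in the reports
        })
    return hits


def root_logins_from(log_lines, ip=SOURCE_IP):
    """Pick accepted root logins from ip out of sshd auth log lines."""
    found = []
    for line in log_lines:
        m = ACCEPTED_RE.search(line)
        if m and m.group("user") == "root" and m.group("ip") == ip:
            found.append({"method": m.group("method"),
                          "port": int(m.group("port")),
                          "line": line.strip()})
    return found


# Constructed sshd lines: hostname, PIDs and timestamps are made up for this example.
SAMPLE_AUTH_LOG = [
    "Mar 10 02:14:07 ns03 sshd[2231]: Failed password for root from 130.94.69.30 port 53568 ssh2",
    "Mar 10 02:14:09 ns03 sshd[2231]: Accepted password for root from 130.94.69.30 port 53568 ssh2",
    "Mar 10 02:14:21 ns03 sshd[2240]: Accepted publickey for deploy from 10.0.0.5 port 51022 ssh2",
    "Mar 10 02:15:03 ns03 sshd[2251]: Accepted password for root from 130.94.69.30 port 53570 ssh2",
]


def demo():
    """Run both checks on constructed input; returns (artifact hits, root logins)."""
    with tempfile.TemporaryDirectory() as d:
        drop = Path(d) / ".dockerd"
        drop.write_bytes(b"\x7fELF" + b"\x00" * 60)  # constructed stand-in, not real malware
        os.chmod(drop, 0o777)  # mirrors the chmod 777 step in the reports
        hits = scan_for_dockerd(d)
    return hits, root_logins_from(SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    hits, logins = demo()
    for h in hits:
        print(f"{h['path']} size={h['size']} sha256={h['sha256']} "
              f"known_ioc={h['known_ioc']} mode_777={h['mode_777']}")
    for l in logins:
        print(f"root login via {l['method']} from {SOURCE_IP} port {l['port']}")
```

On a real host, call `scan_for_dockerd()` with the default `/tmp` and feed `root_logins_from()` the lines of `/var/log/auth.log` or the output of `journalctl -u ssh`; a hash that is not in the set should be submitted for analysis rather than ignored, as the reports themselves recommend.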
Used libssh2_1.11.1 client across 3 sessions, authenticating with root/12345. Single malicious payload deployed: created executable file at /tmp/.dockerd via cat redirection, then modified permissions to 777 (world-executable). The filename mimics legitimate Docker daemon binary, suggesting obfuscation intent. No secondary commands executed, downloads observed, or persistence mechanisms installed during captured activity window. Attack pattern indicates staging phase: file creation and permission modification precedes typical execution or lateral movement. Rapid session cycling (15 seconds total) suggests automated scanning/exploitation tool. Credentials root/12345 consistent with default/weak password targeting common across mass SSH scanning campaigns. No evidence of command injection, tunneling attempts, or credential harvesting against other systems. Recommend monitoring for follow-up connections from this IP and blocking root login attempts network-wide.
Brute-force SSH login using credential root/12345 across 6 sessions. Attacker deployed hidden executable ".dockerd" (1.7 MB) to /tmp directory with world-readable/writable/executable permissions (chmod 777). File SHA-256: 40803543b470bf588f777f93210ea3d94551872f56a9bd39c41cd7f6fa78c41a. Attack pattern suggests automated credential stuffing followed by malware deployment. The ".dockerd" filename mimics legitimate Docker daemon naming, likely obfuscation tactic. File size and execution permissions indicate potential botnet payload, cryptominer, or backdoor. No command execution, persistence mechanisms via cron/systemd, lateral movement attempts, or secondary payload downloads observed during active sessions. Attacker activity concentrated within 2-hour window. Recommend blocking IP at perimeter, invalidating exposed credentials, isolating affected systems, and analyzing recovered executable for malware classification and C2 communications.
libssh2_1.11.1 client brute-forced SSH with credential root/12345. Attacker created executable at /tmp/.dockerd via cat redirection, then set world-readable/writable/executable permissions (chmod 777). The .dockerd filename suggests masquerading as a legitimate Docker daemon process for persistence or evasion. No payloads downloaded; command chain indicates staged malware delivery or local exploitation preparation. Three sessions within 17 seconds suggests automated reconnaissance and rapid file staging. No evidence of lateral movement or network callbacks captured, but persistence mechanism (.dockerd in /tmp with full permissions) enables subsequent command execution by any user context.
Multiple SSH login attempts using weak credentials (root/12345) over 6 sessions spanning 2+ hours. Attacker deployed malware disguised as Docker daemon to /tmp/.dockerd (1.8 MB, sha256:fd3779edc19e7f73eb463328ef81f81f0e07b4bafdbc55ddb12aba949c55f3dd). Attack chain: credential compromise, file write via cat redirection, executable permissions modification (chmod 777). The .dockerd binary appears designed to evade detection through naming convention mimicry. No lateral movement, port forwarding, or persistence mechanisms beyond the dropped executable observed. This represents a direct intrusion attempt with payload deployment, characteristic of mass-scanning botnet activity targeting exposed SSH services with dictionary credentials.
Blocked by UFW on ns03 [5901/tcp] Source port: 42754 TTL: 45 Packet length: 60 TOS: 0x00 This report was generated by: https://github.com/sefinek/UFW-AbuseIPDB-Reporter
Brute-force SSH access using root/12345 credentials across 6 sessions over 2 hours 21 minutes. Single payload delivered: executable ".dockerd" (1.1 MB) placed in /tmp with world-writable permissions via chmod 777. SHA-256: 4888f5b4d3435aa8d215841e6d494fdc8928a2852115ec65bbdd42662864dc69. Attack pattern suggests automated credential spray followed by immediate malware deployment. The ".dockerd" filename indicates potential Docker-related exploitation or masquerading. Executable placed in world-writable temporary directory suggests intent for multi-user access or privilege escalation vector. No lateral movement, persistence mechanisms, or additional reconnaissance observed beyond initial file staging. Standard credential reuse attack with minimal operational sophistication.