107.189.5.249

{ } JSON 🔧 Full Actions API

🤖 Witness AIThis summary was generated by AI and may contain inaccuracies. Verify critical details independently.

INTELLIGENCE BRIEFING: 107.189.5.249/32

Executive Summary

IP address 107.189.5.249 presents moderate risk (score: 59/100) with confirmed Tor exit node characteristics. The IP belongs to BuyVM (ASN: 53667) with infrastructure registered in Luxembourg. Historical observation data indicates consistent routing patterns over the analysis period. The address should be treated with heightened scrutiny due to anonymized traffic patterns and elevated neighborhood abuse density.

Risk Profile

Overall Risk Score: 59/100 (Moderate Risk)
Network Classification: Tor Exit Nodes
Geolocation: US (reported), Luxembourg (technical)
Organization: BuyVM, ASN 53667
Reputation: Moderate risk with 1 blacklist listing

Threat Indicators

Tor exit indicators observed. The IP functions as a Tor exit node, meaning all traffic from this address passes through the Tor anonymity network. Forward DNS resolves to tor-exit.hackb4.2mpd.com with one blacklist listing recorded. TLS certificates show mismatched issuer and subject fields (issuer: CN=www.63zr3x7hmjaz.com, subject: CN=www.ai4xk3p2dj47sbp67l.net), suggesting potential misconfiguration or abuse.

Network Infrastructure

Active services include HTTP (port 80), HTTPS (port 443), SSH (port 22), HTTP-alt (port 8080), and HTTPS-alt (port 8443). Control plane data indicates stable BGP routing via origin ASN 53667 with route stability confirmed. The IP operates within the 107.189.0.0/21 prefix with established peering relationships through ASN 6939.

Neighborhood Analysis

The /24 subnet (107.189.5.0/24) exhibits high abuse classification with 71.43% abuse density. Six neighboring IPs were analyzed, all showing medium risk scores (40-59). Five threat siblings identified within the subnet. Notable neighbors include 107.189.5.7 (risk: 59) and 107.189.5.121 (risk: 59), both with authority scores of 50.

Temporal Analysis

Sixty-two historical observations recorded since the last measurement period. Operator score remained consistent at 0.2609 across all observations. Route stability maintained with zero route changes in the 30-day window. No ownership changes detected. The IP is not persistently malicious with zero threat persistence days.

Relationship Graph

363 relationship connections identified, with multiple entries mapping to network "BUYVM-LUXEMBOURG-02". High interconnectivity within the BuyVM network infrastructure observed.

Recommended Security Actions

Implement enhanced verification protocols for anonymous traffic sources
Increase logging verbosity for activity from this IP
Consider blocking at perimeter firewall (firewall rules available for iptables, nftables, nginx, pfSense, Cloudflare WAF, and AWS WAF)

Conclusion

107.189.5.249 operates as a Tor exit node within a high-abuse subnet. While not flagged as a known attacker or spam source, the Tor exit node classification necessitates defensive controls. The IP should be blocked or subjected to enhanced monitoring based on organizational risk tolerance for anonymized traffic.

This summary was generated by AI and may contain inaccuracies. Verify critical details independently.

🌍 Geolocation

Country	🇺🇸 United States
Region	ME
City	Bissen
Timezone	—
Latitude	49.79
Longitude	6.10

🏢 Ownership & Registration

Organization	BuyVM
ASN	AS53667
Network Name	—
CIDR Block	107.189.0.0/21
RIR	ARIN
Country	—
Abuse Contact	Available via RDAP

🌐 DNS Intelligence

PTR	tor-exit.hackb4.2mpd.com
Forward Confirmed	No — PTR hostname does not resolve back to this IP (weak signal)
Forward Hostnames	`tor-exit.hackb4.2mpd.com`

🔐 DNS Hygiene

Hygiene Score	60% (Good)
SPF	Present
DMARC	Present
FCrDNS	Not verified
DNSSEC	Valid
CAA	Not configured

☁️ Network Classification

Infrastructure	Unknown
Service Purpose	Web Server
Network Tier	Unknown — Insufficient routing data to classify

No specific classification

🔌 Services & Open Ports

Port	Service	Protocol	Banner
80	http	tcp	—
443	https	tcp	—
22	ssh	tcp	SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.16
8080	http-alt	tcp	—
8443	https-alt	tcp	—
Closed Ports	25, 3389 (5 open / 7 scanned)

Server	—
HTTP Title	—
SSH Version	SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.16

🔐 TLS Certificate

🔒

CN=www.fgtk2trfeg3xqjxwb.net

Issued by CN=www.jwn5aelkrc55sbaw.com

Self-signed: No

SANs	None
Valid From	2026-03-30T00:00:00+00:00
Valid Until	2026-07-13T00:00:00+00:00
TLS Protocol	Tls13
Cipher Suite	TLS_AES_256_GCM_SHA384
Signature Algorithm	sha256RSA
Validity Period	105 days
Serial Number	37BE7B471EF1ED7E
Thumbprint	01F703C361912A8198A3407C90C8CF375FFD6DC6

🎯 Confidence Breakdown

Per-dimension confidence scores based on source diversity and data freshness

Dimension	Score	Sources	Observations
threat	26%	2	4
routing	17%	2	3
services	34%	2	3
ownership	30%	3	7
reputation	28%	1	3
geolocation	27%	2	3
Overall	27%	12	23

Coverage: 6/6 dimensions · Data sufficiency: sufficient

Data Coherence	Mostly Consistent (80%) — 1 contradiction(s)
Attribution	Low (35%)
	OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid

⚠ Geo sources disagree on country: LU, US

📅 Observation Timeline 🔄 Live

First Seen	2026-05-22 13:35:44 UTC
Last Seen	2026-06-28 19:28:00 UTC
Profile Built	2026-06-29 07:33:24 UTC
Data Freshness	Live
Signal Types	30
Total Observations	57

🔍 30 signal types · 57 observations collected

This report is generated from 30+ independent intelligence signals including ownership records, DNS analysis, BGP routing, TLS certificates, port scanning, threat feeds, behavioral fingerprinting, and more.
Full dossier details are available via our API.

{ } JSON API 🔧 Actions API 📧 Enterprise Access

ℹ️ About This Report

All data shown is publicly available network metadata — IP addresses do not reliably identify individuals. Assessments are probabilistic and should not be used as sole basis for access control decisions. To report an issue or request data review, contact admin@ipdebrief.com.

107.189.5.249📋 Copy