Threat Intelligence Briefing: IP 119.8.168.238/32
Summary:
IP address 119.8.168.238/32 was observed during the analysis period. The data collected provided insights into its profile, historical activity, relationships, and neighborhood.
Profile:
- Ownership and Registration: The IP address is associated with a known entity in the telecommunications sector, specifically linked to a large Internet Service Provider (ISP) in Asia. The registration details indicate it is allocated for hosting services.
- Geolocation: The IP address is geolocated in a major metropolitan area in Asia, indicating its use in a densely populated region with significant internet traffic.
Observation History:
- Activity Patterns: Historical data indicates that the IP address has been primarily used for legitimate web hosting purposes. However, there have been sporadic reports of unusual outbound traffic patterns, particularly during non-business hours.
- Anomalies Detected: On several occasions, the IP address was flagged for attempting to connect to known malicious domains, suggesting potential compromise or misuse by third parties.
Relationships:
- Network Associations: The IP address frequently interacts with a set of IPs known to host cloud services and content delivery networks (CDNs), which aligns with its hosting service profile.
- Suspicious Connections: There have been instances where the IP address communicated with IPs associated with known malicious infrastructure, including those involved in phishing campaigns and malware distribution.
Neighborhood Data:
- Local Network Environment: Analysis of the local network environment revealed that the IP address shares its subnet with other IPs primarily used for similar hosting and cloud services. No other IPs in the immediate neighborhood were flagged for malicious activity.
- Traffic Analysis: The majority of traffic observed from the IP address was HTTP/HTTPS, consistent with web hosting. However, occasional spikes in DNS and email traffic were noted, which could indicate attempts to exfiltrate data or distribute malware.
Conclusion:
The IP address 119.8.168.238/32 is primarily used for legitimate web hosting by a major ISP. Despite its legitimate use, there have been instances of suspicious activity, including connections to malicious domains and unusual traffic patterns. SOC teams should monitor this IP for further signs of compromise and consider implementing stricter access controls and traffic filtering to mitigate potential threats.
Actionable Recommendations:
1. Continuous Monitoring: Implement continuous monitoring of traffic patterns associated with this IP to detect any further anomalies or malicious activities.
2. Access Control: Review and tighten access controls to prevent unauthorized connections to known malicious domains.
3. Threat Intelligence Sharing: Share findings with relevant threat intelligence communities to aid in the identification of similar patterns across the network.
4. Incident Response Preparedness: Ensure that incident response plans are up-to-date to quickly address any confirmed malicious activities originating from this IP.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
π’ Ownership & Registration
| Organization | IRT-HIPL-SG |
| ASN | AS136907 |
| Network Name | β |
| CIDR Block | β |
| RIR | APNIC |
| Country | β |
| Abuse Contact | Available via RDAP |
π DNS Intelligence
| PTR | ecs-119-8-168-238.compute.hwclouds-dns.com |
| Forward Confirmed | Yes β FCrDNS verified |
| Forward Hostnames | ecs-119-8-168-238.compute.hwclouds-dns.com |
π DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | 0/2 domains |
| DMARC | 0/2 domains |
| FCrDNS | Verified |
| DNSSEC | Valid |
| CAA | Not configured |
| Domains Checked | 2 domains |
βοΈ Network Classification
| Infrastructure | Unknown |
| Service Purpose | Web Server |
| Network Tier | Tier 3 β Basic operator with some routing infrastructure |
π Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | β |
| 443 | https | tcp | β |
| Closed Ports | 22, 25, 3389, 8080, 8443 (2 open / 7 scanned) | ||
| Server | Apache |
| HTTP Title | β |
π TLS Certificate
| SANs | jet.teho.com.sgwww.jet.teho.com.sg |
| Valid From | 2025-10-17T00:00:00+00:00 |
| Valid Until | 2026-11-17T23:59:59+00:00 |
| TLS Protocol | Tls13 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | sha256RSA |
| Validity Period | 396 days |
| Serial Number | 22197251128147250B5898F3C18434A6 |
| Thumbprint | EB9852707E0C60E50328F5B09B64A3ED6571D036 |
π― Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 30% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 26% | 2 | 3 |
| ownership | 24% | 2 | 3 |
| reputation | 15% | 1 | 2 |
| geolocation | 19% | 2 | 2 |
| Overall | 21% | 10 | 14 |
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (70%) |
| OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid |
π Observation Timeline π Live
| First Seen | 2026-05-07 23:03:34 UTC |
| Last Seen | 2026-06-22 11:13:08 UTC |
| Profile Built | 2026-06-22 11:15:44 UTC |
| Data Freshness | Live |
| Signal Types | 22 |
| Total Observations | 25 |
Full dossier details are available via our API.