# IP Intelligence Briefing: 185.111.156.245
## Executive Summary
IP 185.111.156.245 is classified as Moderate Risk (Risk Score: 65/100). The address is associated with Contabo cloud infrastructure and has been flagged across multiple threat intelligence feeds. Recent observation history indicates active threat indicators, with the IP appearing on 3 out of 8 DNS blacklists including high-severity listings.
---
## Technical Profile
### Ownership & Infrastructure
- ASN: AS40021
- Organization: Johannes Selg
- Provider: Contabo
- Infrastructure Type: CloudCompute (VPS hosting)
- CIDR Block: 185.111.156.0/24
- Geolocation: Warsaw, Poland (Region 14)
### DNS Resolution
- PTR Hostname: vmi2817870.contaboserver.net
- Forward Resolution: vmi2817870.contaboserver.net
- Status: Forward confirmed (1 hostname)
- Email Authentication: No SPF or DMARC records configured
### Network Classification
- Cloud Provider: Yes (Contabo)
- Hosting Service: Yes
- Open Ports: None detected
- Service Status: Firewalled / No Services exposed
- Tor Exit Node: No
- Known Attacker: No
- Spam Source: Flagged in threat feeds
---
## Threat Indicators
### Current Risk Assessment
- Risk Score: 65/100
- DNSBL Listings: 3/8 total lists (listed)
- Abuse Confidence Score: Not available
- Operator Score: 0.2609 (Basic)
### Observed Threat Activity
- Threat Persistence: 1 observation recorded
- Campaign Correlation: No direct campaign matches
- Threat Feeds: Multiple nested threat indicators detected in recent observations
### Historical Timeline (21 Total Observations)
| Date | Signal Type | Key Findings |
|---|---|---|
| 2026-06-20 | Threat Indicators | High confidence threat activity (0.85) |
| 2026-06-15 | DNS/Control Plane | Basic operator score (0.60) |
| 2026-06-15 | DNSBL Listings | 3 lists flagged, max severity: high |
| 2026-06-15 | General Profile | 6 dimensions covered, confidence 0.23 |
---
## Neighborhood Analysis
- Subnet: 185.111.156.0/24
- Abuse Density: 1 (moderate)
- Classification: Mostly clean
- Active Siblings: 0
- Threat Siblings: 1
- Inherited Risk: 2
---
## Recommended Security Actions
### Immediate Actions
1. Increase logging verbosity and review recent activity from this IP (High Severity)
2. Block at perimeter firewall based on risk profile
### Firewall Rules by Platform
iptables:
```bash
iptables -A INPUT -s 185.111.156.245 -j DROP
```
nftables:
```bash
nft add rule inet filter input ip saddr 185.111.156.245 drop
```
nginx:
```nginx
deny 185.111.156.245;
```
pfSense:
```
185.111.156.245/32
```
Cloudflare WAF:
```json
{
"description": "Block 185.111.156.245 - IPDebrief risk score 65",
"action": "block",
"filter": {
"expression": "ip.src eq 185.111.156.245"
}
}
```
AWS WAF:
```json
{
"Addresses": ["185.111.156.245/32"],
"Description": "IPDebrief risk 65"
}
```
---
## Intelligence Context
The IP address resolves to a VPS instance (vmi2817870.contaboserver.net) hosted on Contabo infrastructure. While no active open services were detected, the presence of DNS blacklisting and recent threat feed activity suggests the address may have been used for malicious purposes previously or is currently compromised. The geolocation data shows inconsistencies between profile (DE) and historical observations (PL), which is common for cloud-hosted infrastructure.
Recommendation: Monitor for renewed activity if unblocked. Implement block rules at perimeter defenses and consider extended logging for forensic analysis if traffic is observed.
---
*Report generated: IPDebrief Intelligence Platform*
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Johannes Selg |
| ASN | AS40021 |
| Network Name | Not available |
| CIDR Block | Not available |
| RIR | RIPE |
| Country | Not available |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR | vmi2817870.contaboserver.net |
| Forward Confirmed | No: PTR hostname does not resolve back to this IP (weak signal) |
| Forward Hostnames | vmi2817870.contaboserver.net |
## DNS Hygiene
| Check | Result |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Infrastructure / Datacenter |
| Service Purpose | Firewalled / No Services |
| Network Tier | Hosting: Infrastructure provider without advanced routing |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| No open ports detected | | | |

| Field | Value |
|---|---|
| Server | Not available |
| HTTP Title | Not available |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | Not available |
| Valid Until | Not available |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 35% | 2 | 3 |
| routing | 8% | 1 | 1 |
| services | 8% | 1 | 1 |
| ownership | 20% | 2 | 3 |
| reputation | 28% | 1 | 3 |
| geolocation | 25% | 2 | 2 |
| Overall | 21% | 9 | 13 |

| Metric | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-19 21:39:35 UTC |
| Last Seen | 2026-06-28 09:43:40 UTC |
| Profile Built | 2026-06-29 03:48:09 UTC |
| Data Freshness | Live |
| Signal Types | 19 |
| Total Observations | 22 |
Full dossier details are available via our API.