IP Intelligence Briefing: 185.243.218.231
Date: 2026-06-09
---
**1. Core Risk Profile**
- Risk Score: 70 (High Risk)
- Threat Indicators:
  - Tor exit node observed (100% confidence).
  - DNSBL listing (1/8 lists).
- Ownership:
  - ASN: AS56655 (GIGAHOST, Norway).
  - Geolocation: Sandefjord, Vestfold, Norway (latitude 59.9452, longitude 10.7559).
- Network Role:
  - Identified as a Tor exit node.
  - Services: HTTP/HTTPS (ports 80, 443, 8443) with nginx server banner.
  - TLS certificate: Issued to `www.a7a6hwrfljclqb6wt.com`, subject `www.fcyahto422cu.net` (self-signed).
---
**2. Temporal Observations**
- First Seen: 2026-06-09 (1 observation).
- Signal Trends:
  - Consistent Tor exit node activity.
  - No persistent malicious behavior detected.
---
**3. Network Relationships**
- Subnet: 185.243.218.0/24 (GIGAHOST-NET).
- Neighbors (6 total):
  - 5 IPs with low risk (scores 25–70).
  - 1 IP (185.243.218.225) with elevated risk (66).
- Subnet Abuse Density: 0% (clean).
---
**4. Threat Context**
- Tor Exit Node: High-risk association with Tor network, often used in covert communications or C2 operations.
- SSL Certificate: Self-signed certificate with suspicious domain names (potential phishing or MITM risks).
- DNS Security: DNSSEC validated, but no CAA records detected.
---
**5. Actionable Insights**
- SOC Recommendation:
  - Block traffic from this IP unless explicitly required for Tor-related operations.
  - Monitor the subnet (185.243.218.0/24) for Tor exit node activity.
  - Investigate the TLS certificate's origin to confirm legitimacy.
- Firewall Rules:
  - Implement deny rules for this IP in iptables/nftables.
  - Add to Cloudflare/AWS WAF blocking lists if applicable.
---
Conclusion: This IP is a Tor exit node with high-risk indicators. While the subnet appears clean, its association with Tor necessitates close monitoring for potential misuse in cyberattacks.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
**Ownership & Registration**
| Field | Value |
|---|---|
| Organization | AS56655-MNT |
| ASN | AS56655 |
| Network Name | N/A |
| CIDR Block | N/A |
| RIR | RIPE |
| Country | N/A |
| Abuse Contact | Available via RDAP |
**DNS Intelligence**
| Field | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No (PTR hostname does not resolve back to this IP; weak signal) |
**DNS Hygiene**
| Field | Value |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
**Network Classification**
| Field | Value |
|---|---|
| Infrastructure | Unknown |
| Service Purpose | Web Server |
| Network Tier | Unknown (insufficient routing data to classify) |
**Services & Open Ports**
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | N/A |
| 443 | https | tcp | N/A |
| 8443 | https-alt | tcp | N/A |

| Field | Value |
|---|---|
| Closed Ports | 22, 25, 3389, 8080 (3 open / 7 scanned) |
| Server | nginx/1.24.0 (Ubuntu) |
| HTTP Title | N/A |
**TLS Certificate**
CN=www.fcyahto422cu.net was found on this IP. This may indicate a previously hosted website, a decommissioned service, or stale infrastructure.

| Field | Value |
|---|---|
| SANs | None |
| Valid From | 2026-05-07T00:00:00+00:00 |
| Valid Until | 2026-06-11T23:59:59+00:00 (expired) |
| TLS Protocol | Tls13 |
| Cipher Suite | TLS_AES_256_GCM_SHA384 |
| Signature Algorithm | sha256RSA |
| Validity Period | 35 days |
| Serial Number | 30128C14835CE878 |
| Thumbprint | 209840F7261E94A6B4BF80CC978A0891E08BE126 |
**Confidence Breakdown**
Per-dimension confidence scores based on source diversity and data freshness.
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 28% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 26% | 2 | 3 |
| ownership | 24% | 2 | 3 |
| reputation | 24% | 1 | 3 |
| geolocation | 27% | 2 | 3 |
| Overall | 24% | 10 | 16 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Attribution Checks | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
**Observation Timeline (Live)**
| Field | Value |
|---|---|
| First Seen | 2026-05-22 13:35:43 UTC |
| Last Seen | 2026-06-26 21:06:50 UTC |
| Profile Built | 2026-06-27 19:25:29 UTC |
| Data Freshness | Live |
| Signal Types | 21 |
| Total Observations | 49 |