213.95.149.22
IP Intelligence Briefing: 213.95.149.22
*Generated via IPDebrief Analysis*
---
**1. Core Threat Profile**
- Risk Score: 70 (High Risk)
- Threat Indicators:
- Tor exit node activity observed
- Blacklisted in 1 DNSBL (DNS-Based Open Resolver Pollution)
- No known malware campaigns or spam associations
- Network Role: Tor exit node (single-service host)
- Geolocation: Nuremberg, Bavaria, Germany (latitude 51.17, longitude 10.45)
---
**2. Ownership & Infrastructure**
- ISP: Noris Network (ASN 12337, RIPE registry)
- Network Classification:
- Subnet: 213.95.149.22/24 (abuse density: 0%)
- No malicious siblings or neighbors detected
- Services:
- Open SSH port (22/tcp) with banner: *"SSH-2.0-OpenSSH_10.0p2 Debian-7"*
- No TLS certificates or HTTP services detected
---
**3. Temporal Observations (Last 30 Days)**
- Signal Stability:
- 14 total observations (12/24 signals analyzed)
- Consistent Tor exit node classification (confidence: 0.29โ0.90)
- No significant changes in risk profile or network behavior
- Threat Persistence:
- No persistent malicious activity (threat persistence days: 0)
---
**4. Relationships & Dependencies**
- DNS Associations:
- PTR hostname: `tor.m-u.xyz` (linked to Tor exit node)
- No email authentication (SPF/DKIM/DARC) detected
- Network Relationships:
- Same network as `SMURF-EXTERN-NET` (likely internal or shared infrastructure)
- No direct ties to known malicious organizations or subnets
---
**5. Recommended Actions**
- Network Segmentation: Isolate traffic to/from Tor exit nodes to prevent misuse.
- Firewall Rules:
- Block SSH access to this IP unless explicitly required.
- Filter traffic to `tor.m-u.xyz` for further investigation.
- Monitoring:
- Track DNS queries to `tor.m-u.xyz` for potential command-and-control (C2) activity.
- Monitor for new Tor exit nodes in the 213.95.0.0/16 range.
---
Conclusion:
This IP is a Tor exit node linked to `tor.m-u.xyz`, which may be used for anonymized malicious activity. While the subnet shows no abuse, the Tor association and DNS ties warrant close monitoring. SOC teams should prioritize blocking Tor exit nodes and investigate the linked domain for potential threats.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
๐ข Ownership & Registration
| Organization | noris network netmaster |
| ASN | AS12337 |
| Network Name | โ |
| CIDR Block | โ |
| RIR | RIPE |
| Country | โ |
| Abuse Contact | Available via RDAP |
๐ DNS Intelligence
| PTR | tor.m-u.xyz |
| Forward Confirmed | Yes โ FCrDNS verified |
| Forward Hostnames | tor.m-u.xyz |
๐ DNS Hygiene
| Hygiene Score | 40% (Fair) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Verified |
| DNSSEC | Valid |
| CAA | Not configured |
โ๏ธ Network Classification
| Infrastructure | Unknown |
| Service Purpose | Single-Service Host |
| Network Tier | Tier 3 โ Basic operator with some routing infrastructure |
๐ Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 22 | ssh | tcp | |
| Closed Ports | 25, 80, 443, 3389, 8080, 8443 (1 open / 7 scanned) | ||
| Server | โ |
| HTTP Title | โ |
| SSH Version | SSH-2.0-OpenSSH_10.0p2 Debian-7 |
๐ TLS Certificate
| SANs | None |
| Valid From | โ |
| Valid Until | โ |
๐ฏ Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness
| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 22% | 2 | 4 |
| routing | 13% | 1 | 1 |
| services | 15% | 2 | 2 |
| ownership | 24% | 2 | 3 |
| reputation | 24% | 1 | 3 |
| geolocation | 27% | 2 | 3 |
| Overall | 21% | 10 | 16 |
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (70%) |
| OwnershipFCrDNSGeo ConsensusGeo PlausibleIRR MatchRPKI Valid |
๐ Observation Timeline ๐ Live
| First Seen | 2026-05-22 13:35:43 UTC |
| Last Seen | 2026-06-26 21:06:49 UTC |
| Profile Built | 2026-06-27 17:09:45 UTC |
| Data Freshness | Live |
| Signal Types | 24 |
| Total Observations | 53 |
Full dossier details are available via our API.