# IP Intelligence Briefing: 92.118.39.29/32
## Executive Summary
The target IP address 92.118.39.29 was classified as a moderate-risk multi-service host with an overall risk score of 40. The address operates within a /24 subnet exhibiting elevated abuse density, with 23 of 40 sibling IPs flagged as threats. Historical observation data indicates consistent moderate-risk classification over the monitoring period with no evidence of persistent malicious activity.
## Network Classification and Ownership
The IP address was identified as belonging to ASN 47890 under RIPE NCC registration. The profile indicated an abuse contact role object with geolocation data pointing to the Netherlands (NL) with regional assignment to Texas, Dallas. The address operated as a multi-service host rather than a cloud, CDN, VPN, or proxy service.
## Service Fingerprint and Port Exposure
Network scans revealed the target host running:
- Port 80/TCP: HTTP service running Apache/2.4.58 (Ubuntu)
- Port 22/TCP: SSH service running OpenSSH_9.6p1 Ubuntu-3ubuntu13.16
The HTTP fingerprint showed standard Apache headers with HTTP/1.1 protocol support, 200 OK response status, and a time-to-first-byte (TTFB) of 265ms. The server lacked HSTS, Content Security Policy, or HTTP/2 configuration.
## Threat Indicators and Reputation
Threat indicators analysis returned no known malicious activity. The IP was not identified as:
- A Tor exit node
- A known attacker
- A spam source
Blacklist analysis showed zero blacklist entries despite one DNSBL listing across eight monitored lists. Campaign correlation returned no matches, with zero correlated IPs and zero certificate subject matches.
## Neighborhood Analysis
The target IP resides within the 92.118.39.0/24 subnet, which demonstrated high abuse classification. The neighborhood analysis revealed:
- 40 total sibling IPs in the /24 subnet
- 25 active siblings currently observed
- 23 threat siblings flagged for malicious activity
- Abuse density of 0.575 (profile) / 0.3 (neighborhood report)
Risk distribution within the subnet showed 12 high-risk IPs, 26 medium-risk IPs, and 2 low-risk IPs. Notable high-risk neighbors included:
- 92.118.39.62: Risk score 80
- 92.118.39.72: Risk score 80
- 92.118.39.92: Risk score 65
- 92.118.39.145: Risk score 80
## Control Plane and Routing
BGP routing data showed the origin ASN as 47890 with BGP prefix 92.118.39.0/24. The route exhibited instability, with isRouteStable flagged as false. RPKI state and IRR consistency data returned null values. DNSSEC validation was confirmed as valid.
## Historical Observation Trends
The monitoring system recorded 19 observations over the observation period. Signal types included network classification, ownership, geolocation, reputation, and routing data. Confidence levels ranged from 0.21 to 0.30 across observations. The timeline showed:
- Recent observations as of 2026-06-24
- Consistent geolocation inference to NL with 225km accuracy radius
- No significant changes in threat persistence or ownership over the monitoring window
- Threat persistence days recorded at 0
## Relationship Graph
The IP relationship graph returned 15 relationships, all classified as "Same Network" type with target values of "DMZHOST." No external relationships to hostnames, organizations, or certificates were identified.
## Recommendations
Based on the moderate risk classification and subnet-level abuse density, the following defensive measures are recommended:
1. Monitor closely: The subnet's high abuse classification (0.575 density) warrants enhanced monitoring of this IP and its neighbors
2. Block SSH port 22: Standard hardening measure for exposed SSH services
3. Monitor HTTP activity: Port 80 traffic should be logged and analyzed for anomalies
4. Watch neighborhood: The 23 threat siblings within the /24 subnet suggest coordinated abuse activity may exist
5. No immediate block: The moderate risk score (40) and lack of direct threat indicators suggest continued monitoring rather than immediate blocking
## Conclusion
IP 92.118.39.29 presents as a moderately risky multi-service host within a high-abuse subnet. While the IP itself showed no direct threat indicators, the neighborhood context and elevated abuse density suggest maintaining elevated vigilance. The address operated consistently throughout the observation period with no evidence of escalation or persistent malicious behavior.
This summary was generated by AI and may contain inaccuracies. Verify critical details independently.
## Ownership & Registration
| Field | Value |
|---|---|
| Organization | Abuse contact role object |
| ASN | AS47890 |
| Network Name | - |
| CIDR Block | - |
| RIR | RIPE |
| Country | - |
| Abuse Contact | Available via RDAP |
## DNS Intelligence
| Field | Value |
|---|---|
| PTR Record | No PTR |
| Forward Confirmed | No - PTR hostname does not resolve back to this IP (weak signal) |
## DNS Hygiene
| Field | Value |
|---|---|
| Hygiene Score | 20% (Poor) |
| SPF | Not configured |
| DMARC | Not configured |
| FCrDNS | Not verified |
| DNSSEC | Valid |
| CAA | Not configured |
## Network Classification
| Field | Value |
|---|---|
| Infrastructure | Unknown |
| Service Purpose | Multi-Service Host |
| Network Tier | Unknown - Insufficient routing data to classify |
## Services & Open Ports
| Port | Service | Protocol | Banner |
|---|---|---|---|
| 80 | http | tcp | - |
| 22 | ssh | tcp | |

| Field | Value |
|---|---|
| Closed Ports | 25, 443, 3389, 8080, 8443 (2 open / 7 scanned) |
| Server | Apache/2.4.58 (Ubuntu) |
| HTTP Title | - |
| SSH Version | SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.16 |
## TLS Certificate
| Field | Value |
|---|---|
| SANs | None |
| Valid From | - |
| Valid Until | - |
## Confidence Breakdown
Per-dimension confidence scores based on source diversity and data freshness.

| Dimension | Score | Sources | Observations |
|---|---|---|---|
| threat | 27% | 2 | 3 |
| routing | 13% | 1 | 1 |
| services | 24% | 2 | 3 |
| ownership | 27% | 2 | 3 |
| reputation | 13% | 1 | 2 |
| geolocation | 19% | 2 | 2 |
| Overall | 20% | 10 | 14 |

| Field | Value |
|---|---|
| Data Coherence | Consistent (100%) |
| Attribution | Moderate (50%) |
| Attribution Factors | Ownership, FCrDNS, Geo Consensus, Geo Plausible, IRR Match, RPKI Valid |
## Observation Timeline (Live)
| Field | Value |
|---|---|
| First Seen | 2026-05-07 23:04:42 UTC |
| Last Seen | 2026-06-24 01:12:56 UTC |
| Profile Built | 2026-06-24 01:21:13 UTC |
| Data Freshness | Live |
| Signal Types | 18 |
| Total Observations | 18 |