IP Intelligence Lookup

View geolocation, threat activity, WHOIS, blacklist status, and supporting network context in one report.

5.61.209.224

Report created 2026-05-26 16:00:46 UTC

Risk score: 100 / 100 (Critical)
Risk Factors
  • 6 URL feed(s) listed
  • Malicious (1): firehol_level1
  • honeypot activity (6351 events)
119 threat feeds checked; 5,214,886 total feed entries

AI Threat Assessment

The IP address 5.61.209.224 presents a Critical threat (risk score 100) and is owned by Amarutu Technology Ltd (AS206264), a hosting provider in the Seychelles. This rating is due to its confirmed malicious status across multiple threat intelligence feeds, including FireHOL Level 1-3, IPsum, and Binary Defense, and its high-volume interaction with honeypots (6,351 events in 48 hours). The open port 22 (SSH) on the attacker's machine, with a specific software banner, indicates potential scanning or brute-force activity. Given the confirmed malicious categorization and high-volume attack patterns, the recommended action is to block this IP at the network perimeter.

Location & Network

Where this IP address is physically located and which internet provider or organisation owns it. The map pin shows the approximate location; IP geolocation is accurate to the city level at best.

Country: Seychelles (SC)
World Region: Africa / Sub-Saharan Africa / Eastern Africa
Region: N/A
City: N/A
ASN: AS206264
Organization: Amarutu Technology Ltd
Timezone: Indian/Mahe
Lat / Lon: -4.5833, 55.6667

WHOIS

The official registration record for the IP address block. It shows who was allocated this range of IPs, how to contact their abuse team, and when the record was last updated.

CIDR Block: 5.61.209.0/24
IP Range: 5.61.209.0 - 5.61.209.255
Net Name: AMARUTU-NL16
Organisation: AMARUTU-TECHNOLOGY - Amarutu Technology Ltd, SC
Country: Netherlands (Europe / Western Europe)
Created: 2025-09-18
Updated: 2025-09-18
Abuse Email: abuse@koddos.com
Status: active

Threat Flags

Whether this IP appears in known Tor, proxy, or VPN databases.

Malicious: True
Tor Exit: False
Proxy: False
VPN / Anonymous: False

TLS Certificate

The security certificate this server presents when you connect over HTTPS. It proves the server's identity and enables encrypted communication.

Port 443 not reachable or no certificate.

Honeypot Activity

Whether this IP has been seen attacking honeypots, decoy systems set up to attract and log malicious traffic. Hits here are a strong indicator of scanning or attack activity.

This IP has been observed in honeypot activity
Count: 6351
Found: True
IP: 5.61.209.224
Time Range: 48h

Open Ports

Ports that are actively accepting connections on this IP right now. Each open port corresponds to a service or application. Unexpected open ports can indicate misconfiguration or malicious software.

| Port | Service | Banner |
|---|---|---|
| 22 | SSH | SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.15 |

Traceroute

The network path packets travel from this server to the target IP, hop by hop. Each row is a router along the way. The map shows the geographic path the traffic takes across the internet.

| # | Address | Country | ASN / Org | Type | RTT |
|---|---|---|---|---|---|
| 6 | 128.241.7.62 | United States | AS2914 NTT America, Inc. | Public | 0.38 ms |
| 7 | 129.250.3.9 | United States | AS2914 NTT America, Inc. | Public | 131.72 ms |
| 8 | 212.222.114.46 | Switzerland | AS3257 GTT Communications Inc. | Public | 106.23 ms |
| 9 | 129.250.2.110 | United States | AS2914 NTT America, Inc. | Public | 111.57 ms |
| 10 | 129.250.3.249 | United States | AS2914 NTT America, Inc. | Public | 112.39 ms |
| 11 | 129.250.5.150 | United States | AS2914 NTT America, Inc. | Public | 115.83 ms |
| 12 | 129.250.2.75 | United States | AS2914 NTT America, Inc. | Public | 115.73 ms |
| 13 | 5.61.209.224 (dest) | Seychelles | AS206264 Amarutu Technology Ltd | Public | |

Blacklist & Feed Checks

This IP was checked against hundreds of threat intelligence feeds and DNS blacklists maintained by security organisations worldwide. A Listed result means the IP appears in that feed, which may indicate malicious activity, spam, or abuse. Not every listing means active danger; some feeds are conservative and flag IPs for minor or historical reasons.

URL Feed Checks

| Feed | URL | Description | Entries | Status |
|---|---|---|---|---|
| EmergingThreats | http://rules.emergingthreats.net/blockrules/compromised-ips.txt | IPs known to host malware, botnets, or other malicious content, compiled by the Proofpoint Emerging Threats research team. | 516 | Not Listed |
| AlienVault | http://reputation.alienvault.com/reputation.data | Community-driven feed aggregating IPs reported for malicious activity from security researchers worldwide. | 609 | Not Listed |
| BlocklistDE | http://www.blocklist.de/lists/bruteforcelogin.txt | IPs caught brute-forcing login pages, auto-reported by servers running the blocklist.de honeypot agent. | 647 | Not Listed |
| Feodo | http://rules.emergingthreats.net/blockrules/compromised-ips.txt | IPs associated with Feodo/Emotet banking trojan infrastructure. | 516 | Not Listed |
| Abuse.ch Feodo Tracker | https://feodotracker.abuse.ch/downloads/ipblocklist.txt | Command-and-control servers for the Feodo/Emotet banking trojan family, tracked by abuse.ch. | 5 | Not Listed |
| Abuse.ch SSLBL | https://sslbl.abuse.ch/blacklist/sslipblacklist.txt | IPs communicating with malware over SSL, identified by abuse.ch via SSL certificate fingerprints. | 0 | Not Listed |
| CINS Army | https://cinsscore.com/list/ci-badguys.txt | IPs scoring poorly on the CINS (Collective Intelligence Network Security) reputation system based on internet background noise. | 15000 | Not Listed |
| Spamhaus DROP | https://www.spamhaus.org/drop/drop.txt | Netblocks Spamhaus recommends blocking entirely: hijacked or leased IP space used exclusively for criminal activity. | 1610 | Not Listed |
| Spamhaus EDROP | https://www.spamhaus.org/drop/edrop.txt | Extended DROP: suballocated netblocks controlled by spam gangs or criminal organisations not yet in DROP. | 0 | Not Listed |
| FireHOL Level 1 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset | The strictest FireHOL blocklist: IPs that are almost certainly hostile with very few false positives. Suitable for all networks. | 4452 | LISTED |
| Emerging Threats botcc | https://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt | Known botnet command-and-control IPs actively instructing malware, from Emerging Threats rule sets. | 1651 | Not Listed |
| Greensnow | https://blocklist.greensnow.co/greensnow.txt | IPs attacking SSH servers, reported by a globally distributed network of honeypots run by greensnow.co. | 5982 | Not Listed |
| FireHOL Level 2 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level2.netset | A broader known-bad IP set aggregated from multiple reputable threat intelligence feeds. | 17849 | LISTED |
| FireHOL Level 3 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level3.netset | Extended threat coverage including lower-confidence but still significant threat sources. | 13654 | LISTED |
| FireHOL Level 4 | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level4.netset | Widest FireHOL coverage; includes IPs flagged across numerous historical and current threat datasets. | 81359 | Not Listed |
| FireHOL Abusers 1d | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_1d.netset | IPs that performed abusive scanning or attack activity within the last 24 hours. | 4087 | Not Listed |
| FireHOL Abusers 30d | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_abusers_30d.netset | IPs with confirmed abusive behaviour in the past 30 days. | 136663 | Not Listed |
| FireHOL Anonymous | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_anonymous.netset | Aggregated Tor exit nodes, VPNs, and open proxies: sources used to mask the true origin of traffic. | 2246409 | Not Listed |
| FireHOL Webclient | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_webclient.netset | IPs known to originate malicious web-based attacks including drive-by exploits and web scraping campaigns. | 334 | Not Listed |
| Tor Exit Nodes | https://check.torproject.org/torbulkexitlist | Official Tor Project list of active exit nodes: IPs that relay anonymous Tor traffic onto the public internet. | 1278 | Not Listed |
| Tor Exit Nodes Fallback | https://check.torproject.org/cgi-bin/TorBulkExitList.py | Official Tor Project bulk exit list script endpoint used as a fallback source when the primary Tor feed is unavailable. | 1278 | Not Listed |
| Blocklist.de SSH | http://www.blocklist.de/lists/ssh.txt | IPs that have attempted brute-force attacks against SSH servers, reported via blocklist.de. | 4890 | Not Listed |
| Blocklist.de SMTP | http://www.blocklist.de/lists/mail.txt | IPs caught sending spam or attacking mail servers, reported via blocklist.de. | 13572 | Not Listed |
| IPsum | https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt | Aggregated threat intelligence scoring IPs by how many independent blacklists they appear on; higher scores mean more sources agree. | 122699 | LISTED |
| Abuse.ch Feodo Tracker Aggressive | https://feodotracker.abuse.ch/downloads/ipblocklist_aggressive.txt | Strict version of Feodo Tracker including suspected as well as confirmed C2 hosts. | 7607 | Not Listed |
| Team Cymru Full Bogons | https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt | IP ranges that should never appear on the public internet: unallocated, reserved, or private address space. | 2939 | Not Listed |
| Blocklist.de All | http://www.blocklist.de/lists/all.txt | Combined blocklist.de feed covering all attack types reported across all of their sensors. | 23849 | Not Listed |
| Blocklist.de Apache | http://www.blocklist.de/lists/apache.txt | IPs attacking Apache web servers with exploits or brute-force attempts. | 8760 | Not Listed |
| Blocklist.de Bots | http://www.blocklist.de/lists/bots.txt | Automated bot IPs scraping, scanning, or attacking web services. | 2680 | Not Listed |
| Blocklist.de SIP | http://www.blocklist.de/lists/sip.txt | IPs attempting to abuse or brute-force SIP/VoIP telephone systems. | 40 | Not Listed |
| Blocklist.de StrongIPs | http://www.blocklist.de/lists/strongips.txt | IPs with repeated, severe violations across multiple blocklist.de categories. | 292 | Not Listed |
| Binary Defense | https://www.binarydefense.com/banlist.txt | IPs observed performing internet-wide attacks, maintained by Binary Defense Systems' artillery honeypot project. | 1206 | LISTED |
| StopForumSpam Toxic | https://www.stopforumspam.com/downloads/toxic_ip_cidr.txt | CIDR ranges that are prolific sources of spam forum registrations and automated abuse. | 56 | Not Listed |
| VoIPBL | http://www.voipbl.org/update/ | IPs targeting VoIP infrastructure with toll fraud, SIP scanning, and brute-force attacks. | 90545 | Not Listed |
| DShield 1d | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/dshield_1d.netset | Top attacking IPs from the last 24 hours compiled by the SANS Internet Storm Center from global firewall logs. | 28 | LISTED |
| Etnetera Aggressive | https://security.etnetera.cz/feeds/etn_aggressive.txt | IPs performing active attacks on infrastructure, maintained by the Czech security firm Etnetera. | 452 | Not Listed |
| Blocklist.de Postfix | http://www.blocklist.de/lists/postfix.txt | IPs attacking Postfix mail servers, reported via blocklist.de. | 13572 | Not Listed |
| Mirai Tracker | https://mirai.security.gives/data/ip_list.txt | IPs actively running or previously running the Mirai IoT botnet, tracked by security researchers. | 0 | Not Listed |
| FireHOL Proxies | https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_proxies.netset | Open and anonymous proxies aggregated from multiple sources, used to relay or anonymise traffic. | 2240581 | Not Listed |
Total indicators checked across source URLs: 5067667

DNSBL Results

DNS Blacklists work differently from the URL feeds above. Instead of downloading a file of bad IPs, your system does a live DNS query (the same technology used to look up website addresses) and asks the blacklist operator in real time whether this IP is listed. It is faster and always up to date, but it only returns a yes or no with no entry count. The feeds above are bulk lists you download and search locally; DNSBLs are live lookups against someone else's database.

Not listed on any of the 50 checked DNSBLs
| DNSBL | Status | Details |
|---|---|---|
| b.barracudacentral.org | Not Listed | |
| bl.spamcop.net | Not Listed | |
| blacklist.woody.ch | Not Listed | |
| cbl.abuseat.org | Not Listed | |
| combined.abuse.ch | Not Listed | |
| combined.rbl.msrbl.net | Not Listed | |
| dnsbl.cyberlogic.net | Not Listed | |
| dnsbl.sorbs.net | Not Listed | |
| drone.abuse.ch | Not Listed | |
| drone.abuse.ch | Not Listed | |
| dul.dnsbl.sorbs.net | Not Listed | |
| dul.ru | Not Listed | |
| dynip.rothen.com | Not Listed | |
| http.dnsbl.sorbs.net | Not Listed | |
| images.rbl.msrbl.net | Not Listed | |
| ips.backscatterer.org | Not Listed | |
| korea.services.net | Not Listed | |
| misc.dnsbl.sorbs.net | Not Listed | |
| ohps.dnsbl.net.au | Not Listed | |
| omrs.dnsbl.net.au | Not Listed | |
| osps.dnsbl.net.au | Not Listed | |
| osrs.dnsbl.net.au | Not Listed | |
| owfs.dnsbl.net.au | Not Listed | |
| pbl.spamhaus.org | Not Listed | |
| phishing.rbl.msrbl.net | Not Listed | |
| probes.dnsbl.net.au | Not Listed | |
| proxy.bl.gweep.ca | Not Listed | |
| rbl.interserver.net | Not Listed | |
| rdts.dnsbl.net.au | Not Listed | |
| relays.bl.gweep.ca | Not Listed | |
| relays.nether.net | Not Listed | |
| residential.block.transip.nl | Not Listed | |
| ricn.dnsbl.net.au | Not Listed | |
| smtp.dnsbl.sorbs.net | Not Listed | |
| socks.dnsbl.sorbs.net | Not Listed | |
| spam.abuse.ch | Not Listed | |
| spam.dnsbl.sorbs.net | Not Listed | |
| spam.rbl.msrbl.net | Not Listed | |
| spam.spamrats.com | Not Listed | |
| spamrbl.imp.ch | Not Listed | |
| t3direct.dnsbl.net.au | Not Listed | |
| ubl.lashback.com | Not Listed | |
| ubl.unsubscore.com | Not Listed | |
| virus.rbl.jp | Not Listed | |
| virus.rbl.msrbl.net | Not Listed | |
| web.dnsbl.sorbs.net | Not Listed | |
| wormrbl.imp.ch | Not Listed | |
| xbl.spamhaus.org | Not Listed | |
| zen.spamhaus.org | Not Listed | |
| zombie.dnsbl.sorbs.net | Not Listed | |
