[VU+ Duo2] Same unknown remote streaming client in several boxes in different networks



karsta
22-12-21, 09:18
Please don't preach about not opening streaming to the internet. It's not what I'm after.
And sorry about the category. Either one was quite suitable for this general question.

I know of two different Duo2 boxes in different operator networks, each having totally different high ports forwarded to the HTTPS port locally.
The streaming and transcoding ports are also forwarded from other high ports. Streaming also requires a user and a password.
Both boxes are located in Europe. The images have been updated, but di

Recently both boxes showed a remote client from this same IP appearing again and again:

https://www.whois.com/whois/188.166.40.32

Both then changed the opened ports to totally different high ports, and passwords were changed as well.

For now the remote client from this same IP has appeared again on the other box but not (yet) on the second.
It looks like it does not use a tuner, and not much data is moving either.

What / who / how can that be? Has anyone else faced anything similar?

ccs
22-12-21, 09:39
I think you answered your own question in your first sentence. These boxes are not secure and opening up ports is asking for trouble.

You need to use a VPN.

Huevos
22-12-21, 10:22
So if the box is on a trusted network the hacker has access to all the devices on that network.
This box can also be used for sending unsolicited email and doing DDoS attacks.
Or as a stepping stone for hacking CIA/FBI, etc, and it will all come back to you.

No idea why people don't listen to the advice not to expose these boxes to the public internet.
And no idea how you think this is password protected, it is not, just a couple of ports are password protected.

karsta
22-12-21, 12:03
I know that but that's not the point.
How come one IP hit on several boxes? Without actually streaming anything, most likely.
No login either. What kind of connection is considered as a remote client?
I've never seen any other IP connected. But myself, of course.

Huevos
22-12-21, 13:20
"What kind of connection is considered as a remote client?"
Every connection is remote.

birdman
22-12-21, 14:02
"How come one IP hit on several boxes. Without actually streaming anything most likely."
Various bots will try lots of different ports on lots of addresses.
Some will connect.
What they try to do before they disconnect is up to them.
It might just be logged as a port on which there is a listener.
Something else may come along later to (try to) make more use of it.

BrokenUnusableAccount
23-12-21, 04:22
It's a known attack source.
https://db-ip.com/188.166.40.32

karsta
23-12-21, 07:34
Thank you Birdman and BefuddledBrian!
That's more like what I was after but didn't find myself. Especially the db-ip site information.