Check an IP Address, Domain Name, Subnet, or ASN

101.36.104.242 was found in our database!

$ whois 101.36.104.242

country·🇯🇵 Japan

city·Tokyo

isp·UCLOUD INFORMATION TECHNOLOGY HK LIMITED

asn·AS135377

network·Standard

$ sikker risk 101.36.104.242scoring →

confidence

100%Very High

first_seen·Jan 20, 2026

last_seen·16h ago

first_reported·Mar 1, 2026

last_reported·Mar 13, 2026

sessions·488

events·3,549

reports·2

$ sikker protocols 101.36.104.242

HTTPS

115 / 1,536

HTTP

141 / 1,439 / 1r

TELNET

52 / 242

DOCKER

120 / 235

SSH

60 / 97 / 1r

$ sikker summary 101.36.104.242

101.36.104.242 has a threat confidence score of 100%. This IP address from Japan (AS135377, UCLOUD INFORMATION TECHNOLOGY HK LIMITED) has been observed in 488 honeypot sessions and reported 2 times targeting HTTPS, HTTP, TELNET, DOCKER, SSH protocols. Detected attack patterns include http mass web rce exploitation scanning, docker remote exec via api. First observed on January 20, 2026, most recently active April 12, 2026.

$ sikker behaviors 101.36.104.242catalog →

highHttp Mass Web Rce Exploitation Scanning119x

Coordinated automated exploitation attempts targeting public-facing web services, including PHPUnit eval-stdin access, PHP-CGI argument injection, Docker API exposure, directory traversal, ThinkPHP invokeFunction abuse, and command execution patterns (wget/curl pipe to shell). Identifies opportunistic bot-driven RCE scanning and framework-specific exploit chaining against internet-exposed applications.

highDocker Remote Exec Via Api23x

Attacker interaction with an exposed Docker Engine API resulting in container enumeration followed by remote command execution inside running containers. The sequence of GET /containers/json and subsequent POST /containers/{id}/exec and /exec/{id}/start calls represents deliberate hands-on-keyboard activity where the adversary uses the Docker daemon as a control plane to execute commands, deploy payloads, or pivot further within the host environment. This behavior reflects active container abuse observed directly through high-interaction honeypot instrumentation.

$ sikker primitives 101.36.104.242

http_method_get5564 http_php_echo_md5_hello_phpunit_marker4884 docker_post_method357 php_phpunit_md5_marker333 http_body_wget_curl_pipe_to_sh_selfrep264 http_thinkphp_invokefunction_call_user_func_array_md5264 http_php_cgi_allow_url_include_auto_prepend_input_injection264 docker_container_exec_path238 http_php_shell_exec_base64_decode_cve_2024_4577_attempt150 http_cgi_bin_direct_bin_sh_access132 http_phpunit_eval_stdin_php_path_access132 http_phpunit_license_eval_stdin_path_probe132 http_docker_api_containers_json_path_access132 http_phpunit_util_php_eval_stdin_path_access132 http_root_phpunit_src_eval_stdin_path_access132 http_root_phpunit_util_eval_stdin_path_access132 http_double_vendor_phpunit_eval_stdin_path_probe132 http_phpunit_src_util_php_eval_stdin_path_access132 http_root_phpunit_util_php_eval_stdin_path_access132 http_lang_parameter_deep_path_traversal_tmp_index1132

$ sikker reports 101.36.104.242submit →

Showing 2 of 2 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 13, 2026, 10:56	Brute Force	HTTP	SikkerGuard: 2 blocked packets
User	Mar 1, 2026, 16:45	Brute Force	SSH	SikkerGuard: 2 blocked packets

$ sikker related 101.36.104.242

🇯🇵·More threats fromJapan→AS·More threats fromUCLOUD INFORMATION TECHNOLOGY HK LIMITED→HTTP·More threats targetingHTTPS→HTTP·More threats targetingHTTP→TELN·More threats targetingTELNET→DOCK·More threats targetingDOCKER→SSH·More threats targetingSSH→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
101.36.106.113	100%	1,128
152.32.247.233	96%	2,595
107.150.117.60	96%	1,243
118.193.56.172	93%	347
152.32.216.180	96%	1,373

IP Address	Confidence	Events
13.231.239.44	97%	2,931
133.18.220.155	96%	1,598
137.220.227.200	96%	5,624
43.128.233.120	96%	6,867
52.193.244.90	97%	1,199