Check an IP Address, Domain Name, Subnet, or ASN

103.167.243.119 was found in our database!

$ whois 103.167.243.119

country·🇮🇳 India

isp·DEMOTIC TECHNOLOGIES PRIVATE LIMITED

asn·AS141844

network·Standard

$ sikker risk 103.167.243.119scoring →

confidence

100%Very High

first_seen·Feb 17, 2026

last_seen·28d ago

sessions·51

events·51

$ sikker protocols 103.167.243.119

TELNET

51 / 51

$ sikker summary 103.167.243.119

103.167.243.119 has a threat confidence score of 100%. This IP address from India (AS141844, DEMOTIC TECHNOLOGIES PRIVATE LIMITED) has been observed in 51 honeypot sessions targeting TELNET protocols. Detected attack patterns include telnet busybox shell activation with capability check, telnet busybox multi method payload retrieval and execution, telnet shell breakout with busybox payload execution. First observed on February 17, 2026, most recently active February 22, 2026.

$ sikker behaviors 103.167.243.119catalog →

highTelnet Busybox Shell Activation With Capability Check45x

Identifies a Telnet session where BusyBox is leveraged to activate or access a shell environment (sh, shell, system, linuxshell, enable) followed by command capability validation (ping). This pattern reflects deliberate shell breakout and execution-context validation commonly observed in IoT botnets and embedded Linux compromise workflows. The presence of multiple shell invocation variants combined with BusyBox applet usage indicates adaptive execution logic rather than incidental command usage.

highTelnet Busybox Multi Method Payload Retrieval And Execution2x

Identifies a Telnet session where an attacker leverages BusyBox utilities to retrieve a remote payload using one or more file transfer mechanisms (e.g., wget, curl, ftpget, or tftp) followed by execution of the downloaded script via sh. This pattern is consistent with IoT botnet propagation and automated malware deployment.

highTelnet Shell Breakout With Busybox Payload Execution1x

Telnet session exhibiting privilege escalation and shell breakout attempts (enable, system, linuxshell, shell, sh) followed by execution of /bin/busybox with a non-standard or arbitrary applet name. The combination indicates an automated attempt to escape restricted CLI environments and execute a staged or randomly named payload via BusyBox. This pattern is characteristic of IoT/Linux bot deployment frameworks leveraging BusyBox as a universal execution wrapper.

$ sikker primitives 103.167.243.119

telnet_command_sh101 telnet_command_shell48 telnet_command_enable48 telnet_command_system48 telnet_command_linuxshell48 telnet_busybox_unknown_applet_invocation48 telnet_command_ping47 telnet_busybox_wget_execution2 telnet_sh_execute_downloaded_script2 telnet_busybox_ftpget_remote_file_download2 telnet_busybox_tftp_get_remote_file_stdout2 telnet_curl_remote_script_stdout_execution2

$ sikker related 103.167.243.119

🇮🇳·More threats fromIndia→AS·More threats fromDEMOTIC TECHNOLOGIES PRIVATE LIMITED→TELN·More threats targetingTELNET→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
103.167.243.67	44%	144
103.167.243.120	44%	1

IP Address	Confidence	Events
103.24.63.85	85%	4,385
117.236.124.166	48%	52
165.22.218.119	79%	10,041
49.205.198.2	95%	1,045
125.20.228.146	59%	811