Check an IP Address, Domain Name, Subnet, or ASN

104.129.23.103 was found in our database!

$ whois 104.129.23.103

country·🇺🇸 United States

isp·HostPapa

asn·AS36352

network·Standard

$ sikker risk 104.129.23.103scoring →

confidence

81%Very High

first_seen·Apr 2, 2026

last_seen·4h ago

sessions·6

events·6

$ sikker protocols 104.129.23.103

HTTP

2 / 2

HTTPS

2 / 2

TELNET

1 / 1

ELASTICSEARCH

1 / 1

$ sikker summary 104.129.23.103

104.129.23.103 has a threat confidence score of 81%. This IP address from United States (AS36352, HostPapa) has been observed in 6 honeypot sessions targeting HTTP, HTTPS, TELNET, ELASTICSEARCH protocols. Detected attack patterns include telnet shell escalation with busybox execution attempt. First observed on April 2, 2026, most recently active April 5, 2026.

$ sikker behaviors 104.129.23.103catalog →

highTelnet Shell Escalation With Busybox Execution Attempt1x

Telnet session exhibiting privilege escalation and shell breakout commands (enable, system, shell, sh) followed by execution of /bin/busybox with a non-standard or arbitrary applet name. The sequence indicates an attempt to escape restricted CLI environments and execute a staged or randomly named payload via BusyBox. The presence of an unknown BusyBox applet strongly suggests automated bot deployment logic rather than legitimate administrative activity.

lowElastic Service Validation And Index Enumeration1x

Client first performs a generic request to the Elasticsearch root endpoint to verify service availability, then proceeds to request /_cat/indices. This sequence reflects staged Elasticsearch reconnaissance where the actor validates that the cluster is reachable before attempting index enumeration and data exposure assessment. Compared to direct index enumeration behaviors, the interaction begins with a service-validation step, suggesting adaptive probing rather than immediate Elasticsearch-specific targeting.

infoHttp Http Method Get1x

HTTP request using GET method.

infoHttp Root Path Request1x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 104.129.23.103

elastic_http_get_request3 elastic_root_path_probe2 http_method_get1 https_path_root1 telnet_command_sh1 telnet_command_shell1 telnet_command_enable1 telnet_command_system1 elastic_cat_indices_enumeration1 telnet_busybox_unknown_applet_invocation1

$ sikker related 104.129.23.103

🇺🇸·More threats fromUnited States→AS·More threats fromHostPapa→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→TELN·More threats targetingTELNET→ELAS·More threats targetingELASTICSEARCH→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
172.245.12.182	87%	9
192.3.226.179	56%	1
192.3.90.20	98%	326
198.46.145.235	82%	6
23.95.156.185	31%	7

IP Address	Confidence	Events
71.184.116.177	79%	1,007
71.43.12.114	71%	160
173.255.229.166	91%	50
185.218.138.28	97%	8,816
209.222.101.54	99%	56,143