Check an IP Address, Domain Name, Subnet, or ASN

104.152.52.121 was found in our database!

$ whois 104.152.52.121

country·🇺🇸 United States

isp·Rethem Hosting LLC

asn·AS14987

network·Standard

$ sikker risk 104.152.52.121scoring →

confidence

75%High

first_seen·Jan 21, 2026

last_seen·1h ago

sessions·118

events·143

$ sikker protocols 104.152.52.121

SMB

30 / 31

SIP

17 / 23

SSH

17 / 23

HTTPS

15 / 17

SMTP

12 / 16

POSTGRES

14 / 14

HTTP

4 / 8

TELNET

3 / 5

MSSQL

2 / 2

FTP

1 / 1

IMAP

1 / 1

DOCKER

1 / 1

MONGODB

1 / 1

$ sikker summary 104.152.52.121

104.152.52.121 has a threat confidence score of 75%. This IP address from United States (AS14987, Rethem Hosting LLC) has been observed in 118 honeypot sessions targeting SMB, SIP, SSH, HTTPS, SMTP and 8 other protocols. First observed on January 21, 2026, most recently active March 25, 2026.

$ sikker behaviors 104.152.52.121catalog →

mediumMongodb Version Fingerprinting Reconnaissance1x

Remote client performs MongoDB service validation and environment fingerprinting by first initiating a wire-protocol handshake (ismaster / hello) followed by execution of the buildInfo command against the admin database. This sequence indicates targeted reconnaissance to determine server role, software version, build characteristics, and platform details. Such activity is commonly associated with automated scanning frameworks and pre-exploitation tooling used to assess exposure and identify version-specific vulnerabilities prior to authentication attempts or database enumeration

infoHttps Root Path Request2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoHttp Root Path Request1x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoDocker Invalid Protocol Probe1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

$ sikker primitives 104.152.52.121

http_method_get2 https_path_root2 smtp_ehlo_greeting2 smtp_mail_from_envelope_sender2 smtp_rcpt_to_recipient_declaration2 ftp_help_request1 mongodb_ismaster1 docker_get_method1 docker_bad_request_uri1 ftp_system_type_request1 ftp_feature_list_request1 smtp_starttls_upgrade_request1 mongodb_buildinfo_admin_command1 sip_call_id_alphanumeric_entropy1

$ sikker related 104.152.52.121

Report IP WHOIS Lookup →

IP Address	Confidence	Events
104.152.52.118	48%	121
104.152.52.122	49%	129
104.152.52.100	65%	184
104.152.52.115	77%	160
104.152.52.107	50%	139

IP Address	Confidence	Events
66.132.195.88	71%	19
66.132.186.190	66%	33
66.132.195.49	82%	62
208.3.195.65	100%	101,825
134.209.63.62	50%	52