Check an IP Address, Domain Name, Subnet, or ASN

104.152.52.212 was found in our database!

$ whois 104.152.52.212

country·🇺🇸 United States

isp·Rethem Hosting LLC

asn·AS14987

network·Standard

$ sikker risk 104.152.52.212scoring →

confidence

78%High

first_seen·Jan 20, 2026

last_seen·4h ago

sessions·184

events·255

$ sikker protocols 104.152.52.212

SIP

30 / 46

HTTPS

22 / 32

SMB

31 / 31

SMTP

15 / 28

SSH

20 / 26

POSTGRES

23 / 25

TELNET

11 / 17

HTTP

10 / 12

REDIS

2 / 10

RDP

9 / 9

FTP

3 / 7

RTSP

2 / 4

IMAP

3 / 3

DOCKER

1 / 3

MSSQL

1 / 1

MONGODB

1 / 1

$ sikker summary 104.152.52.212

104.152.52.212 has a threat confidence score of 78%. This IP address from United States (AS14987, Rethem Hosting LLC) has been observed in 184 honeypot sessions targeting SIP, HTTPS, SMB, SMTP, SSH and 11 other protocols. First observed on January 20, 2026, most recently active March 23, 2026.

$ sikker behaviors 104.152.52.212catalog →

mediumMongodb Version Fingerprinting Reconnaissance1x

Remote client performs MongoDB service validation and environment fingerprinting by first initiating a wire-protocol handshake (ismaster / hello) followed by execution of the buildInfo command against the admin database. This sequence indicates targeted reconnaissance to determine server role, software version, build characteristics, and platform details. Such activity is commonly associated with automated scanning frameworks and pre-exploitation tooling used to assess exposure and identify version-specific vulnerabilities prior to authentication attempts or database enumeration

lowRtsp Options Probe2x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

infoHttp Bad Request Route Probe1x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

$ sikker primitives 104.152.52.212

smtp_ehlo_greeting9 smtp_starttls_upgrade_request9 smtp_mail_from_envelope_sender9 smtp_rcpt_to_recipient_declaration9 rtsp_options4 ftp_help_request2 ftp_system_type_request2 ftp_feature_list_request2 http_method_get1 mongodb_ismaster1 empty_ftp_command1 redis_info_uppercase1 http_path_bad_request1 mongodb_buildinfo_admin_command1 ftp_control_channel_binary_payload1

$ sikker related 104.152.52.212

Report IP WHOIS Lookup →

IP Address	Confidence	Events
104.152.52.235	74%	97
104.152.52.144	68%	121
104.152.52.221	80%	124
104.152.52.114	47%	122
104.152.52.125	58%	162

IP Address	Confidence	Events
162.254.3.130	86%	17,995
185.218.138.19	97%	6,618
5.253.86.23	97%	5,557
92.118.39.95	100%	82,457
45.131.194.105	85%	4,375