Check an IP Address, Domain Name, Subnet, or ASN

104.152.52.228 was found in our database!

$ whois 104.152.52.228

country·🇺🇸 United States

isp·Rethem Hosting LLC

asn·AS14987

network·Standard

$ sikker risk 104.152.52.228scoring →

confidence

85%Very High

first_seen·Jan 20, 2026

last_seen·2h ago

first_reported·Feb 25, 2026

last_reported·Feb 25, 2026

sessions·118

events·161

reports·1

$ sikker protocols 104.152.52.228

SMB

29 / 29

SMTP

12 / 26

FTP

3 / 21

SSH

15 / 19 / 1r

SIP

14 / 14

HTTPS

11 / 14

POSTGRES

11 / 11

MSSQL

10 / 10

MONGODB

3 / 5

HTTP

2 / 4

TELNET

3 / 3

RDP

2 / 2

ELASTICSEARCH

2 / 2

REDIS

1 / 1

$ sikker summary 104.152.52.228

104.152.52.228 has a threat confidence score of 85%. This IP address from United States (AS14987, Rethem Hosting LLC) has been observed in 118 honeypot sessions and reported 1 times targeting SMB, SMTP, FTP, SSH, SIP and 9 other protocols. First observed on January 20, 2026, most recently active April 5, 2026.

$ sikker behaviors 104.152.52.228catalog →

mediumMongodb Version Fingerprinting Reconnaissance1x

Remote client performs MongoDB service validation and environment fingerprinting by first initiating a wire-protocol handshake (ismaster / hello) followed by execution of the buildInfo command against the admin database. This sequence indicates targeted reconnaissance to determine server role, software version, build characteristics, and platform details. Such activity is commonly associated with automated scanning frameworks and pre-exploitation tooling used to assess exposure and identify version-specific vulnerabilities prior to authentication attempts or database enumeration

lowFtp Control Channel Protocol Anomaly1x

FTP session where an empty control-channel command is observed in conjunction with non-printable binary data on the control channel. This pattern reflects malformed or non-FTP-compliant input, commonly seen during TLS handshake attempts on plaintext endpoints, protocol confusion, or automated scanner misfires.

infoHttp Root Path Request1x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoRedis Info Command Invocation1x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

$ sikker primitives 104.152.52.228

ftp_control_channel_binary_payload6 smtp_ehlo_greeting2 elastic_root_path_probe2 elastic_http_get_request2 smtp_mail_from_envelope_sender2 smtp_rcpt_to_recipient_declaration2 http_method_get1 ftp_help_request1 mongodb_ismaster1 empty_ftp_command1 redis_info_uppercase1 ftp_system_type_request1 ftp_feature_list_request1 https_favicon_ico_request1 smtp_starttls_upgrade_request1 mongodb_buildinfo_admin_command1

$ sikker reports 104.152.52.228submit →

Showing 1 of 1 report from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Feb 25, 2026, 23:05	Brute Force	SSH	SikkerGuard: 2 blocked packets

$ sikker related 104.152.52.228

Report IP WHOIS Lookup →

IP Address	Confidence	Events
104.152.52.218	62%	108
104.152.52.222	73%	107
104.152.52.215	69%	152
104.152.52.224	44%	95
104.152.52.225	69%	188

IP Address	Confidence	Events
205.210.31.107	98%	437
20.65.193.254	82%	176
43.162.109.139	96%	3,478
71.184.116.177	80%	1,252
209.222.101.54	99%	57,110