Check an IP Address, Domain Name, Subnet, or ASN

104.199.4.112 was found in our database!

$ whois 104.199.4.112

country·🇧🇪 Belgium

city·Brussels

isp·Google LLC

asn·AS396982

network·Standard

$ sikker risk 104.199.4.112scoring →

confidence

100%Very High

first_seen·Mar 18, 2026

last_seen·13h ago

first_reported·Mar 21, 2026

last_reported·27d ago

sessions·330

events·330

reports·2

$ sikker protocols 104.199.4.112

FTP

91 / 91 / 1r

ELASTICSEARCH

50 / 50

MONGODB

48 / 48

SMB

32 / 32 / 1r

POSTGRES

32 / 32

HTTP

27 / 27

HTTPS

22 / 22

MYSQL

21 / 21

DOCKER

7 / 7

$ sikker summary 104.199.4.112

104.199.4.112 has a threat confidence score of 100%. This IP address from Belgium (AS396982, Google LLC) has been observed in 330 honeypot sessions and reported 2 times targeting FTP, ELASTICSEARCH, MONGODB, SMB, POSTGRES and 4 other protocols. First observed on March 18, 2026, most recently active April 17, 2026.

$ sikker behaviors 104.199.4.112catalog →

mediumMongodb Containerized Pymongo Environment Enumeration8x

Identifies a structured MongoDB reconnaissance sequence performed by a modern PyMongo client operating from a Kubernetes-orchestrated Linux container. The actor negotiates server capabilities using a hello / ismaster handshake, enumerates server build metadata via buildinfo, performs lightweight database name discovery using listDatabases with nameOnly, and explicitly terminates logical sessions using endSessions. This pattern reflects automated tooling or scripted workflows conducting deployment fingerprinting, access surface mapping, and compatibility validation prior to further database interaction.

mediumFtp Authenticated Directory Reconnaissance1x

FTP session where a client probes for valid usernames, attempts authentication, negotiates transfer settings (ASCII and UTF-8), retrieves the current working directory, changes directories, enters passive mode, issues directory listings, and sends NOOP to maintain the session. This sequence reflects structured post-authentication exploration of the FTP file system to map directory structure and available content.

mediumSmb Authenticated Host And Share Enumeration1x

Composite behavior identifying authenticated SMB activity where a client accesses both IPC$ and data shares, performs root directory reads, and binds to SAMR and SRVSVC RPC interfaces. This sequence is consistent with structured remote enumeration of host configuration, shared resources, and account information, often conducted prior to lateral movement or privilege escalation attempts.

lowFtp Passive Session Initialization24x

FTP session where the client authenticates, queries the working directory, sets transfer mode, and enters passive mode without performing any file transfer or directory listing.

lowFtp Passive Directory Listing18x

FTP session where the client enters passive mode (PASV) and issues a LIST command to retrieve a directory listing from the server.

infoHttp Root Path Request25x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request20x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoHttp Http Method Get12x

HTTP request using GET method.

$ sikker primitives 104.199.4.112

mongodb_ismaster_topology_await_admin206 mysql_select_app_tables_size_from_information_schema168 mysql_select_app_table_columns_from_information_schema168 elastic_http_get_request129 ftp_print_working_directory91 smb_root_read88 elastic_root_path_probe83 ftp_set_ascii_mode47 ftp_set_utf846 ftp_user_probe46 ftp_password_attempt46 ftp_enter_passive_mode45 smb_wildcard_match38 mongodb_ismaster_hellook_client_env_kubernetes_pymongo31 http_method_get26 elastic_http_bad_request_path_probe23 mongodb_buildinfo_admin_lsid_command23 ftp_list_directory21 mysql_set_names_utf8mb321 mysql_disable_autocommit21

$ sikker reports 104.199.4.112submit →

Showing 2 of 2 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 21, 2026, 21:05	Brute Force	FTP	SikkerGuard: 20 blocked packets
User	Mar 21, 2026, 13:21	Brute Force	SMB	SikkerGuard: 20 blocked packets

$ sikker related 104.199.4.112

🇧🇪·More threats fromBelgium→AS·More threats fromGoogle LLC→FTP·More threats targetingFTP→ELAS·More threats targetingELASTICSEARCH→MONG·More threats targetingMONGODB→SMB·More threats targetingSMB→POST·More threats targetingPOSTGRES→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→MYSQ·More threats targetingMYSQL→DOCK·More threats targetingDOCKER→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
205.210.31.135	96%	319
35.199.91.184	94%	1,094
205.210.31.199	100%	421
205.210.31.229	99%	430
198.235.24.201	99%	416

IP Address	Confidence	Events
34.53.175.198	100%	353
35.233.21.145	100%	276
104.155.46.83	99%	164
81.243.106.218	28%	89
34.140.171.60	56%	2