Check an IP Address, Domain Name, Subnet, or ASN

109.105.209.7 was found in our database!

$ whois 109.105.209.7

country·🇵🇹 Portugal

isp·Zenlayer Inc

asn·AS21859

network·Standard

$ sikker risk 109.105.209.7scoring →

confidence

100%Very High

first_seen·Jan 20, 2026

last_seen·1h ago

first_reported·Mar 1, 2026

last_reported·5d ago

sessions·451

events·516

reports·5

$ sikker protocols 109.105.209.7

HTTPS

192 / 212 / 3r

IMAP

52 / 52

FTP

44 / 44 / 2r

RTSP

15 / 40

RDP

34 / 34

REDIS

25 / 27

SMB

21 / 21

TELNET

16 / 20

HTTP

16 / 19

DOCKER

9 / 18

SIP

9 / 9

POSTGRES

8 / 8

SSH

3 / 5

MONGODB

5 / 5

ELASTICSEARCH

2 / 2

$ sikker summary 109.105.209.7

109.105.209.7 has a threat confidence score of 100%. This IP address from Portugal (AS21859, Zenlayer Inc) has been observed in 451 honeypot sessions and reported 5 times targeting HTTPS, IMAP, FTP, RTSP, RDP and 10 other protocols. First observed on January 20, 2026, most recently active March 20, 2026.

$ sikker behaviors 109.105.209.7catalog →

mediumRdp Legacy Plaintext Authentication Attempt15x

Identifies RDP clients attempting authentication using the legacy RDP security mode where credentials are exchanged through the older RDP security layer instead of Network Level Authentication (NLA). This indicates the client negotiated legacy plaintext authentication during the RDP security handshake

mediumRtsp Stream Attempt Minus Teardown12x

Client performs a full RTSP interaction sequence — OPTIONS, DESCRIBE, SETUP, and PLAY — indicating an attempt to initialize and access a media stream. This pattern reflects active interaction with a streaming service rather than simple probing, and is commonly seen when automated tools or unauthorized clients try to view exposed camera or RTSP feeds.

mediumJsonrpc Initialize Via Http Get Gitmc9x

Identifies JSON-RPC initialize requests from the gitmc-org-mcp-scanner client delivered via HTTP GET, indicating automated scanning activity using a non-standard transport method for JSON-RPC initialization.

lowRtsp Options Probe1x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

infoFtp Tls Upgrade30x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

infoRedis Info Command Invocation7x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

infoHttp Root Path Request5x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request3x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 109.105.209.7

rtsp_setup58 rtsp_options33 ftp_auth_tls32 rtsp_play29 rtsp_describe29 rdp_legacy_plaintext_authenthication15 http_method_get14 docker_get_method12 http_body_jsonrpc_gitmc_mcp_initialize9 docker_post_method7 redis_info_uppercase7 ftp_control_channel_binary_payload7 elastic_http_get_request4 https_path_root3 imap_logout1 imap_capability_probe1 elastic_root_path_probe1 elastic_http_favicon_path_probe1 redis_command_http_host_header_port_63791

$ sikker reports 109.105.209.7submit →

Showing 5 of 5 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 15, 2026, 15:53	Brute Force	FTP	SikkerGuard: 22 blocked packets
User	Mar 15, 2026, 15:48	Brute Force	FTP	SikkerGuard: 34 blocked packets
User	Mar 13, 2026, 17:50	Brute Force	HTTPS	SikkerGuard: 28 blocked packets
User	Mar 13, 2026, 17:45	Brute Force	HTTPS	SikkerGuard: 6 blocked packets
User	Mar 1, 2026, 14:45	Brute Force	HTTPS	SikkerGuard: 34 blocked packets

$ sikker related 109.105.209.7

Report IP WHOIS Lookup →

IP Address	Confidence	Events
109.105.209.8	89%	185
45.156.131.12	84%	1,973
45.156.131.22	62%	97
45.156.131.7	84%	2,018
185.226.196.7	85%	1,980

IP Address	Confidence	Events
185.226.198.4	99%	409
185.226.198.6	88%	172
185.226.198.5	84%	152
185.180.141.45	81%	221
185.180.141.42	95%	511