114.220.75.156 — Chinanet, CN — Very High (100%)

Check an IP Address, Domain Name, Subnet, or ASN

114.220.75.156 was found in our database!

Confidence Level

100%

Very High?

Geolocation

🇨🇳

China

ISPChinanet

ASNAS4134

Activity Timeline

First seenJan 20, 2026, 07:19 PM

Last seen20m ago

468Sessions

1,875Events

Protocol Breakdown

TELNET

142 / 656

SSH

262 / 417

HTTP

21 / 414

HTTPS

26 / 330

DOCKER

17 / 58

114.220.75.156 has a very high threat confidence level of 100%, originating from China, on the Chinanet network (4134). It has been observed across 468 sessions targeting TELNET, SSH, HTTP, HTTPS, DOCKER, with detected attack patterns including http mass web rce exploitation scanning, docker remote exec via api, First observed on January 20, 2026, most recently active March 3, 2026.

Behaviors

Classified behavioral patterns observed

Http Mass Web Rce Exploitation Scanning

high9x

Coordinated automated exploitation attempts targeting public-facing web services, including PHPUnit eval-stdin access, PHP-CGI argument injection, Docker API exposure, directory traversal, ThinkPHP invokeFunction abuse, and command execution patterns (wget/curl pipe to shell). Identifies opportunistic bot-driven RCE scanning and framework-specific exploit chaining against internet-exposed applications.

Docker Remote Exec Via Api

high7x

Unauthenticated or externally triggered interaction with the Docker Engine HTTP API resulting in container enumeration (GET /containers/json) followed by multiple POST /containers/{id}/exec and /exec/{id}/start calls. This pattern strongly indicates remote command execution inside running containers through the Docker daemon. In honeypot telemetry this is typically associated with attackers abusing exposed Docker sockets (2375/2376) to gain execution, deploy payloads, or stage further compromise.

Primitives

Individual actions observed

Http Method Get454 Http Php Echo Md5 Hello Phpunit Marker398 Telnet Echo Hex Escape Sequence Output171 Telnet Command Sh82 Telnet Command Shell82 Telnet Command Enable82 Telnet Command System82 Telnet Wget Sh No Check Certificate Quiet Stdout Exec82 Docker Post Method45 Ssh Password Authenthication.35 Http Body Wget Curl Pipe To Sh Selfrep32 Docker Container Exec Path30 Http Php Shell Exec Base64 Decode Cve 2024 4577 Attempt29 Http Php Cgi Allow Url Include Auto Prepend Input Injection29 Https Body Wget Curl Pipe To Sh Apache Selfrep28 Https Php Ini Directive Injection Allow Url Include Auto Prepend File26 Http Thinkphp Invokefunction Call User Func Array Md520 Http Cgi Bin Direct Bin Sh Access16 Http Cgi Bin Percent Encoded Directory Traversal Bin Sh16 Docker Get Method15

Related Threats

Explore related threat intelligence

🇨🇳More threats fromChina ASMore threats fromChinanet TELNETMore threats targetingTELNET SSHMore threats targetingSSH HTTPMore threats targetingHTTP HTTPSMore threats targetingHTTPS DOCKERMore threats targetingDOCKER { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
125.104.133.35	36%	6
118.122.255.5	45%	189
219.144.16.16	51%	274
222.186.68.153	52%	328
61.184.173.26	81%	5,927

IP Address	Confidence	Events
14.103.114.227	100%	991
106.12.148.252	65%	629
117.191.83.250	54%	370
14.103.79.220	100%	121
123.138.237.110	70%	43