Check an IP Address, Domain Name, Subnet, or ASN

116.1.149.196 was found in our database!

$ whois 116.1.149.196

country·🇨🇳 China

isp·Chinanet

asn·AS4134

network·Standard

$ sikker risk 116.1.149.196scoring →

confidence

100%Very High

first_seen·Jan 21, 2026

last_seen·1h ago

sessions·426

events·661

$ sikker protocols 116.1.149.196

SSH

426 / 661

$ sikker summary 116.1.149.196

116.1.149.196 has a threat confidence score of 100%. This IP address from China (AS4134, Chinanet) has been observed in 426 honeypot sessions targeting SSH protocols. Detected attack patterns include ssh authorized keys persistence established, ssh interactive environment profiling with access consolidation, ssh automated post compromise recon and persistence chain. First observed on January 21, 2026, most recently active March 16, 2026.

$ sikker behaviors 116.1.149.196catalog →

very_highSsh Authorized Keys Persistence Established43x

Removal of filesystem attribute protections from the user’s .ssh directory followed by deletion and recreation of the directory and insertion of a new public key into authorized_keys. This pattern reflects deliberate modification of SSH trust configuration to establish persistent key-based access.

very_highSsh Interactive Environment Profiling With Access Consolidation5x

Identifies an SSH session performing multi-method system profiling (CPU model extraction, memory and disk inspection, active user/process monitoring), followed by SSH key replacement and password update indicative of interactive access validation and consolidation rather than single-shot automated takeover.

very_highSsh Automated Post Compromise Recon And Persistence Chain3x

Identifies an SSH session performing comprehensive automated host reconnaissance (CPU, memory, disk, processes, users), followed by credential modification and SSH key manipulation consistent with scripted post-compromise takeover and persistence establishment.

mediumSsh Home Ssh Attribute Protection Removal Attempt1x

Attempts to remove filesystem attribute protections (e.g., immutable flags via chattr -i/-a) from the user’s ~/.ssh directory. This pattern indicates preparatory activity to modify SSH trust configuration, commonly preceding insertion or replacement of authorized_keys for persistence.

$ sikker primitives 116.1.149.196

unix_home_ssh_directory_attribute_modification_attempt53 ssh_authorized_keys_replacement_home52 ssh_uname_all8 ssh_whoami_user_identity8 ssh_uname_basic_invocation8 ssh_lscpu_model_field_filter8 ssh_cpuinfo_name_count_via_wc8 ssh_crontab_list_current_user8 ssh_uname_machine_architecture8 ssh_cpuinfo_model_name_line_count8 ssh_w_logged_in_users_enumeration8 ssh_free_mem_multi_field_extraction_mb8 ssh_df_head_second_line_field_extraction8 ssh_cpuinfo_model_field_subset_extraction8 ssh_top_interactive_process_monitor_invocation8 ssh_ls_binary_path_resolution_and_metadata_listing8 ssh_chpasswd_password_update_via_echo_pipe5 ssh_script_cleanup_process_kill_and_hosts_deny_clear5 ssh_passwd_stdin_password_change_pipeline3 ssh_passwd_noninteractive_stdin_password_change3

$ sikker related 116.1.149.196

🇨🇳·More threats fromChina→AS·More threats fromChinanet→SSH·More threats targetingSSH→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
59.173.111.9	18%	2
223.199.186.42	26%	1
59.52.102.120	18%	2
59.53.166.151	26%	1
124.117.192.57	16%	2

IP Address	Confidence	Events
47.99.50.46	40%	55
115.190.114.135	81%	449
120.48.130.213	100%	891
218.90.138.78	100%	474
14.103.115.115	100%	928