Check an IP Address, Domain Name, Subnet, or ASN

128.14.226.191 was found in our database!

$ whois 128.14.226.191

country·🇺🇸 United States

city·Los Angeles

isp·UCLOUD INFORMATION TECHNOLOGY HK LIMITED

asn·AS135377

network·Standard

$ sikker risk 128.14.226.191scoring →

confidence

100%Very High

first_seen·Jan 21, 2026

last_seen·3d ago

first_reported·Apr 28, 2026

last_reported·12h ago

sessions·491

events·1,083

reports·5

$ sikker protocols 128.14.226.191

FTP

30 / 455

HTTP

98 / 160

HTTPS

76 / 141

IMAP

101 / 101

SMTP

74 / 74

RTSP

21 / 42

SIP

26 / 38

SSH

24 / 24 / 1r

REDIS

17 / 17

TELNET

8 / 12

MYSQL

6 / 9

POSTGRES

8 / 8

ELASTICSEARCH

2 / 2

$ sikker summary 128.14.226.191

128.14.226.191 has a threat confidence score of 100%. This IP address from United States (AS135377, UCLOUD INFORMATION TECHNOLOGY HK LIMITED) has been observed in 491 honeypot sessions and reported 5 times targeting FTP, HTTP, HTTPS, IMAP, SMTP and 8 other protocols. First observed on January 21, 2026, most recently active May 10, 2026.

$ sikker behaviors 128.14.226.191catalog →

mediumSip Request Uri Sip Nm6x

SIP request using sip:nm as the Request-URI, a malformed or placeholder target commonly observed in SIP scanning and fuzzing activity rather than legitimate client behavior.

mediumFtp Authenticated Session Establishment1x

FTP session where a client probes for valid usernames, attempts authentication, switches to ASCII mode, and enters passive mode without performing explicit file listing or transfer operations. This reflects a completed login and session setup sequence, often observed during credential validation or preparatory access prior to further activity.

mediumFtp Financial Partner Directory Enumeration1x

FTP session where the client authenticates and performs repeated passive-mode directory listings while navigating directly into finance, HR, partner, vendor, and release paths such as /data/finance, /data/hr, /partners, and /pub/*, indicating targeted discovery of business-sensitive storage locations.

lowMysql Schema Discovery Bot4x

Automated reconnaissance behavior that performs a basic enumeration of accessible MySQL databases to identify available schemas and infer hosted applications or data presence. Often used as an initial validation step to confirm database access and assess whether further enumeration or extraction is worthwhile.

lowFtp Control Channel Protocol Anomaly4x

FTP session where an empty control-channel command is observed in conjunction with non-printable binary data on the control channel. This pattern reflects malformed or non-FTP-compliant input, commonly seen during TLS handshake attempts on plaintext endpoints, protocol confusion, or automated scanner misfires.

infoHttp Root Path Request10x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttp Http Method Get9x

HTTP request using GET method.

infoHttp Fetch Robots Txt4x

HTTP GET request to /robots.txt.

infoHttps Root Path Request2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoRedis Info Command Invocation2x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

$ sikker primitives 128.14.226.191

elastic_root_path_probe50 ftp_set_ascii_mode22 ftp_enter_passive_mode22 ftp_list_directory21 ftp_change_working_directory20 elastic_http_get_request18 ftp_control_channel_binary_payload17 http_method_get16 empty_ftp_command12 sip_request_uri_sip_nm6 smtp_ehlo_greeting5 ftp_user_probe4 mysql_show_databases4 http_robots_txt_path_probe4 smtp_starttls_upgrade_request4 elastic_cat_indices_enumeration4 http_path_config_json3 ftp_auth_tls2 https_path_root2 ftp_help_request2

$ sikker reports 128.14.226.191submit →

Showing 5 of 5 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
Anonymous	May 10, 2026, 05:39	Brute Force	—	SikkerGuard: 2 blocked packets
Anonymous	May 5, 2026, 14:34	Brute Force	—	SikkerGuard: 2 blocked packets
Anonymous	May 4, 2026, 16:03	Brute Force	—	SikkerGuard: 2 blocked packets
Anonymous	May 1, 2026, 05:31	Brute Force	—	SikkerGuard: 2 blocked packets
Anonymous	Apr 28, 2026, 07:00	Brute Force	SSH	SikkerGuard: 2 blocked packets

$ sikker related 128.14.226.191

Report IP WHOIS Lookup →

IP Address	Confidence	Events
123.58.213.128	100%	480
23.91.97.213	100%	334
118.26.36.242	94%	386
165.154.17.24	94%	1,597
165.154.22.233	100%	652

IP Address	Confidence	Events
72.167.225.241	76%	10,624
72.47.208.90	80%	6
173.239.254.90	85%	669
155.138.210.119	67%	832
192.111.129.146	37%	417