Check an IP Address, Domain Name, Subnet, or ASN

139.59.0.38 was found in our database!

$ whois 139.59.0.38

country·🇮🇳 India

city·Bengaluru

isp·DigitalOcean, LLC

asn·AS14061

network·Standard

$ sikker risk 139.59.0.38scoring →

confidence

100%Very High

first_seen·Mar 2, 2026

last_seen·4m ago

sessions·453

events·453

$ sikker protocols 139.59.0.38

SSH

299 / 299

TELNET

146 / 146

HTTP

4 / 4

HTTPS

4 / 4

$ sikker summary 139.59.0.38

139.59.0.38 has a threat confidence score of 100%. This IP address from India (AS14061, DigitalOcean, LLC) has been observed in 453 honeypot sessions targeting SSH, TELNET, HTTP, HTTPS protocols. Detected attack patterns include ssh hardened host profiling and shell rc immutability bypass, telnet busybox shell activation with capability check. First observed on March 2, 2026, most recently active March 26, 2026.

$ sikker behaviors 139.59.0.38catalog →

highSsh Hardened Host Profiling And Shell Rc Immutability Bypass294x

Identifies SSH post-auth activity combining resilient multi-source CPU enumeration (explicit /usr/bin/nproc fallback) with removal of the immutable flag from ~/.shellrc via chattr, indicating host profiling followed by shell configuration tampering for persistence preparation.

highTelnet Busybox Shell Activation With Capability Check138x

Identifies a Telnet session where BusyBox is leveraged to activate or access a shell environment (sh, shell, system, linuxshell, enable) followed by command capability validation (ping). This pattern reflects deliberate shell breakout and execution-context validation commonly observed in IoT botnets and embedded Linux compromise workflows. The presence of multiple shell invocation variants combined with BusyBox applet usage indicates adaptive execution logic rather than incidental command usage.

infoHttp Root Path Request2x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 139.59.0.38

unix_chattr_remove_immutable_flag_home_shell_rc294 hardened_cpu_enumeration_with_explicit_nproc_path294 telnet_command_sh278 telnet_command_ping139 telnet_command_shell139 telnet_command_enable139 telnet_command_system139 telnet_command_linuxshell139 telnet_busybox_unknown_applet_invocation138 http_method_get2 https_path_root2

$ sikker related 139.59.0.38

🇮🇳·More threats fromIndia→AS·More threats fromDigitalOcean, LLC→SSH·More threats targetingSSH→TELN·More threats targetingTELNET→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
159.89.198.208	99%	126
128.199.225.7	100%	2,472
104.236.88.138	80%	295
46.101.82.104	81%	330
209.38.18.27	78%	295

IP Address	Confidence	Events
103.78.12.204	12%	12
202.88.241.169	68%	930
139.59.42.255	48%	51
20.219.16.35	95%	1,321
49.205.198.2	95%	1,417