Check an IP Address, Domain Name, Subnet, or ASN

140.210.136.209 was found in our database!

$ whois 140.210.136.209

country·🇨🇳 China

city·Shanghai

isp·China Unicom

asn·AS138421

network·Standard

$ sikker risk 140.210.136.209scoring →

confidence

98%Very High

first_seen·Mar 7, 2026

last_seen·16d ago

sessions·27

events·27

$ sikker protocols 140.210.136.209

SSH

27 / 27

$ sikker summary 140.210.136.209

140.210.136.209 has a threat confidence score of 98%. This IP address from China (AS138421, China Unicom) has been observed in 27 honeypot sessions targeting SSH protocols. Detected attack patterns include ssh authorized keys persistence established, ssh interactive environment profiling with access consolidation, ssh automated post compromise recon and persistence chain. First observed on March 7, 2026, most recently active March 10, 2026.

$ sikker behaviors 140.210.136.209catalog →

very_highSsh Authorized Keys Persistence Established2x

Removal of filesystem attribute protections from the user’s .ssh directory followed by deletion and recreation of the directory and insertion of a new public key into authorized_keys. This pattern reflects deliberate modification of SSH trust configuration to establish persistent key-based access.

very_highSsh Interactive Environment Profiling With Access Consolidation2x

Identifies an SSH session performing multi-method system profiling (CPU model extraction, memory and disk inspection, active user/process monitoring), followed by SSH key replacement and password update indicative of interactive access validation and consolidation rather than single-shot automated takeover.

very_highSsh Automated Post Compromise Recon And Persistence Chain1x

Identifies an SSH session performing comprehensive automated host reconnaissance (CPU, memory, disk, processes, users), followed by credential modification and SSH key manipulation consistent with scripted post-compromise takeover and persistence establishment.

$ sikker primitives 140.210.136.209

ssh_authorized_keys_replacement_home5 unix_home_ssh_directory_attribute_modification_attempt5 ssh_uname_all3 ssh_whoami_user_identity3 ssh_uname_basic_invocation3 ssh_lscpu_model_field_filter3 ssh_cpuinfo_name_count_via_wc3 ssh_crontab_list_current_user3 ssh_uname_machine_architecture3 ssh_cpuinfo_model_name_line_count3 ssh_w_logged_in_users_enumeration3 ssh_free_mem_multi_field_extraction_mb3 ssh_df_head_second_line_field_extraction3 ssh_cpuinfo_model_field_subset_extraction3 ssh_top_interactive_process_monitor_invocation3 ssh_ls_binary_path_resolution_and_metadata_listing3 ssh_chpasswd_password_update_via_echo_pipe2 ssh_script_cleanup_process_kill_and_hosts_deny_clear2 ssh_passwd_stdin_password_change_pipeline1 ssh_passwd_noninteractive_stdin_password_change1

$ sikker related 140.210.136.209

🇨🇳·More threats fromChina→AS·More threats fromChina Unicom→SSH·More threats targetingSSH→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
116.63.205.218	100%	390
114.67.122.142	28%	11
140.210.153.88	23%	1
114.67.110.59	35%	3
112.64.113.71	42%	2

IP Address	Confidence	Events
113.249.107.31	77%	30
139.224.112.216	83%	14,402
223.94.45.50	98%	207
112.255.149.170	100%	22
140.249.22.89	100%	985