Check an IP Address, Domain Name, Subnet, or ASN

159.223.43.21 was found in our database!

$ whois 159.223.43.21

country·🇸🇬 Singapore

city·Singapore

isp·DigitalOcean, LLC

asn·AS14061

network·Standard

$ sikker risk 159.223.43.21scoring →

confidence

100%Very High

first_seen·Jan 21, 2026

last_seen·1h ago

first_reported·Mar 1, 2026

last_reported·7d ago

sessions·249

events·1,124

reports·3

$ sikker protocols 159.223.43.21

HTTP

8 / 384

HTTPS

6 / 249

SSH

114 / 182 / 3r

DOCKER

101 / 181

TELNET

20 / 128

$ sikker summary 159.223.43.21

159.223.43.21 has a threat confidence score of 100%. This IP address from Singapore (AS14061, DigitalOcean, LLC) has been observed in 249 honeypot sessions and reported 3 times targeting HTTP, HTTPS, SSH, DOCKER, TELNET protocols. Detected attack patterns include docker remote exec via api, http mass web rce exploitation scanning. First observed on January 21, 2026, most recently active March 20, 2026.

$ sikker behaviors 159.223.43.21catalog →

highDocker Remote Exec Via Api17x

Attacker interaction with an exposed Docker Engine API resulting in container enumeration followed by remote command execution inside running containers. The sequence of GET /containers/json and subsequent POST /containers/{id}/exec and /exec/{id}/start calls represents deliberate hands-on-keyboard activity where the adversary uses the Docker daemon as a control plane to execute commands, deploy payloads, or pivot further within the host environment. This behavior reflects active container abuse observed directly through high-interaction honeypot instrumentation.

highHttp Mass Web Rce Exploitation Scanning6x

Coordinated automated exploitation attempts targeting public-facing web services, including PHPUnit eval-stdin access, PHP-CGI argument injection, Docker API exposure, directory traversal, ThinkPHP invokeFunction abuse, and command execution patterns (wget/curl pipe to shell). Identifies opportunistic bot-driven RCE scanning and framework-specific exploit chaining against internet-exposed applications.

$ sikker primitives 159.223.43.21

docker_post_method303 http_method_get258 http_php_echo_md5_hello_phpunit_marker222 docker_container_exec_path202 docker_get_method101 docker_exec_start_endpoint101 docker_list_containers_endpoint101 ssh_password_authenthication.39 telnet_echo_hex_escape_sequence_output39 telnet_command_sh20 telnet_command_enable20 telnet_command_system20 telnet_wget_sh_no_check_certificate_quiet_stdout_exec20 telnet_command_shell19 http_body_wget_curl_pipe_to_sh_selfrep12 http_thinkphp_invokefunction_call_user_func_array_md512 http_php_shell_exec_base64_decode_cve_2024_4577_attempt12 http_php_cgi_allow_url_include_auto_prepend_input_injection12 https_query_thinkphp_invokefunction_md5_probe10 https_body_wget_curl_pipe_to_sh_apache_selfrep10

$ sikker reports 159.223.43.21submit →

Showing 3 of 3 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 12, 2026, 23:03	Brute Force	SSH	SikkerGuard: 2 blocked packets
User	Mar 3, 2026, 10:40	Brute Force	SSH	SikkerGuard: 4 blocked packets
User	Mar 1, 2026, 16:45	Brute Force	SSH	SikkerGuard: 2 blocked packets

$ sikker related 159.223.43.21

🇸🇬·More threats fromSingapore→AS·More threats fromDigitalOcean, LLC→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→SSH·More threats targetingSSH→DOCK·More threats targetingDOCKER→TELN·More threats targetingTELNET→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
134.122.126.62	80%	11
165.22.60.26	27%	13
159.223.94.92	100%	125
138.68.14.135	43%	83
134.209.2.99	65%	90

IP Address	Confidence	Events
43.134.28.126	95%	1,054
43.134.92.91	96%	878
43.163.3.187	96%	791
43.134.1.142	95%	731
165.154.203.254	97%	854