163.5.102.2 has a threat confidence score of 99%. This IP address from France (AS2914, NTT America, Inc.) has been observed in 16 honeypot sessions targeting the MySQL protocol. Detected attack patterns include mysql ransom extortion workflow, mysql targeted database destruction, mysql pre extortion valuation and ransom drop and 1 more. First observed on April 17, 2026, most recently active April 17, 2026.
Performs a coordinated sequence of MySQL actions to create and select a ransom-themed database and table, insert extortion markers, and explicitly manage transactions, clearly signaling database compromise and intent to extort the owner.
Explicitly disables autocommit, then deliberately drops multiple named databases and commits the transaction, indicating intentional and controlled destructive activity against specific MySQL databases rather than reconnaissance or misconfiguration.
Performs a structured MySQL extortion workflow that first disables autocommit and calculates database size via information_schema to assess data value, then enumerates tables, creates a ransom table, inserts explicit extortion messages with payment instructions, and commits the transaction—clearly indicating intentional database extortion following valuation.
Adversary creates and switches to a newly generated database, creates ransom-related tables, inserts ransom marker content, and commits transactional changes while optionally disabling autocommit. The sequence includes table enumeration and structured write operations indicative of database-level ransomware staging or defacement activity intended to persist extortion instructions or disrupt normal data availability.
Disables MySQL autocommit mode without performing any follow-up actions, indicating an initial transaction manipulation probe or a failed/aborted attempt to prepare multi-step database operations. Often seen in low-confidence automation or disrupted attack flows.