Check an IP Address, Domain Name, Subnet, or ASN

172.202.49.251 was found in our database!

$ whois 172.202.49.251

country·🇺🇸 United States

city·Des Moines

isp·Microsoft Corporation

asn·AS8075

network·Standard

$ sikker risk 172.202.49.251scoring →

confidence

86%Very High

first_seen·Jan 22, 2026

last_seen·1h ago

sessions·115

events·154

$ sikker protocols 172.202.49.251

HTTPS

29 / 33

HTTP

13 / 24

SMTP

10 / 18

MONGODB

10 / 16

IMAP

8 / 10

SIP

5 / 9

TELNET

6 / 8

RDP

6 / 6

SMB

6 / 6

DOCKER

6 / 6

POSTGRES

5 / 5

ELASTICSEARCH

5 / 5

SSH

2 / 3

FTP

2 / 2

REDIS

1 / 2

MSSQL

1 / 1

$ sikker summary 172.202.49.251

172.202.49.251 has a threat confidence score of 86%. This IP address from United States (AS8075, Microsoft Corporation) has been observed in 115 honeypot sessions targeting HTTPS, HTTP, SMTP, MONGODB, IMAP and 11 other protocols. First observed on January 22, 2026, most recently active April 14, 2026.

$ sikker behaviors 172.202.49.251catalog →

mediumSip Call Id Token At Ip1x

SIP activity where the Call-ID follows a token@IP format, a pattern commonly generated by automated scanners and SIP tooling rather than standard client implementations, indicating non-human or enumeration-driven behavior.

lowRedis Info Reconnaissance1x

The client authenticated to a Redis service and executed the INFO command (info / redis_info_lowercase) without attempting configuration changes, data access, or command execution. The INFO command retrieves server metadata including version, role (master/replica), connected clients, memory usage, persistence settings, and replication status. This behavior is consistent with automated reconnaissance activity where a bot validates exposure, fingerprints the Redis instance, and determines whether it is a viable target for follow-up exploitation (e.g., replication abuse, module loading, or persistence manipulation). No destructive or modification activity was observed in this session.

lowHttps Path Developmentserver Metadatauploader Probe1x

HTTPS request to /developmentserver/metadatauploader.

infoHttp Root Path Request4x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttp Http Method Get2x

HTTP request using GET method.

infoHttp Bad Request Route Probe2x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 172.202.49.251

elastic_http_get_request7 http_method_get6 docker_get_method6 smtp_ehlo_greeting4 elastic_http_bad_request_path_probe4 http_path_bad_request2 elastic_root_path_probe2 https_path_root1 redis_info_lowercase1 sip_call_id_token_at_ip1 https_path_developmentserver_metadatauploader1

$ sikker related 172.202.49.251

Report IP WHOIS Lookup →

IP Address	Confidence	Events
52.177.119.222	95%	46
20.46.244.172	89%	164
20.29.24.90	89%	219
52.255.183.238	96%	27
20.65.194.16	87%	215

IP Address	Confidence	Events
185.218.138.27	97%	16,899
50.217.40.11	50%	488
98.110.234.182	80%	397
66.132.195.50	99%	292
44.201.165.173	75%	64