Check an IP Address, Domain Name, Subnet, or ASN

185.180.141.12 was found in our database!

$ whois 185.180.141.12

country·🇵🇹 Portugal

isp·Zenlayer Inc

asn·AS21859

network·Standard

$ sikker risk 185.180.141.12scoring →

confidence

100%Very High

first_seen·Jan 20, 2026

last_seen·13m ago

first_reported·Feb 26, 2026

last_reported·Feb 26, 2026

sessions·736

events·767

reports·1

$ sikker protocols 185.180.141.12

HTTPS

232 / 247

IMAP

217 / 217

FTP

58 / 58 / 1r

SIP

52 / 52

TELNET

31 / 35

RDP

34 / 34

SMB

26 / 26

HTTP

21 / 21

RTSP

16 / 16

REDIS

11 / 16

WINRM

6 / 13

POSTGRES

12 / 12

DOCKER

7 / 7

MONGODB

5 / 5

ELASTICSEARCH

5 / 5

SSH

3 / 3

$ sikker summary 185.180.141.12

185.180.141.12 has a threat confidence score of 100%. This IP address from Portugal (AS21859, Zenlayer Inc) has been observed in 736 honeypot sessions and reported 1 times targeting HTTPS, IMAP, FTP, SIP, TELNET and 11 other protocols. First observed on January 20, 2026, most recently active April 18, 2026.

$ sikker behaviors 185.180.141.12catalog →

mediumRdp Legacy Plaintext Authentication Attempt14x

Identifies RDP clients attempting authentication using the legacy RDP security mode where credentials are exchanged through the older RDP security layer instead of Network Level Authentication (NLA). This indicates the client negotiated legacy plaintext authentication during the RDP security handshake

mediumRtsp Stream Attempt Minus Teardown12x

Client performs a full RTSP interaction sequence — OPTIONS, DESCRIBE, SETUP, and PLAY — indicating an attempt to initialize and access a media stream. This pattern reflects active interaction with a streaming service rather than simple probing, and is commonly seen when automated tools or unauthorized clients try to view exposed camera or RTSP feeds.

mediumJsonrpc Initialize Via Http Get Gitmc11x

Identifies JSON-RPC initialize requests from the gitmc-org-mcp-scanner client delivered via HTTP GET, indicating automated scanning activity using a non-standard transport method for JSON-RPC initialization.

mediumHttps Mcp Endpoint Scanner Gitmc7x

Automated MCP endpoint scanning over HTTPS using JSON-RPC initialize requests from gitmc-org-mcp-scanner, combined with probing of /mcp and /sse endpoints.

mediumSip Request Uri Sip Nm1x

SIP request using sip:nm as the Request-URI, a malformed or placeholder target commonly observed in SIP scanning and fuzzing activity rather than legitimate client behavior.

lowRtsp Options Probe3x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

infoFtp Tls Upgrade22x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

infoHttp Root Path Request9x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttp Http Method Get3x

HTTP request using GET method.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 185.180.141.12

rtsp_setup24 ftp_auth_tls22 http_method_get20 rtsp_options16 rdp_legacy_plaintext_authenthication14 rtsp_play12 rtsp_describe12 http_body_jsonrpc_gitmc_mcp_initialize11 docker_get_method10 elastic_http_get_request9 docker_post_method7 https_path_mcp_root_access7 https_path_sse_root_access7 https_jsonrpc_initialize_gitmc_mcp_scanner7 ftp_control_channel_binary_payload5 redis_info_uppercase2 mongodb_hello_command2 elastic_root_path_probe2 https_favicon_ico_request2 elastic_http_favicon_path_probe2

$ sikker reports 185.180.141.12submit →

Showing 1 of 1 report from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Feb 26, 2026, 17:46	Brute Force	FTP	SikkerGuard: 28 blocked packets

$ sikker related 185.180.141.12

Report IP WHOIS Lookup →

IP Address	Confidence	Events
109.105.210.59	94%	390
109.105.210.57	100%	856
109.105.210.60	81%	346
185.180.141.7	100%	857
185.180.141.10	92%	346

IP Address	Confidence	Events
185.180.141.13	82%	301
185.180.141.14	78%	335
185.180.141.15	82%	309
109.105.210.59	94%	390
109.105.210.57	100%	856