Check an IP Address, Domain Name, Subnet, or ASN

185.226.197.28 was found in our database!

$ whois 185.226.197.28

country·🇵🇹 Portugal

isp·Zenlayer Inc

asn·AS21859

network·Standard

$ sikker risk 185.226.197.28scoring →

confidence

81%Very High

first_seen·Jan 25, 2026

last_seen·2h ago

sessions·132

events·162

$ sikker protocols 185.226.197.28

HTTPS

65 / 75

FTP

25 / 31

IMAP

22 / 22

MONGODB

5 / 11

DOCKER

2 / 6

SIP

3 / 5

RTSP

2 / 4

TELNET

4 / 4

HTTP

2 / 2

SMB

1 / 1

SSH

1 / 1

$ sikker summary 185.226.197.28

185.226.197.28 has a threat confidence score of 81%. This IP address from Portugal (AS21859, Zenlayer Inc) has been observed in 132 honeypot sessions targeting HTTPS, FTP, IMAP, MONGODB, DOCKER and 6 other protocols. First observed on January 25, 2026, most recently active March 20, 2026.

$ sikker behaviors 185.226.197.28catalog →

lowRtsp Options Probe2x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

infoFtp Tls Upgrade20x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

infoHttps Root Path Request8x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoHttp Root Path Request2x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoMongodb Serverstatus Discovery1x

Client issues MongoDB serverStatus requests and disconnects shortly after, indicating service inspection rather than active database interaction. This pattern is commonly associated with automated discovery activity where scanners collect runtime metrics or confirm database exposure without performing further queries.

$ sikker primitives 185.226.197.28

ftp_auth_tls23 https_path_root8 rtsp_options4 mongodb_hello3 mongodb_serverstatus3 ftp_auth_ssl2 http_method_get2 docker_get_method1

$ sikker related 185.226.197.28

🇵🇹·More threats fromPortugal→AS·More threats fromZenlayer Inc→HTTP·More threats targetingHTTPS→FTP·More threats targetingFTP→IMAP·More threats targetingIMAP→MONG·More threats targetingMONGODB→DOCK·More threats targetingDOCKER→SIP·More threats targetingSIP→RTSP·More threats targetingRTSP→TELN·More threats targetingTELNET→HTTP·More threats targetingHTTP→SMB·More threats targetingSMB→SSH·More threats targetingSSH→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
45.156.131.23	62%	105
45.156.131.7	84%	2,016
185.226.197.30	76%	161
185.226.197.29	80%	200
185.226.197.27	99%	425

IP Address	Confidence	Events
81.193.216.17	100%	245
45.156.131.23	62%	105
45.156.131.7	84%	2,016
185.226.197.30	76%	161
185.226.197.29	80%	200