Check an IP Address, Domain Name, Subnet, or ASN

185.226.197.67 was found in our database!

$ whois 185.226.197.67

country·🇵🇹 Portugal

isp·Zenlayer Inc

asn·AS21859

network·Standard

$ sikker risk 185.226.197.67scoring →

confidence

83%Very High

first_seen·Jan 23, 2026

last_seen·2h ago

sessions·98

events·139

$ sikker protocols 185.226.197.67

HTTP

58 / 80

HTTPS

19 / 35

SSH

8 / 10

SMB

4 / 4

ELASTICSEARCH

3 / 3

RDP

2 / 2

TELNET

1 / 2

SIP

1 / 1

REDIS

1 / 1

MONGODB

1 / 1

$ sikker summary 185.226.197.67

185.226.197.67 has a threat confidence score of 83%. This IP address from Portugal (AS21859, Zenlayer Inc) has been observed in 98 honeypot sessions targeting HTTP, HTTPS, SSH, SMB, ELASTICSEARCH and 5 other protocols. First observed on January 23, 2026, most recently active March 19, 2026.

$ sikker behaviors 185.226.197.67catalog →

mediumRdp Legacy Plaintext Authentication Attempt1x

Identifies RDP clients attempting authentication using the legacy RDP security mode where credentials are exchanged through the older RDP security layer instead of Network Level Authentication (NLA). This indicates the client negotiated legacy plaintext authentication during the RDP security handshake

lowElastic Service Validation And Index Enumeration1x

Client first performs a generic request to the Elasticsearch root endpoint to verify service availability, then proceeds to request /_cat/indices. This sequence reflects staged Elasticsearch reconnaissance where the actor validates that the cluster is reachable before attempting index enumeration and data exposure assessment. Compared to direct index enumeration behaviors, the interaction begins with a service-validation step, suggesting adaptive probing rather than immediate Elasticsearch-specific targeting.

infoHttp Root Path Request39x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request3x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoRedis Info Command Invocation1x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

$ sikker primitives 185.226.197.67

http_method_get40 elastic_http_get_request8 https_path_root3 elastic_root_path_probe3 redis_info_lowercase1 elastic_cat_indices_enumeration1 rdp_legacy_plaintext_authenthication1

$ sikker related 185.226.197.67

🇵🇹·More threats fromPortugal→AS·More threats fromZenlayer Inc→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→SSH·More threats targetingSSH→SMB·More threats targetingSMB→ELAS·More threats targetingELASTICSEARCH→RDP·More threats targetingRDP→TELN·More threats targetingTELNET→SIP·More threats targetingSIP→REDI·More threats targetingREDIS→MONG·More threats targetingMONGODB→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
45.156.131.12	84%	1,909
185.226.197.75	70%	244
185.226.197.72	72%	308
45.156.131.7	84%	1,959
109.105.210.102	61%	108

IP Address	Confidence	Events
79.168.139.28	100%	549
45.156.128.129	70%	252
45.156.129.100	99%	520
45.156.131.12	84%	1,909
45.156.129.46	82%	317