Check an IP Address, Domain Name, Subnet, or ASN

185.247.137.208 was found in our database!

Confidence Level

80%

Very High?

Geolocation

🇬🇧

United KingdomManchester

ISPDriftnet Ltd

ASNAS211298

Activity Timeline

First seenJan 20, 2026, 11:35 PM

Last seen1h ago

291Sessions

352Events

Protocol Breakdown

POSTGRES

79 / 81

HTTPS

50 / 76

MSSQL

49 / 49

SIP

30 / 37

SMTP

27 / 36

REDIS

21 / 33

IMAP

16 / 17

MONGODB

3 / 6

SMB

4 / 4

RTSP

4 / 4

DOCKER

4 / 4

SSH

2 / 2

TELNET

1 / 2

ELASTICSEARCH

1 / 1

185.247.137.208 has a threat confidence score of 80%. This IP address from United Kingdom (AS211298, Driftnet Ltd) has been observed in 291 honeypot sessions targeting POSTGRES, HTTPS, MSSQL, SIP, SMTP and 9 other protocols. First observed on January 20, 2026, most recently active March 12, 2026.

Behaviors

Classified behavioral patterns observed

Rtsp Options Probe

low1x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

Redis Info Command Invocation

info6x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

Https Root Path Request

info2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Smtp Tls Capability Probe

info1x

Automated SMTP interaction performing a minimal capability check by issuing EHLO followed by a STARTTLS upgrade request and immediately terminating the session. This pattern is commonly associated with internet-wide scanners, security research crawlers, or opportunistic bots verifying whether an SMTP service supports encrypted communication. The absence of authentication attempts or message submission indicates reconnaissance or service fingerprinting rather than active abuse.

Mongodb Handshake Fingerprint

info1x

Client performs a modern MongoDB handshake using the hello command followed by a buildinfo request to gather server capabilities and version details. This sequence is commonly associated with automated fingerprinting or discovery activity against exposed MongoDB instances rather than normal application queries.

Primitives

Individual actions observed

Redis Info Lowercase6 Mongodb Hello4 Docker Get Method4 Mongodb Buildinfo4 Smtp Ehlo Greeting4 Https Path Root2 Elastic Http Get Request2 Smtp Starttls Upgrade Request2 Rtsp Options1 Elastic Root Path Probe1 Elastic Cluster Stats Request1

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
2a06:4883:1000::8	51%	128
2a06:4882:d000::ed	65%	133
2a06:4882:1000::e	64%	160
185.247.137.25	82%	379
2a06:4883:d000::e0	67%	143

IP Address	Confidence	Events
2a06:4883:1000::8	51%	128
64.89.163.164	100%	2,730
159.65.26.243	100%	2,338
5.181.124.12	100%	150
64.227.39.192	100%	1,171