Check an IP Address, Domain Name, Subnet, or ASN

185.247.137.238 was found in our database!

Confidence Level

84%

Very High?

Geolocation

🇬🇧

United KingdomManchester

ISPDriftnet Ltd

ASNAS211298

Activity Timeline

First seenJan 21, 2026, 11:51 AM

Last seen2h ago

316Sessions

381Events

Protocol Breakdown

MSSQL

67 / 67

POSTGRES

63 / 65

HTTPS

46 / 63

SMTP

28 / 50

IMAP

27 / 32

SIP

29 / 31

HTTP

22 / 22

REDIS

8 / 16

FTP

4 / 12

SSH

8 / 8

SMB

4 / 4

TELNET

3 / 4

RTSP

3 / 3

DOCKER

2 / 2

MONGODB

1 / 1

ELASTICSEARCH

1 / 1

185.247.137.238 has a threat confidence score of 84%. This IP address from United Kingdom (AS211298, Driftnet Ltd) has been observed in 316 honeypot sessions targeting MSSQL, POSTGRES, HTTPS, SMTP, IMAP and 11 other protocols. First observed on January 21, 2026, most recently active March 12, 2026.

Behaviors

Classified behavioral patterns observed

Rtsp Options Probe

low2x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

Ftp Capability Enumeration Over Tls

low1x

FTP session where the client upgrades to TLS (AUTH TLS) and proceeds to request server capability information using FEAT, HELP, and SYST before cleanly terminating the session. This pattern indicates structured service and feature enumeration rather than file interaction. The sequence is consistent with automated reconnaissance used to fingerprint FTP server configuration, supported extensions, and implementation details

Http Root Path Request

info3x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Ftp Capability Enumeration

info2x

FTP session where the client issues HELP, SYST, and FEAT commands to query supported commands, system type, and server capabilities before terminating the session.

Redis Info Command Invocation

info1x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

Primitives

Individual actions observed

Smtp Ehlo Greeting16 Smtp Quit Session Termination16 Smtp Starttls Upgrade Request11 Http Method Get4 Ftp Help Request4 Ftp System Type Request4 Ftp Feature List Request4 Ftp Session Quit3 Imap Logout2 Ftp Auth Tls2 Rtsp Options2 Docker Get Method2 Elastic Http Get Request2 Redis Info Lowercase1 Elastic Root Path Probe1 Elastic Cluster Stats Request1

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
2a06:4883:1000::8	51%	128
2a06:4882:d000::ed	65%	133
2a06:4882:1000::e	64%	160
185.247.137.25	82%	379
2a06:4883:d000::e0	67%	143

IP Address	Confidence	Events
2a06:4883:1000::8	51%	128
64.89.163.164	100%	2,730
159.65.26.243	100%	2,338
5.181.124.12	100%	150
64.227.39.192	100%	1,171