Check an IP Address, Domain Name, Subnet, or ASN

185.247.137.252 was found in our database!

$ whois 185.247.137.252

country·🇬🇧 United Kingdom

city·Manchester

isp·Driftnet Ltd

asn·AS211298

network·Standard

$ sikker risk 185.247.137.252scoring →

confidence

82%Very High

first_seen·Jan 20, 2026

last_seen·1h ago

sessions·365

events·431

$ sikker protocols 185.247.137.252

POSTGRES

98 / 102

HTTPS

64 / 79

MSSQL

75 / 75

SIP

22 / 35

HTTP

20 / 30

SMTP

23 / 29

IMAP

25 / 28

REDIS

11 / 17

SMB

8 / 8

DOCKER

3 / 7

SSH

6 / 6

MONGODB

2 / 5

RTSP

1 / 3

ELASTICSEARCH

3 / 3

FTP

2 / 2

TELNET

2 / 2

$ sikker summary 185.247.137.252

185.247.137.252 has a threat confidence score of 82%. This IP address from United Kingdom (AS211298, Driftnet Ltd) has been observed in 365 honeypot sessions targeting POSTGRES, HTTPS, MSSQL, SIP, HTTP and 11 other protocols. First observed on January 20, 2026, most recently active March 21, 2026.

$ sikker behaviors 185.247.137.252catalog →

mediumMongodb Handshake And Version Recon1x

Client performs MongoDB service validation by issuing an initial hello handshake command followed by execution of the buildInfo command against the admin database to retrieve detailed server version and build metadata. This sequence reflects structured deployment fingerprinting and reconnaissance activity commonly associated with automated scanning tools, vulnerability assessment frameworks, or pre-exploitation workflows used to confirm service exposure and identify version-specific attack opportunities.

infoHttp Root Path Request4x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoDocker Invalid Protocol Probe1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

$ sikker primitives 185.247.137.252

http_method_get15 elastic_http_get_request6 docker_get_method5 docker_bad_request_uri3 elastic_root_path_probe3 elastic_cluster_stats_request3 ftp_auth_tls2 ftp_help_request2 ftp_system_type_request2 ftp_feature_list_request2 imap_logout1 https_path_root1 smtp_ehlo_greeting1 mongodb_hello_command1 smtp_starttls_upgrade_request1 mongodb_buildinfo_admin_command1

$ sikker related 185.247.137.252

Report IP WHOIS Lookup →

IP Address	Confidence	Events
185.247.137.216	89%	420
87.236.176.210	95%	432
185.247.137.203	93%	448
185.247.137.211	88%	463
87.236.176.194	91%	460

IP Address	Confidence	Events
194.213.3.5	97%	2,483
193.181.41.14	96%	133
18.135.247.138	66%	1,666
51.89.235.201	89%	54,469
87.236.176.54	93%	360