Check an IP Address, Domain Name, Subnet, or ASN

185.247.137.41 was found in our database!

Confidence Level

83%

Very High?

Geolocation

🇬🇧

United KingdomManchester

ISPDriftnet Ltd

ASNAS211298

Activity Timeline

First seenJan 21, 2026, 11:32 AM

Last seen1h ago

291Sessions

339Events

Protocol Breakdown

MSSQL

72 / 72

POSTGRES

57 / 59

HTTPS

46 / 56

SIP

23 / 31

SMTP

22 / 27

IMAP

21 / 22

REDIS

13 / 21

HTTP

10 / 10

FTP

4 / 9

SMB

8 / 9

SSH

4 / 6

DOCKER

3 / 5

MONGODB

2 / 5

RDP

2 / 2

RTSP

2 / 2

TELNET

1 / 2

ELASTICSEARCH

1 / 1

185.247.137.41 has a threat confidence score of 83%. This IP address from United Kingdom (AS211298, Driftnet Ltd) has been observed in 291 honeypot sessions targeting MSSQL, POSTGRES, HTTPS, SIP, SMTP and 12 other protocols. First observed on January 21, 2026, most recently active March 12, 2026.

Behaviors

Classified behavioral patterns observed

Ftp Capability Enumeration Over Tls

low3x

FTP session where the client upgrades to TLS (AUTH TLS) and proceeds to request server capability information using FEAT, HELP, and SYST before cleanly terminating the session. This pattern indicates structured service and feature enumeration rather than file interaction. The sequence is consistent with automated reconnaissance used to fingerprint FTP server configuration, supported extensions, and implementation details

Rtsp Options Probe

low1x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

Redis Info Command Invocation

info2x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

Http Root Path Request

info1x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Mongodb Handshake Fingerprint

info1x

Client performs a modern MongoDB handshake using the hello command followed by a buildinfo request to gather server capabilities and version details. This sequence is commonly associated with automated fingerprinting or discovery activity against exposed MongoDB instances rather than normal application queries.

Primitives

Individual actions observed

Mongodb Hello4 Mongodb Buildinfo4 Ftp Auth Tls3 Ftp Help Request3 Ftp Session Quit3 Docker Get Method3 Smtp Ehlo Greeting3 Ftp System Type Request3 Ftp Feature List Request3 Redis Info Lowercase2 Elastic Http Get Request2 Smtp Quit Session Termination2 Smtp Starttls Upgrade Request2 Rtsp Options1 Http Method Get1 Elastic Root Path Probe1 Elastic Cluster Stats Request1

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
185.247.137.52	88%	401
185.247.137.148	87%	357
185.247.137.136	88%	378
185.247.137.176	84%	374
87.236.176.134	84%	385

IP Address	Confidence	Events
193.104.222.139	98%	2,953
185.247.137.176	84%	374
87.236.176.134	84%	385
165.227.224.86	100%	1,093
64.227.39.192	100%	1,165