Check an IP Address, Domain Name, Subnet, or ASN

191.5.48.172 was found in our database!

$ whois 191.5.48.172

country·🇧🇷 Brazil

city·Medianeira

isp·VIAR TELECOMUNICACOES LTDA

asn·AS263532

network·Standard

$ sikker risk 191.5.48.172scoring →

confidence

100%Very High

first_seen·Feb 16, 2026

last_seen·1h ago

first_reported·Mar 17, 2026

last_reported·6d ago

sessions·54

events·54

reports·1

$ sikker protocols 191.5.48.172

TELNET

54 / 54 / 1r

$ sikker summary 191.5.48.172

191.5.48.172 has a threat confidence score of 100%. This IP address from Brazil (AS263532, VIAR TELECOMUNICACOES LTDA) has been observed in 54 honeypot sessions and reported 1 times targeting TELNET protocols. Detected attack patterns include telnet busybox shell activation with capability check, telnet shell escalation with busybox execution attempt, telnet busybox multi method payload retrieval and execution. First observed on February 16, 2026, most recently active March 24, 2026.

$ sikker behaviors 191.5.48.172catalog →

highTelnet Busybox Shell Activation With Capability Check34x

Identifies a Telnet session where BusyBox is leveraged to activate or access a shell environment (sh, shell, system, linuxshell, enable) followed by command capability validation (ping). This pattern reflects deliberate shell breakout and execution-context validation commonly observed in IoT botnets and embedded Linux compromise workflows. The presence of multiple shell invocation variants combined with BusyBox applet usage indicates adaptive execution logic rather than incidental command usage.

highTelnet Shell Escalation With Busybox Execution Attempt8x

Telnet session exhibiting privilege escalation and shell breakout commands (enable, system, shell, sh) followed by execution of /bin/busybox with a non-standard or arbitrary applet name. The sequence indicates an attempt to escape restricted CLI environments and execute a staged or randomly named payload via BusyBox. The presence of an unknown BusyBox applet strongly suggests automated bot deployment logic rather than legitimate administrative activity.

highTelnet Busybox Multi Method Payload Retrieval And Execution1x

Identifies a Telnet session where an attacker leverages BusyBox utilities to retrieve a remote payload using one or more file transfer mechanisms (e.g., wget, curl, ftpget, or tftp) followed by execution of the downloaded script via sh. This pattern is consistent with IoT botnet propagation and automated malware deployment.

$ sikker primitives 191.5.48.172

telnet_command_sh87 telnet_command_shell49 telnet_busybox_unknown_applet_invocation49 telnet_command_system47 telnet_command_enable43 telnet_command_ping35 telnet_command_linuxshell35 telnet_busybox_wget_execution1 telnet_sh_execute_downloaded_script1 telnet_busybox_ftpget_remote_file_download1 telnet_busybox_tftp_get_remote_file_stdout1 telnet_curl_remote_script_stdout_execution1

$ sikker reports 191.5.48.172submit →

Showing 1 of 1 report from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 17, 2026, 22:47	Brute Force	TELNET	SikkerGuard: 2 blocked packets

$ sikker related 191.5.48.172

🇧🇷·More threats fromBrazil→AS·More threats fromVIAR TELECOMUNICACOES LTDA→TELN·More threats targetingTELNET→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
177.153.39.81	75%	3
45.178.227.0	76%	1,448
200.227.84.242	60%	1,091
152.32.197.159	82%	189
201.71.157.40	39%	249