Check an IP Address, Domain Name, Subnet, or ASN

196.115.87.207 was found in our database!

$ whois 196.115.87.207

country·🇲🇦 Morocco

city·Casablanca

isp·ASMedi

asn·AS36925

network·Standard

$ sikker risk 196.115.87.207scoring →

confidence

99%Very High

first_seen·Apr 1, 2026

last_seen·17d ago

sessions·50

events·50

$ sikker protocols 196.115.87.207

HTTP

48 / 48

MYSQL

2 / 2

$ sikker summary 196.115.87.207

196.115.87.207 has a threat confidence score of 99%. This IP address from Morocco (AS36925, ASMedi) has been observed in 50 honeypot sessions targeting HTTP, MYSQL protocols. Detected attack patterns include androxgh0st payload probe, http git repository config exposure probe, http dotenv file exposure probe. First observed on April 1, 2026, most recently active April 2, 2026.

$ sikker behaviors 196.115.87.207catalog →

highAndroxgh0st Payload Probe14x

Identifies HTTP requests containing the androxgh0st payload marker in the request body, indicative of automated exploitation or scanning activity associated with Androxgh0st campaigns targeting exposed web applications and misconfigured services.

highHttp Git Repository Config Exposure Probe3x

Identifies HTTP GET requests targeting /.git/config, indicating attempts to access exposed Git repository configuration files. Successful access may enable repository reconstruction, credential harvesting, or source code disclosure.

highHttp Dotenv File Exposure Probe2x

Identifies HTTP GET requests targeting the /.env file, indicating attempts to access exposed environment configuration files commonly containing application secrets such as database credentials, API keys, and service tokens.

infoHttp Root Path Request21x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

$ sikker primitives 196.115.87.207

http_method_get55 http_body_androxgh0st_marker17 http_path_app_dotenv4 http_path_dotgit_config3 http_path_dotenv2 mysql_show_databases2 mysql_set_names_utf8mb42 mysql_disable_autocommit2 http_path_dotenv_development2 http_phpunit_eval_stdin_php_path_access2

$ sikker related 196.115.87.207

🇲🇦·More threats fromMorocco→AS·More threats fromASMedi→HTTP·More threats targetingHTTP→MYSQ·More threats targetingMYSQL→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
45.216.192.222	46%	7
197.153.58.78	23%	66
197.230.149.202	43%	444
105.188.67.212	28%	1
105.191.8.209	41%	1

IP Address	Confidence	Events
81.192.46.49	100%	1,387
81.192.46.32	100%	556
154.146.238.122	50%	505
154.144.225.226	99%	240
196.92.7.249	100%	220