Check an IP Address, Domain Name, Subnet, or ASN

198.235.24.41 was found in our database!

Confidence Level

95%

Very High?

Geolocation

🇺🇸

United States

ISPGoogle LLC

ASNAS396982

Activity Timeline

First seenJan 22, 2026, 07:09 AM

Last seen1h ago

First reportedFeb 26, 2026, 03:45 AM

Last reported4d ago

150Sessions

217Events

3Reports

Protocol Breakdown

HTTP

27 / 39

SMB

27 / 28

FTP

14 / 27

SSH

19 / 24

HTTPS

15 / 21

SIP

8 / 16

IMAP

7 / 11

SMTP

5 / 10

TELNET

6 / 10

RTSP

4 / 7

WINRM

2 / 5

RDP

4 / 4

POP3

1 / 4

MONGODB

4 / 4

MSSQL

3 / 3

ELASTICSEARCH

2 / 2

DOCKER

1 / 1

POSTGRES

1 / 1

198.235.24.41 has a very high threat confidence level of 95%, originating from United States, on the Google LLC network (396982). It has been observed across 150 sessions targeting HTTP, SMB, FTP, SSH, HTTPS and 13 other protocols, First observed on January 22, 2026, most recently active March 12, 2026.

Behaviors

Classified behavioral patterns observed

Rdp Legacy Plaintext Authentication Attempt

medium1x

Identifies RDP clients attempting authentication using the legacy RDP security mode where credentials are exchanged through the older RDP security layer instead of Network Level Authentication (NLA). This indicates the client negotiated legacy plaintext authentication during the RDP security handshake

Rtsp Options Probe

low3x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

Ftp Tls Upgrade

info7x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

Https Root Path Request

info4x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Http Bad Request Route Probe

info4x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

Http Root Path Request

info3x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Docker Invalid Protocol Probe

info1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Primitives

Individual actions observed

Http Method Get9 Ftp Auth Tls7 Http Path Bad Request6 Rtsp Options5 Https Path Root4 Sip Call Id Alphanumeric Entropy4 Elastic Root Path Probe2 Elastic Http Get Request2 Docker Get Method1 Imap Capability Probe1 Docker Bad Request Uri1 Rdp Legacy Plaintext Authenthication1

User Reports

3 reports from 1 contributor

Date	Category	Protocol	Comment
Mar 7, 2026	Brute Force	SSH	SikkerGuard: 2 blocked packets
Mar 4, 2026	Brute Force	SMTP	SikkerGuard: 2 blocked packets
Feb 26, 2026	Brute Force	SSH	SikkerGuard: 2 blocked packets

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
35.203.211.37	70%	138
162.216.149.182	61%	95
35.203.211.136	63%	120
35.222.117.243	100%	866
162.216.149.88	69%	96

IP Address	Confidence	Events
130.12.180.55	88%	27,440
209.222.101.54	100%	48,557
104.236.243.71	100%	954
130.12.180.70	91%	27,186
130.12.180.82	91%	26,150