Check an IP Address, Domain Name, Subnet, or ASN

20.106.48.199 was found in our database!

$ whois 20.106.48.199

country·🇺🇸 United States

city·Des Moines

isp·Microsoft Corporation

asn·AS8075

network·Standard

$ sikker risk 20.106.48.199scoring →

confidence

74%High

first_seen·Jan 21, 2026

last_seen·1h ago

first_reported·Mar 22, 2026

last_reported·7h ago

sessions·79

events·133

reports·1

$ sikker protocols 20.106.48.199

HTTPS

34 / 61

TELNET

10 / 16

MONGODB

8 / 10

SSH

4 / 7

HTTP

3 / 7

RDP

6 / 6

SMTP

2 / 6

SMB

4 / 5

ELASTICSEARCH

2 / 4

SIP

1 / 3

REDIS

1 / 3

POSTGRES

2 / 3

MSSQL

2 / 2

DOCKER

0 / 0 / 1r

$ sikker summary 20.106.48.199

20.106.48.199 has a threat confidence score of 74%. This IP address from United States (AS8075, Microsoft Corporation) has been observed in 79 honeypot sessions and reported 1 times targeting HTTPS, TELNET, MONGODB, SSH, HTTP and 9 other protocols. First observed on January 21, 2026, most recently active March 22, 2026.

$ sikker behaviors 20.106.48.199catalog →

lowRedis Info Reconnaissance1x

The client authenticated to a Redis service and executed the INFO command (info / redis_info_lowercase) without attempting configuration changes, data access, or command execution. The INFO command retrieves server metadata including version, role (master/replica), connected clients, memory usage, persistence settings, and replication status. This behavior is consistent with automated reconnaissance activity where a bot validates exposure, fingerprints the Redis instance, and determines whether it is a viable target for follow-up exploitation (e.g., replication abuse, module loading, or persistence manipulation). No destructive or modification activity was observed in this session.

infoHttp Root Path Request1x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 20.106.48.199

smtp_ehlo_greeting3 elastic_http_get_request3 elastic_http_bad_request_path_probe2 http_method_get1 https_path_root1 redis_info_lowercase1 elastic_root_path_probe1

$ sikker reports 20.106.48.199submit →

Showing 1 of 1 report from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 22, 2026, 24:22	Brute Force	DOCKER	SikkerGuard: 2 blocked packets

$ sikker related 20.106.48.199

Report IP WHOIS Lookup →

IP Address	Confidence	Events
20.169.105.85	86%	121
20.102.112.104	82%	1,587
20.255.61.0	100%	312
172.172.186.3	100%	185
20.83.165.140	49%	31

IP Address	Confidence	Events
66.132.172.46	82%	30
208.68.37.118	73%	71
65.49.1.160	51%	71
68.68.101.178	92%	4,198
181.215.65.49	85%	2,748