Check an IP Address, Domain Name, Subnet, or ASN

20.14.95.138 was found in our database!

$ whois 20.14.95.138

country·🇺🇸 United States

city·Phoenix

isp·Microsoft Corporation

asn·AS8075

network·Standard

$ sikker risk 20.14.95.138scoring →

confidence

89%Very High

first_seen·Jan 20, 2026

last_seen·1h ago

first_reported·Mar 3, 2026

last_reported·Mar 10, 2026

sessions·168

events·202

reports·2

$ sikker protocols 20.14.95.138

HTTPS

59 / 69

SMTP

12 / 23

SSH

20 / 21

HTTP

12 / 16 / 1r

SMB

10 / 11

ELASTICSEARCH

11 / 11

MONGODB

5 / 9

IMAP

8 / 8

POSTGRES

6 / 7

DOCKER

4 / 6 / 1r

TELNET

6 / 6

FTP

4 / 4

RDP

4 / 4

SIP

4 / 4

MSSQL

2 / 2

REDIS

1 / 1

$ sikker summary 20.14.95.138

20.14.95.138 has a threat confidence score of 89%. This IP address from United States (AS8075, Microsoft Corporation) has been observed in 168 honeypot sessions and reported 2 times targeting HTTPS, SMTP, SSH, HTTP, SMB and 11 other protocols. First observed on January 20, 2026, most recently active April 19, 2026.

$ sikker behaviors 20.14.95.138catalog →

lowHttps Path Developmentserver Metadatauploader Probe1x

HTTPS request to /developmentserver/metadatauploader.

infoHttp Root Path Request6x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request4x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoFtp Tls Upgrade2x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

infoHttp Http Method Get2x

HTTP request using GET method.

infoDocker Invalid Protocol Probe1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

$ sikker primitives 20.14.95.138

elastic_http_get_request11 http_method_get7 elastic_http_bad_request_path_probe7 smtp_ehlo_greeting6 https_path_root4 docker_get_method3 ftp_auth_tls2 redis_info_lowercase1 http_path_bad_request1 docker_bad_request_uri1 https_path_developmentserver_metadatauploader1

$ sikker reports 20.14.95.138submit →

Showing 2 of 2 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 10, 2026, 02:04	Brute Force	HTTP	SikkerGuard: 2 blocked packets
User	Mar 3, 2026, 22:40	Brute Force	DOCKER	SikkerGuard: 2 blocked packets

$ sikker related 20.14.95.138

Report IP WHOIS Lookup →

IP Address	Confidence	Events
20.64.105.215	76%	243
20.65.193.67	78%	217
20.163.33.221	85%	191
20.29.23.94	77%	200
20.163.10.187	93%	281

IP Address	Confidence	Events
20.65.193.254	91%	199
185.218.138.28	97%	19,479
199.45.154.134	49%	521
185.218.138.17	97%	23,569
3.131.220.121	100%	28,494