Check an IP Address, Domain Name, Subnet, or ASN

20.163.2.150 was found in our database!

$ whois 20.163.2.150

country·🇺🇸 United States

city·Phoenix

isp·Microsoft Corporation

asn·AS8075

network·Standard

$ sikker risk 20.163.2.150scoring →

confidence

88%Very High

first_seen·Jan 22, 2026

last_seen·1h ago

first_reported·Feb 26, 2026

last_reported·21d ago

sessions·109

events·138

reports·2

$ sikker protocols 20.163.2.150

HTTPS

37 / 44 / 1r

SMTP

12 / 20

TELNET

8 / 12

FTP

6 / 9 / 1r

POSTGRES

9 / 9

HTTP

6 / 8

ELASTICSEARCH

7 / 7

IMAP

6 / 6

MONGODB

4 / 6

SIP

3 / 5

SMB

4 / 5

SSH

2 / 2

REDIS

2 / 2

DOCKER

2 / 2

MSSQL

1 / 1

$ sikker summary 20.163.2.150

20.163.2.150 has a threat confidence score of 88%. This IP address from United States (AS8075, Microsoft Corporation) has been observed in 109 honeypot sessions and reported 2 times targeting HTTPS, SMTP, TELNET, FTP, POSTGRES and 10 other protocols. First observed on January 22, 2026, most recently active March 20, 2026.

$ sikker behaviors 20.163.2.150catalog →

mediumRedis Mglndd Campaign Activity1x

Authenticated Redis sessions where the source issues a command containing the MGLNDD_[ip]_6379 pattern. The value is transmitted as part of the executed command rather than connection metadata and appears programmatically generated. This behavior groups activity where the previously defined primitive detects the MGLNDD command pattern, reflecting automated Redis interaction observed through honeypot telemetry. No assumptions are made about operator intent beyond the execution of this specific command string.

infoHttp Root Path Request5x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoFtp Tls Upgrade1x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

infoDocker Invalid Protocol Probe1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

$ sikker primitives 20.163.2.150

elastic_http_get_request8 http_method_get5 elastic_http_bad_request_path_probe4 https_path_root2 docker_get_method2 smtp_ehlo_greeting2 ftp_auth_tls1 docker_bad_request_uri1 elastic_root_path_probe1 redis_mglndd_client_identifier_tag1

$ sikker reports 20.163.2.150submit →

Showing 2 of 2 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Feb 26, 2026, 16:16	Brute Force	HTTPS	SikkerGuard: 2 blocked packets
User	Feb 26, 2026, 07:35	Brute Force	FTP	SikkerGuard: 2 blocked packets

$ sikker related 20.163.2.150

Report IP WHOIS Lookup →

IP Address	Confidence	Events
20.102.112.104	78%	246
135.232.201.51	77%	2
52.225.29.7	97%	15
145.132.102.242	92%	7
172.172.87.201	96%	12

IP Address	Confidence	Events
172.172.87.201	95%	10
38.54.50.81	94%	159
198.235.24.70	96%	226
96.0.160.144	87%	17,322
92.118.39.87	100%	249,344