Check an IP Address, Domain Name, Subnet, or ASN

20.64.104.62 was found in our database!

$ whois 20.64.104.62

country·🇺🇸 United States

city·San Antonio

isp·Microsoft Corporation

asn·AS8075

network·Standard

$ sikker risk 20.64.104.62scoring →

confidence

73%High

first_seen·Jan 21, 2026

last_seen·1h ago

sessions·93

events·129

$ sikker protocols 20.64.104.62

HTTPS

29 / 34

HTTP

11 / 24

FTP

8 / 14

SSH

6 / 9

ELASTICSEARCH

8 / 8

IMAP

7 / 7

SMB

6 / 6

TELNET

4 / 6

REDIS

2 / 5

SIP

2 / 4

SMTP

4 / 4

DOCKER

2 / 4

MSSQL

2 / 2

POSTGRES

2 / 2

$ sikker summary 20.64.104.62

20.64.104.62 has a threat confidence score of 73%. This IP address from United States (AS8075, Microsoft Corporation) has been observed in 93 honeypot sessions targeting HTTPS, HTTP, FTP, SSH, ELASTICSEARCH and 9 other protocols. First observed on January 21, 2026, most recently active March 20, 2026.

$ sikker behaviors 20.64.104.62catalog →

lowRedis Mglndd Campaign Activity1x

Redis session where the client presents the MGLNDD-prefixed identifier (for example MGLNDD_[ip]_6379) within the connection metadata, indicating activity from a specific automated Redis scanning framework. The behavior is triggered by the previously defined primitive detecting this exact tag pattern and groups sessions attributed to that tooling. The behavior reflects identifiable automated access rather than standard Redis client usage and does not assume additional commands beyond the observable identifier.

infoHttp Root Path Request3x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoHttp Bad Request Route Probe1x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

infoDocker Invalid Protocol Probe1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

$ sikker primitives 20.64.104.62

elastic_http_get_request10 http_method_get4 elastic_http_bad_request_path_probe4 smtp_ehlo_greeting2 https_path_root1 docker_get_method1 http_path_bad_request1 docker_bad_request_uri1 elastic_root_path_probe1 redis_mglndd_client_identifier_tag1

$ sikker related 20.64.104.62

Report IP WHOIS Lookup →

IP Address	Confidence	Events
20.102.112.104	82%	749
172.174.72.225	100%	736
20.29.57.244	57%	81
20.29.22.204	50%	77
20.98.166.120	57%	92

IP Address	Confidence	Events
45.79.181.251	93%	1,765
45.205.1.20	54%	14
185.238.231.181	85%	1,381
195.184.76.66	59%	85
45.131.194.105	85%	1,383