Check an IP Address, Domain Name, Subnet, or ASN

20.65.194.59 was found in our database!

$ whois 20.65.194.59

country·🇺🇸 United States

city·San Antonio

isp·Microsoft Corporation

asn·AS8075

network·Standard

$ sikker risk 20.65.194.59scoring →

confidence

76%High

first_seen·Jan 20, 2026

last_seen·1h ago

sessions·115

events·160

$ sikker protocols 20.65.194.59

HTTPS

22 / 37

HTTP

13 / 21

FTP

6 / 16

SSH

14 / 16

SMTP

8 / 12

ELASTICSEARCH

11 / 11

SIP

10 / 10

SMB

8 / 8

MONGODB

4 / 8

RDP

6 / 6

IMAP

2 / 4

TELNET

4 / 4

REDIS

2 / 2

DOCKER

2 / 2

POSTGRES

2 / 2

MSSQL

1 / 1

$ sikker summary 20.65.194.59

20.65.194.59 has a threat confidence score of 76%. This IP address from United States (AS8075, Microsoft Corporation) has been observed in 115 honeypot sessions targeting HTTPS, HTTP, FTP, SSH, SMTP and 11 other protocols. First observed on January 20, 2026, most recently active March 22, 2026.

$ sikker behaviors 20.65.194.59catalog →

mediumRedis Mglndd Campaign Activity1x

Authenticated Redis sessions where the source issues a command containing the MGLNDD_[ip]_6379 pattern. The value is transmitted as part of the executed command rather than connection metadata and appears programmatically generated. This behavior groups activity where the previously defined primitive detects the MGLNDD command pattern, reflecting automated Redis interaction observed through honeypot telemetry. No assumptions are made about operator intent beyond the execution of this specific command string.

infoHttp Root Path Request2x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoHttp Bad Request Route Probe1x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

$ sikker primitives 20.65.194.59

elastic_http_get_request17 elastic_http_bad_request_path_probe13 smtp_ehlo_greeting4 http_method_get3 elastic_root_path_probe3 ftp_auth_ssl2 ftp_auth_tls2 docker_get_method2 sip_call_id_token_at_ip2 https_path_root1 http_path_bad_request1 redis_mglndd_client_identifier_tag1

$ sikker related 20.65.194.59

Report IP WHOIS Lookup →

IP Address	Confidence	Events
20.102.112.104	82%	2,004
172.174.250.151	72%	144
20.29.23.176	70%	113
20.64.105.81	78%	147
20.15.160.31	67%	119

IP Address	Confidence	Events
181.215.65.49	85%	3,577
143.198.64.52	67%	79
92.118.39.95	100%	82,098
198.143.191.202	98%	85,501
64.62.197.62	100%	1,782