Check an IP Address, Domain Name, Subnet, or ASN

20.65.195.117 was found in our database!

Confidence Level

74%

High?

Geolocation

🇺🇸

United StatesSan Antonio

ISPMicrosoft Corporation

ASNAS8075

Activity Timeline

First seenJan 22, 2026, 07:25 AM

Last seen1h ago

108Sessions

144Events

Protocol Breakdown

HTTPS

17 / 26

SMTP

18 / 24

HTTP

15 / 22

FTP

8 / 14

SSH

12 / 12

MONGODB

8 / 12

IMAP

6 / 6

MSSQL

6 / 6

TELNET

4 / 6

SIP

2 / 4

SMB

4 / 4

ELASTICSEARCH

4 / 4

DOCKER

3 / 3

POSTGRES

1 / 1

20.65.195.117 has a high threat confidence level of 74%, originating from San Antonio, United States, on the Microsoft Corporation network (8075). It has been observed across 108 sessions targeting HTTPS, SMTP, HTTP, FTP, SSH and 9 other protocols, First observed on January 22, 2026, most recently active March 11, 2026.

Behaviors

Classified behavioral patterns observed

Http Root Path Request

info2x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Https Root Path Request

info2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Http Bad Request Route Probe

info2x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

Ftp Tls Upgrade

info1x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

Docker Invalid Protocol Probe

info1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Primitives

Individual actions observed

Smtp Ehlo Greeting7 Elastic Http Get Request7 Elastic Http Bad Request Path Probe6 Http Method Get4 Docker Get Method3 Https Path Root2 Http Path Bad Request2 Ftp Auth Tls1 Docker Bad Request Uri1 Elastic Root Path Probe1

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
20.80.83.86	71%	104
20.246.194.204	29%	3
20.14.75.2	64%	140
20.115.37.33	76%	95
172.208.69.47	100%	314

IP Address	Confidence	Events
130.12.180.57	91%	25,606
172.208.69.47	100%	313
130.12.180.66	91%	25,503
130.12.180.70	91%	25,617
45.205.1.8	88%	1,169