Check an IP Address, Domain Name, Subnet, or ASN

201.71.144.239 was found in our database!

$ whois 201.71.144.239

country·🇧🇷 Brazil

city·Cuiabá

isp·AVATO TECNOLOGIA S.A

asn·AS28635

network·Standard

$ sikker risk 201.71.144.239scoring →

confidence

99%Very High

first_seen·Jan 26, 2026

last_seen·28d ago

sessions·38

events·136

$ sikker protocols 201.71.144.239

TELNET

38 / 136

$ sikker summary 201.71.144.239

201.71.144.239 has a threat confidence score of 99%. This IP address from Brazil (AS28635, AVATO TECNOLOGIA S.A) has been observed in 38 honeypot sessions targeting TELNET protocols. Detected attack patterns include telnet busybox shell activation with capability check, telnet shell breakout with busybox payload execution, telnet busybox multi method payload retrieval and execution. First observed on January 26, 2026, most recently active February 20, 2026.

$ sikker behaviors 201.71.144.239catalog →

highTelnet Busybox Shell Activation With Capability Check25x

Identifies a Telnet session where BusyBox is leveraged to activate or access a shell environment (sh, shell, system, linuxshell, enable) followed by command capability validation (ping). This pattern reflects deliberate shell breakout and execution-context validation commonly observed in IoT botnets and embedded Linux compromise workflows. The presence of multiple shell invocation variants combined with BusyBox applet usage indicates adaptive execution logic rather than incidental command usage.

highTelnet Shell Breakout With Busybox Payload Execution2x

Telnet session exhibiting privilege escalation and shell breakout attempts (enable, system, linuxshell, shell, sh) followed by execution of /bin/busybox with a non-standard or arbitrary applet name. The combination indicates an automated attempt to escape restricted CLI environments and execute a staged or randomly named payload via BusyBox. This pattern is characteristic of IoT/Linux bot deployment frameworks leveraging BusyBox as a universal execution wrapper.

highTelnet Busybox Multi Method Payload Retrieval And Execution1x

Identifies a Telnet session where an attacker leverages BusyBox utilities to retrieve a remote payload using one or more file transfer mechanisms (e.g., wget, curl, ftpget, or tftp) followed by execution of the downloaded script via sh. This pattern is consistent with IoT botnet propagation and automated malware deployment.

$ sikker primitives 201.71.144.239

telnet_command_sh68 telnet_command_enable33 telnet_command_linuxshell33 telnet_command_system32 telnet_busybox_unknown_applet_invocation32 telnet_command_ping31 telnet_command_shell31 busybox_applet_enumeration24 busybox_binary_presence_check19 shell_fallback_probe5 system_shell_entry1 shell_interpreter_probe1 linux_shell_entry_attempt1 network_connectivity_probe1 telnet_busybox_wget_execution1 privileged_mode_enable_attempt1 telnet_sh_execute_downloaded_script1 telnet_busybox_ftpget_remote_file_download1 telnet_busybox_tftp_get_remote_file_stdout1 telnet_curl_remote_script_stdout_execution1

$ sikker related 201.71.144.239

🇧🇷·More threats fromBrazil→AS·More threats fromAVATO TECNOLOGIA S.A→TELN·More threats targetingTELNET→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
201.71.173.44	99%	59
201.71.157.40	38%	207
201.71.175.163	97%	233
201.71.152.109	85%	7
201.71.145.229	48%	20

IP Address	Confidence	Events
201.17.133.91	43%	29
177.126.90.4	39%	238
138.186.44.196	24%	49
38.211.30.70	31%	108
177.190.67.44	76%	133