3.149.59.26 — Amazon.com, Inc., US — Very High (100%)

Check an IP Address, Domain Name, Subnet, or ASN

3.149.59.26 was found in our database!

Confidence Level

100%

Very High?

Geolocation

🇺🇸

United StatesColumbus

ISPAmazon.com, Inc.

ASNAS16509

Activity Timeline

First seenJan 20, 2026, 01:54 PM

Last seen26d ago

5,716Sessions

14,608Events

Protocol Breakdown

SMTP

1050 / 3653

RTSP

373 / 1538

HTTPS

722 / 1476

REDIS

304 / 1391

HTTP

442 / 1084

MONGODB

439 / 1062

SIP

404 / 1025

POSTGRES

678 / 894

IMAP

270 / 800

TELNET

242 / 488

SSH

227 / 434

MSSQL

241 / 241

SMB

209 / 236

TR069

54 / 153

FTP

32 / 64

POP3

28 / 60

DOCKER

1 / 9

3.149.59.26 has a very high threat confidence level of 100%, originating from Columbus, United States, on the Amazon.com, Inc. network (16509). It has been observed across 5,716 sessions targeting SMTP, RTSP, HTTPS, REDIS, HTTP and 12 other protocols, First observed on January 20, 2026, most recently active February 4, 2026.

Behaviors

Classified behavioral patterns observed

Mongodb Database Enumeration

medium62x

Client performs initial MongoDB discovery using isMaster followed by listDatabases and buildinfo, indicating active enumeration of server structure and version details. This pattern goes beyond basic probing and reflects an attempt to map available databases on an exposed instance.

Redis Service Fingerprint Enumeration

low11x

Identifies Redis service discovery and basic environment enumeration where an actor probes with invalid commands, validates availability using PING, retrieves server metadata via INFO (case variations), and gracefully exits with QUIT. This pattern is commonly used to fingerprint exposed Redis instances before exploitation.

Redis Automated Service Fingerprinting Sequence

low11x

Identifies an automated Redis service probing sequence consisting of PING, INFO (uppercase invocation), execution of a deliberately nonexistent command to assess error handling behavior, and QUIT. This tightly grouped pattern reflects reconnaissance and fingerprinting activity used by scanners and exploitation frameworks to determine Redis version, configuration details, and command availability prior to follow-on exploitation attempts. The inclusion of a nonexistent command indicates capability probing rather than normal client interaction.

Https Root Path Request

info27x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Http Bad Request Route Probe

info11x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

Docker Invalid Protocol Probe

info1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Primitives

Individual actions observed

Mongodb Ismaster310 Mongodb Buildinfo310 Mongodb Listdatabases310 Docker Get Method36 Https Path Root27 Docker Bad Request Uri18 Redis Ping11 Redis Quit11 Http Method Get11 Redis Info Uppercase11 Http Path Bad Request11 Redis Nonexistent Command11

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
35.89.107.44	41%	2
3.77.24.41	61%	778
43.209.249.157	56%	6
3.77.221.157	67%	1,008
54.183.206.92	47%	3

IP Address	Confidence	Events
162.243.212.243	99%	1,215
162.142.125.115	30%	2,428
20.168.121.252	67%	99
99.60.18.106	53%	356
66.132.153.132	99%	1,710