Check an IP Address, Domain Name, Subnet, or ASN

35.195.56.172 was found in our database!

$ whois 35.195.56.172

country·🇧🇪 Belgium

city·Brussels

isp·Google LLC

asn·AS396982

network·Standard

$ sikker risk 35.195.56.172scoring →

confidence

92%Very High

first_seen·Apr 15, 2026

last_seen·1h ago

sessions·45

events·45

$ sikker protocols 35.195.56.172

FTP

12 / 12

ELASTICSEARCH

8 / 8

SMB

7 / 7

POSTGRES

7 / 7

MONGODB

6 / 6

HTTP

3 / 3

HTTPS

1 / 1

DOCKER

1 / 1

$ sikker summary 35.195.56.172

35.195.56.172 has a threat confidence score of 92%. This IP address from Belgium (AS396982, Google LLC) has been observed in 45 honeypot sessions targeting FTP, ELASTICSEARCH, SMB, POSTGRES, MONGODB and 3 other protocols. First observed on April 15, 2026, most recently active April 20, 2026.

$ sikker behaviors 35.195.56.172catalog →

mediumMongodb Containerized Pymongo Environment Enumeration2x

Identifies a structured MongoDB reconnaissance sequence performed by a modern PyMongo client operating from a Kubernetes-orchestrated Linux container. The actor negotiates server capabilities using a hello / ismaster handshake, enumerates server build metadata via buildinfo, performs lightweight database name discovery using listDatabases with nameOnly, and explicitly terminates logical sessions using endSessions. This pattern reflects automated tooling or scripted workflows conducting deployment fingerprinting, access surface mapping, and compatibility validation prior to further database interaction.

lowFtp Passive Session Initialization6x

FTP session where the client authenticates, queries the working directory, sets transfer mode, and enters passive mode without performing any file transfer or directory listing.

infoHttp Http Method Get3x

HTTP request using GET method.

infoHttp Root Path Request3x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 35.195.56.172

elastic_http_get_request24 elastic_root_path_probe12 ftp_print_working_directory12 mongodb_ismaster_topology_await_admin12 ftp_set_utf86 smb_root_read6 ftp_user_probe6 ftp_set_ascii_mode6 smb_srvsvc_rpc_bind6 ftp_password_attempt6 ftp_enter_passive_mode6 smb_rpc_srvsvc_interface_access6 elastic_http_bad_request_path_probe6 mongodb_ismaster_hellook_client_env_kubernetes_pymongo4 http_method_get3 smb_samr_rpc_bind3 smb_ipc_share_access3 smb_srvsvc_pipe_open3 mongodb_endSessions_admin_command2 mongodb_buildinfo_admin_lsid_command2

$ sikker related 35.195.56.172

🇧🇪·More threats fromBelgium→AS·More threats fromGoogle LLC→FTP·More threats targetingFTP→ELAS·More threats targetingELASTICSEARCH→SMB·More threats targetingSMB→POST·More threats targetingPOSTGRES→MONG·More threats targetingMONGODB→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→DOCK·More threats targetingDOCKER→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
34.155.82.99	91%	11,899
34.53.158.15	100%	264
34.77.166.77	100%	402
34.14.59.22	100%	447
34.14.23.97	100%	411

IP Address	Confidence	Events
34.53.158.15	100%	264
34.77.166.77	100%	402
34.14.59.22	100%	447
34.14.23.97	100%	411
35.187.62.96	44%	4