Check an IP Address, Domain Name, Subnet, or ASN

35.203.211.153 was found in our database!

$ whois 35.203.211.153

country·🇬🇧 United Kingdom

city·City of London

isp·Google LLC

asn·AS396982

network·Standard

$ sikker risk 35.203.211.153scoring →

confidence

77%High

first_seen·Jan 21, 2026

last_seen·2d ago

sessions·168

events·254

$ sikker protocols 35.203.211.153

SMTP

41 / 80

MONGODB

21 / 43

RDP

31 / 36

SIP

29 / 29

MSSQL

16 / 16

FTP

4 / 15

REDIS

8 / 12

TELNET

5 / 9

HTTP

4 / 5

SMB

4 / 4

SSH

3 / 3

HTTPS

2 / 2

$ sikker summary 35.203.211.153

35.203.211.153 has a threat confidence score of 77%. This IP address from United Kingdom (AS396982, Google LLC) has been observed in 168 honeypot sessions targeting SMTP, MONGODB, RDP, SIP, MSSQL and 7 other protocols. First observed on January 21, 2026, most recently active April 17, 2026.

$ sikker behaviors 35.203.211.153catalog →

mediumRdp Legacy Plaintext Authentication Attempt1x

Identifies RDP clients attempting authentication using the legacy RDP security mode where credentials are exchanged through the older RDP security layer instead of Network Level Authentication (NLA). This indicates the client negotiated legacy plaintext authentication during the RDP security handshake

infoHttp Root Path Request3x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoRedis Info Command Invocation2x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 35.203.211.153

sip_call_id_alphanumeric_entropy20 smtp_ehlo_greeting16 http_method_get3 redis_command_ff2 redis_info_uppercase2 redis_command_32c03840666aa2a3352 mongodb_serverstatus_float_command2 redis_command_cc676b33393c3d2f35c02 https_path_root1 ftp_control_channel_binary_payload1 rdp_legacy_plaintext_authenthication1

$ sikker related 35.203.211.153

Report IP WHOIS Lookup →

IP Address	Confidence	Events
35.199.91.184	95%	2,260
198.235.24.15	99%	430
205.210.31.146	98%	334
198.235.24.16	98%	313
147.185.132.117	99%	397

IP Address	Confidence	Events
78.153.140.251	100%	1,373
78.153.140.93	100%	4,569
193.104.222.24	96%	119
85.11.183.23	90%	1,409
51.89.235.201	88%	78,272