Check an IP Address, Domain Name, Subnet, or ASN

35.205.235.254 was found in our database!

$ whois 35.205.235.254

country·🇧🇪 Belgium

city·Brussels

isp·Google LLC

asn·AS396982

network·Standard

$ sikker risk 35.205.235.254scoring →

confidence

98%Very High

first_seen·Jan 20, 2026

last_seen·29d ago

sessions·259

events·688

$ sikker protocols 35.205.235.254

FTP

72 / 262

MONGODB

43 / 161

SMB

34 / 81

POSTGRES

41 / 60

HTTP

25 / 51

HTTPS

22 / 39

DOCKER

7 / 19

ELASTICSEARCH

15 / 15

$ sikker summary 35.205.235.254

35.205.235.254 has a threat confidence score of 98%. This IP address from Belgium (AS396982, Google LLC) has been observed in 259 honeypot sessions targeting FTP, MONGODB, SMB, POSTGRES, HTTP and 3 other protocols. First observed on January 20, 2026, most recently active February 25, 2026.

$ sikker behaviors 35.205.235.254catalog →

mediumSmb Remote Enumeration Via Samr And Srvsvc6x

Composite behavior identifying authenticated SMB interaction where a client accesses the IPC$ share, performs root directory reads, binds to the SAMR RPC interface, and interacts with the SRVSVC service pipe. This sequence is consistent with remote host and account enumeration activity over SMB, typically used to gather domain, user, and share information prior to lateral movement or privilege escalation attempts.

mediumSmb Srvsvc Data Share Traversal3x

SMB session using srvsvc NetShareEnumAll followed by repeated connection and directory listing of the DATA share.

mediumSmb Authenticated Host And Share Enumeration3x

Composite behavior identifying authenticated SMB activity where a client accesses both IPC$ and data shares, performs root directory reads, and binds to SAMR and SRVSVC RPC interfaces. This sequence is consistent with structured remote enumeration of host configuration, shared resources, and account information, often conducted prior to lateral movement or privilege escalation attempts.

lowFtp Passive Directory Listing2x

FTP session where the client enters passive mode (PASV) and issues a LIST command to retrieve a directory listing from the server.

lowFtp Passive Session Initialization1x

FTP session where the client authenticates, queries the working directory, sets transfer mode, and enters passive mode without performing any file transfer or directory listing.

infoHttps Root Path Request9x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoHttp Root Path Request5x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

$ sikker primitives 35.205.235.254

smb_root_read189 smb_data_share_access57 elastic_http_get_request38 elastic_root_path_probe22 smb_srvsvc_rpc_bind18 https_path_root9 smb_samr_rpc_bind9 smb_ipc_share_access9 smb_srvsvc_pipe_open9 elastic_http_bad_request_path_probe8 mongodb_ismaster_topology_await_admin6 http_method_get5 ftp_print_working_directory4 ftp_set_utf82 ftp_user_probe2 docker_get_method2 ftp_list_directory2 ftp_set_ascii_mode2 ftp_password_attempt2 ftp_enter_passive_mode2

$ sikker related 35.205.235.254

🇧🇪·More threats fromBelgium→AS·More threats fromGoogle LLC→FTP·More threats targetingFTP→MONG·More threats targetingMONGODB→SMB·More threats targetingSMB→POST·More threats targetingPOSTGRES→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→DOCK·More threats targetingDOCKER→ELAS·More threats targetingELASTICSEARCH→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
35.202.9.133	87%	1,641
205.210.31.51	96%	273
205.210.31.44	94%	251
162.216.149.43	69%	134
198.235.24.106	98%	324

IP Address	Confidence	Events
34.76.59.29	99%	67
34.62.131.131	97%	76
34.14.59.22	100%	114
34.53.234.233	70%	10
35.241.166.201	99%	168