Check an IP Address, Domain Name, Subnet, or ASN

35.216.140.3 was found in our database!

$ whois 35.216.140.3

country·🇨🇭 Switzerland

city·Zurich

isp·Google LLC

asn·AS15169

network·Standard

$ sikker risk 35.216.140.3scoring →

confidence

100%Very High

first_seen·Jan 20, 2026

last_seen·12h ago

first_reported·Mar 1, 2026

last_reported·23d ago

sessions·1,424

events·2,606

reports·6

$ sikker protocols 35.216.140.3

FTP

168 / 1,122 / 1r

HTTPS

612 / 612

HTTP

320 / 320

MONGODB

164 / 262

SSH

102 / 155 / 2r

ELASTICSEARCH

32 / 109

RDP

26 / 26

SMB

0 / 0 / 2r

DOCKER

0 / 0 / 1r

$ sikker summary 35.216.140.3

35.216.140.3 has a threat confidence score of 100%. This IP address from Switzerland (AS15169, Google LLC) has been observed in 1,424 honeypot sessions and reported 6 times targeting FTP, HTTPS, HTTP, MONGODB, SSH and 4 other protocols. Detected attack patterns include http dotenv file exposure probe, https dotenv environment file exposure probe, http git repository config exposure probe. First observed on January 20, 2026, most recently active April 12, 2026.

$ sikker behaviors 35.216.140.3catalog →

highHttp Dotenv File Exposure Probe11x

Identifies HTTP GET requests targeting the /.env file, indicating attempts to access exposed environment configuration files commonly containing application secrets such as database credentials, API keys, and service tokens.

highHttps Dotenv Environment File Exposure Probe10x

Identifies an HTTPS request targeting a .env file in the web root or application directory. Access attempts to /.env indicate automated scanning for exposed environment configuration files that may contain application secrets, database credentials, API keys, or cloud tokens. This probe is commonly associated with opportunistic internet-wide scanning for misconfigured web deployments.

highHttp Git Repository Config Exposure Probe4x

Identifies HTTP GET requests targeting /.git/config, indicating attempts to access exposed Git repository configuration files. Successful access may enable repository reconstruction, credential harvesting, or source code disclosure.

mediumRdp Nla Ntlm Authentication Attempt26x

Identifies RDP clients attempting authentication using Network Level Authentication (NLA) with the NTLM challenge-response protocol. This occurs during the CredSSP negotiation phase before a remote desktop session is established and indicates an active credential authentication attempt against the RDP service

mediumHttps Dotgit Repository Configuration Exposure Probe13x

Identifies an HTTPS request targeting the .git/config file within a web-accessible repository directory. Access attempts to /.git/config indicate automated repository exposure scanning intended to retrieve remote origin URLs, repository structure, and potentially credential-bearing configuration data. This is a common reconnaissance technique used to identify misconfigured web servers exposing version control metadata.

lowFtp Control Channel Protocol Anomaly12x

FTP session where an empty control-channel command is observed in conjunction with non-printable binary data on the control channel. This pattern reflects malformed or non-FTP-compliant input, commonly seen during TLS handshake attempts on plaintext endpoints, protocol confusion, or automated scanner misfires.

infoHttp Http Method Get62x

HTTP request using GET method.

infoHttp Root Path Request62x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttp Bad Request Route Probe18x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

infoHttps Root Path Request6x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 35.216.140.3

ftp_enter_extended_passive_mode426 ftp_machine_list_directory419 http_method_get204 elastic_http_get_request192 empty_ftp_command66 elastic_root_path_probe64 elastic_http_bad_request_path_probe64 elastic_nodes_enumeration32 elastic_cat_indices_enumeration32 ftp_control_channel_binary_payload30 ftp_set_utf827 ftp_user_probe27 ftp_help_request27 ftp_set_binary_mode27 ftp_feature_list_request27 rdp_nla_ntlm_auth26 http_path_bad_request23 http_path_config_json23 http_path_dotenv21 http_path_dotgit_config19

$ sikker reports 35.216.140.3submit →

Showing 5 of 6 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 20, 2026, 14:51	Brute Force	SMB	SikkerGuard: 2 blocked packets
User	Mar 12, 2026, 07:47	Brute Force	DOCKER	SikkerGuard: 2 blocked packets
User	Mar 10, 2026, 14:34	Brute Force	SSH	SikkerGuard: 2 blocked packets
User	Mar 6, 2026, 02:41	Brute Force	FTP	SikkerGuard: 2 blocked packets
User	Mar 5, 2026, 10:11	Brute Force	SMB	SikkerGuard: 2 blocked packets

1 / 2

$ sikker related 35.216.140.3

🇨🇭·More threats fromSwitzerland→AS·More threats fromGoogle LLC→FTP·More threats targetingFTP→HTTP·More threats targetingHTTPS→HTTP·More threats targetingHTTP→MONG·More threats targetingMONGODB→SSH·More threats targetingSSH→ELAS·More threats targetingELASTICSEARCH→RDP·More threats targetingRDP→SMB·More threats targetingSMB→DOCK·More threats targetingDOCKER→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
35.216.201.9	100%	2,671
35.209.82.23	68%	23
35.216.183.140	100%	1,658
35.216.156.249	100%	1,060
66.249.73.168	9%	2

IP Address	Confidence	Events
179.43.186.223	82%	1,414
179.43.139.58	83%	8,563
35.216.201.9	100%	2,672
138.124.7.7	90%	15
37.120.213.13	100%	993