Check an IP Address, Domain Name, Subnet, or ASN

38.12.6.117 was found in our database!

$ whois 38.12.6.117

country·🇺🇸 United States

city·San Jose

isp·AROSSCLOUD INC.

asn·AS400619

network·Standard

$ sikker risk 38.12.6.117scoring →

confidence

87%Very High

first_seen·Mar 13, 2026

last_seen·7d ago

first_reported·Mar 15, 2026

last_reported·6d ago

sessions·5

events·5

reports·1

$ sikker protocols 38.12.6.117

TELNET

2 / 2

SSH

1 / 1 / 1r

HTTP

1 / 1

DOCKER

1 / 1

$ sikker summary 38.12.6.117

38.12.6.117 has a threat confidence score of 87%. This IP address from United States (AS400619, AROSSCLOUD INC.) has been observed in 5 honeypot sessions and reported 1 times targeting TELNET, SSH, HTTP, DOCKER protocols. Detected attack patterns include http mass web rce exploitation scanning. First observed on March 13, 2026, most recently active March 15, 2026.

$ sikker behaviors 38.12.6.117catalog →

highHttp Mass Web Rce Exploitation Scanning1x

Coordinated automated exploitation attempts targeting public-facing web services, including PHPUnit eval-stdin access, PHP-CGI argument injection, Docker API exposure, directory traversal, ThinkPHP invokeFunction abuse, and command execution patterns (wget/curl pipe to shell). Identifies opportunistic bot-driven RCE scanning and framework-specific exploit chaining against internet-exposed applications.

$ sikker primitives 38.12.6.117

http_method_get42 http_php_echo_md5_hello_phpunit_marker37 telnet_echo_hex_escape_sequence_output4 docker_post_method3 telnet_command_sh2 telnet_command_shell2 telnet_command_enable2 telnet_command_system2 docker_container_exec_path2 http_body_wget_curl_pipe_to_sh_selfrep2 http_thinkphp_invokefunction_call_user_func_array_md52 telnet_wget_sh_no_check_certificate_quiet_stdout_exec2 http_php_cgi_allow_url_include_auto_prepend_input_injection2 docker_get_method1 docker_exec_start_endpoint1 docker_list_containers_endpoint1 http_cgi_bin_direct_bin_sh_access1 http_phpunit_eval_stdin_php_path_access1 http_phpunit_license_eval_stdin_path_probe1 http_docker_api_containers_json_path_access1

$ sikker reports 38.12.6.117submit →

Showing 1 of 1 report from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 15, 2026, 01:14	Brute Force	SSH	SikkerGuard: 2 blocked packets

$ sikker related 38.12.6.117

🇺🇸·More threats fromUnited States→AS·More threats fromAROSSCLOUD INC.→TELN·More threats targetingTELNET→SSH·More threats targetingSSH→HTTP·More threats targetingHTTP→DOCK·More threats targetingDOCKER→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
38.165.42.102	94%	15
38.55.146.197	35%	10
38.55.146.194	30%	2
154.193.217.134	30%	2
38.55.146.198	28%	24

IP Address	Confidence	Events
157.230.224.183	99%	434
162.142.125.44	50%	1,729
92.118.39.72	100%	116,780
66.132.172.134	81%	29
144.172.105.60	98%	38,911