Check an IP Address, Domain Name, Subnet, or ASN

40.124.175.197 was found in our database!

$ whois 40.124.175.197

country·🇺🇸 United States

city·San Antonio

isp·Microsoft Corporation

asn·AS8075

network·Standard

$ sikker risk 40.124.175.197scoring →

confidence

75%High

first_seen·Jan 22, 2026

last_seen·1h ago

sessions·82

events·117

$ sikker protocols 40.124.175.197

HTTPS

18 / 31

HTTP

11 / 13

IMAP

8 / 12

ELASTICSEARCH

10 / 12

FTP

6 / 10

MONGODB

4 / 8

SMTP

7 / 7

REDIS

4 / 7

DOCKER

4 / 6

SSH

4 / 5

SMB

2 / 2

TELNET

2 / 2

MSSQL

1 / 1

POSTGRES

1 / 1

$ sikker summary 40.124.175.197

40.124.175.197 has a threat confidence score of 75%. This IP address from United States (AS8075, Microsoft Corporation) has been observed in 82 honeypot sessions targeting HTTPS, HTTP, IMAP, ELASTICSEARCH, FTP and 9 other protocols. First observed on January 22, 2026, most recently active March 27, 2026.

$ sikker behaviors 40.124.175.197catalog →

lowRedis Mglndd Campaign Activity1x

Redis session where the client presents the MGLNDD-prefixed identifier (for example MGLNDD_[ip]_6379) within the connection metadata, indicating activity from a specific automated Redis scanning framework. The behavior is triggered by the previously defined primitive detecting this exact tag pattern and groups sessions attributed to that tooling. The behavior reflects identifiable automated access rather than standard Redis client usage and does not assume additional commands beyond the observable identifier.

infoHttp Root Path Request9x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoFtp Tls Upgrade1x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoDocker Invalid Protocol Probe1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

$ sikker primitives 40.124.175.197

elastic_http_get_request13 http_method_get9 elastic_http_bad_request_path_probe9 docker_get_method3 mongodb_buildinfo3 ftp_auth_tls2 smtp_ehlo_greeting2 redis_mglndd_client_identifier_tag2 ftp_auth_ssl1 https_path_root1 docker_bad_request_uri1 elastic_root_path_probe1

$ sikker related 40.124.175.197

Report IP WHOIS Lookup →

IP Address	Confidence	Events
40.124.185.240	88%	177
74.241.251.207	95%	1,043
172.190.220.228	100%	74
20.127.195.254	57%	129
172.190.216.105	100%	136

IP Address	Confidence	Events
66.175.212.125	70%	15
72.207.33.65	40%	328
45.56.103.66	67%	5
208.3.195.65	100%	106,372
193.19.109.134	80%	1,035