Check an IP Address, Domain Name, Subnet, or ASN

40.124.175.75 was found in our database!

Confidence Level

86%

Very High?

Geolocation

🇺🇸

United StatesSan Antonio

ISPMicrosoft Corporation

ASNAS8075

Activity Timeline

First seenJan 20, 2026, 09:33 PM

Last seen21m ago

First reportedMar 3, 2026, 03:40 AM

Last reported6d ago

120Sessions

172Events

1Reports

Protocol Breakdown

HTTPS

43 / 51

HTTP

12 / 24

SIP

6 / 16

IMAP

8 / 12

SSH

8 / 11

SMTP

11 / 11

SMB

8 / 8

DOCKER

5 / 7

MONGODB

3 / 7

POP3

2 / 5

MSSQL

5 / 5

REDIS

2 / 5

TELNET

2 / 4

POSTGRES

3 / 4

ELASTICSEARCH

2 / 2

40.124.175.75 has a very high threat confidence level of 86%, originating from San Antonio, United States, on the Microsoft Corporation network (8075). It has been observed across 120 sessions targeting HTTPS, HTTP, SIP, IMAP, SSH and 10 other protocols, First observed on January 20, 2026, most recently active March 10, 2026.

Behaviors

Classified behavioral patterns observed

Redis Mglndd Campaign Activity

low1x

Redis session where the client presents the MGLNDD-prefixed identifier (for example MGLNDD_[ip]_6379) within the connection metadata, indicating activity from a specific automated Redis scanning framework. The behavior is triggered by the previously defined primitive detecting this exact tag pattern and groups sessions attributed to that tooling. The behavior reflects identifiable automated access rather than standard Redis client usage and does not assume additional commands beyond the observable identifier.

Https Root Path Request

info5x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

Http Root Path Request

info3x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

Http Bad Request Route Probe

info1x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

Docker Invalid Protocol Probe

info1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Primitives

Individual actions observed

Https Path Root5 Docker Get Method5 Http Method Get4 Mongodb Buildinfo3 Smtp Ehlo Greeting3 Elastic Http Get Request3 Http Path Bad Request1 Docker Bad Request Uri1 Elastic Root Path Probe1 Redis Mglndd Client Identifier Tag1 Elastic Http Bad Request Path Probe1

User Reports

1 report from 1 contributor

Date	Category	Protocol	Comment
Mar 3, 2026	Brute Force	SMTP	SikkerGuard: 2 blocked packets

Related Threats

Explore related threat intelligence

🇺🇸More threats fromUnited States ASMore threats fromMicrosoft Corporation HTTPSMore threats targetingHTTPS HTTPMore threats targetingHTTP SIPMore threats targetingSIP IMAPMore threats targetingIMAP SSHMore threats targetingSSH SMTPMore threats targetingSMTP SMBMore threats targetingSMB DOCKERMore threats targetingDOCKER MONGODBMore threats targetingMONGODB POP3More threats targetingPOP3 MSSQLMore threats targetingMSSQL REDISMore threats targetingREDIS TELNETMore threats targetingTELNET POSTGRESMore threats targetingPOSTGRES ELASTICSEARCHMore threats targetingELASTICSEARCH { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
20.65.194.43	71%	169
52.224.242.102	73%	130
52.165.80.115	86%	162
172.202.118.47	59%	157
135.119.89.93	63%	88

IP Address	Confidence	Events
130.12.180.19	91%	10,853
130.12.180.77	91%	10,155
130.12.180.71	91%	10,854
130.12.180.37	88%	11,222
130.12.180.51	100%	19,657