Check an IP Address, Domain Name, Subnet, or ASN

46.151.182.159 was found in our database!

$ whois 46.151.182.159

country·🇳🇱 The Netherlands

isp·Ghosty Networks LLC

asn·AS205759

network·Standard

$ sikker risk 46.151.182.159scoring →

confidence

100%Very High

first_seen·Jan 31, 2026

last_seen·9h ago

sessions·2,321

events·4,998

$ sikker protocols 46.151.182.159

MYSQL

2,321 / 4,998

$ sikker summary 46.151.182.159

46.151.182.159 has a threat confidence score of 100%. This IP address from The Netherlands (AS205759, Ghosty Networks LLC) has been observed in 2,321 honeypot sessions targeting MYSQL protocols. Detected attack patterns include mysql ransom extortion workflow, mysql ransomware database staging, mysql transactional server shutdown. First observed on January 31, 2026, most recently active April 21, 2026.

$ sikker behaviors 46.151.182.159catalog →

very_highMysql Ransom Extortion Workflow1x

Performs a coordinated sequence of MySQL actions to create and select a ransom-themed database and table, insert extortion markers, and explicitly manage transactions, clearly signaling database compromise and intent to extort the owner

highMysql Ransomware Database Staging14x

Adversary creates and switches to a newly generated database, creates ransom-related tables, inserts ransom marker content, and commits transactional changes while optionally disabling autocommit. The sequence includes table enumeration and structured write operations indicative of database-level ransomware staging or defacement activity intended to persist extortion instructions or disrupt normal data availability.

highMysql Transactional Server Shutdown2x

A transactional sequence where autocommit is disabled, the MySQL SHUTDOWN command is issued, and the transaction is committed. This pattern represents an authenticated user intentionally terminating the MySQL server process, resulting in immediate database service disruption or denial of service.

mediumMysql Privilege Revocation Transaction1x

A transactional sequence where autocommit is disabled, database privileges (INSERT, DELETE, CREATE, DROP) are revoked from a user on a target database, privilege tables are flushed, and the transaction is committed. This pattern indicates deliberate modification of MySQL access control, potentially used to restrict or alter another account’s capabilities after gaining database access.

lowMysql Transaction Manipulation Probe7x

Disables MySQL autocommit mode without performing any follow-up actions, indicating an initial transaction manipulation probe or a failed/aborted attempt to prepare multi-step database operations. Often seen in low-confidence automation or disrupted attack flows.

$ sikker primitives 46.151.182.159

mysql_disable_autocommit_uppercase465 mysql_insert_ransom_marker236 mysql_use_database208 sql_commit_transaction175 mysql_create_ransom_table118 sql_enumerate_tables81 mysql_drop_database76 sql_enumerate_tables_capital67 mysql_use_ransom_database14 mysql_create_ransom_database14 mysql_disable_autocommit13 mysql_shutdown_server2 mysql_calculate_database_size2 mysql_revoke_insert_delete_create_drop_on_database_from_user2 mysql_flush_privileges1

$ sikker related 46.151.182.159

🇳🇱·More threats fromThe Netherlands→AS·More threats fromGhosty Networks LLC→MYSQ·More threats targetingMYSQL→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
46.151.182.191	93%	4,077
43.228.157.45	100%	5,548
64.89.160.44	77%	73
46.151.182.189	94%	4,268
46.151.182.167	82%	6,343

IP Address	Confidence	Events
45.148.10.183	100%	15,140
185.224.128.16	83%	1,952
130.12.180.174	91%	7,855
185.189.182.234	93%	2,623
45.148.10.192	100%	39,690