Check an IP Address, Domain Name, Subnet, or ASN

64.89.163.154 was found in our database!

$ whois 64.89.163.154

country·🇬🇧 United Kingdom

isp·Netiface America, Inc.

asn·AS401626

network·Standard

$ sikker risk 64.89.163.154scoring →

confidence

100%Very High

first_seen·Jan 24, 2026

last_seen·12m ago

first_reported·Feb 25, 2026

last_reported·21h ago

sessions·4,858

events·11,816

reports·8

$ sikker protocols 64.89.163.154

MYSQL

4,858 / 11,816 / 8r

$ sikker summary 64.89.163.154

64.89.163.154 has a threat confidence score of 100%. This IP address from United Kingdom (AS401626, Netiface America, Inc.) has been observed in 4,858 honeypot sessions and reported 8 times targeting MYSQL protocols. Detected attack patterns include mysql ransom extortion workflow, mysql pre extortion valuation and ransom drop, mysql targeted database destruction and 2 more. First observed on January 24, 2026, most recently active March 20, 2026.

$ sikker behaviors 64.89.163.154catalog →

very_highMysql Ransom Extortion Workflow8x

Performs a coordinated sequence of MySQL actions to create and select a ransom-themed database and table, insert extortion markers, and explicitly manage transactions, clearly signaling database compromise and intent to extort the owner

very_highMysql Pre Extortion Valuation And Ransom Drop7x

Performs a structured MySQL extortion workflow that first disables autocommit and calculates database size via information_schema to assess data value, then enumerates tables, creates a ransom table, inserts explicit extortion messages with payment instructions, and commits the transaction—clearly indicating intentional database extortion following valuation.

very_highMysql Targeted Database Destruction4x

Explicitly disables autocommit, then deliberately drops multiple named databases and commits the transaction, indicating intentional and controlled destructive activity against specific MySQL databases rather than reconnaissance or misconfiguration.

highMysql Ransomware Database Staging18x

Adversary creates and switches to a newly generated database, creates ransom-related tables, inserts ransom marker content, and commits transactional changes while optionally disabling autocommit. The sequence includes table enumeration and structured write operations indicative of database-level ransomware staging or defacement activity intended to persist extortion instructions or disrupt normal data availability.

highMysql Transactional Server Shutdown8x

A transactional sequence where autocommit is disabled, the MySQL SHUTDOWN command is issued, and the transaction is committed. This pattern represents an authenticated user intentionally terminating the MySQL server process, resulting in immediate database service disruption or denial of service.

mediumMysql Privilege Revocation Transaction3x

A transactional sequence where autocommit is disabled, database privileges (INSERT, DELETE, CREATE, DROP) are revoked from a user on a target database, privilege tables are flushed, and the transaction is committed. This pattern indicates deliberate modification of MySQL access control, potentially used to restrict or alter another account’s capabilities after gaining database access.

lowMysql Transaction Manipulation Probe34x

Disables MySQL autocommit mode without performing any follow-up actions, indicating an initial transaction manipulation probe or a failed/aborted attempt to prepare multi-step database operations. Often seen in low-confidence automation or disrupted attack flows.

$ sikker primitives 64.89.163.154

mysql_insert_ransom_marker158 mysql_disable_autocommit_uppercase157 sql_commit_transaction153 mysql_use_database122 mysql_create_ransom_table79 mysql_disable_autocommit77 mysql_drop_database61 sql_enumerate_tables51 sql_enumerate_tables_capital33 mysql_calculate_database_size32 mysql_use_ransom_database18 mysql_create_ransom_database18 mysql_shutdown_server14 mysql_revoke_insert_delete_create_drop_on_database_from_user6 mysql_flush_privileges3

$ sikker reports 64.89.163.154submit →

Showing 5 of 8 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 20, 2026, 02:54	Brute Force	MYSQL	SikkerGuard: 2 blocked packets
User	Mar 11, 2026, 22:11	Brute Force	MYSQL	SikkerGuard: 2 blocked packets
User	Mar 4, 2026, 11:41	Brute Force	MYSQL	SikkerGuard: 2 blocked packets
User	Mar 3, 2026, 11:10	Brute Force	MYSQL	SikkerGuard: 2 blocked packets
User	Mar 2, 2026, 20:10	Brute Force	MYSQL	SikkerGuard: 2 blocked packets

1 / 2

$ sikker related 64.89.163.154

🇬🇧·More threats fromUnited Kingdom→AS·More threats fromNetiface America, Inc.→MYSQ·More threats targetingMYSQL→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
64.89.163.145	100%	15,509
64.89.163.86	100%	8,134
64.89.163.131	100%	43,608
64.89.163.243	100%	5,074
64.89.163.92	100%	5,746

IP Address	Confidence	Events
194.213.3.5	97%	1,953
185.38.149.140	83%	195
185.247.137.117	89%	425
85.11.183.21	89%	806
158.220.86.73	95%	548