Check an IP Address, Domain Name, Subnet, or ASN

66.132.172.104 was found in our database!

$ whois 66.132.172.104

country·🇺🇸 United States

isp·Censys, Inc.

asn·AS398324

network·Standard

$ sikker risk 66.132.172.104scoring →

confidence

90%Very High

first_seen·Mar 20, 2026

last_seen·1h ago

first_reported·Mar 22, 2026

last_reported·1d ago

sessions·35

events·35

reports·1

$ sikker protocols 66.132.172.104

HTTP

10 / 10

HTTPS

9 / 9

IMAP

5 / 5

SMTP

2 / 2 / 1r

SIP

2 / 2

DOCKER

2 / 2

ELASTICSEARCH

2 / 2

SSH

1 / 1

RTSP

1 / 1

REDIS

1 / 1

$ sikker summary 66.132.172.104

66.132.172.104 has a threat confidence score of 90%. This IP address from United States (AS398324, Censys, Inc.) has been observed in 35 honeypot sessions and reported 1 times targeting HTTP, HTTPS, IMAP, SMTP, SIP and 5 other protocols. First observed on March 20, 2026, most recently active March 23, 2026.

$ sikker behaviors 66.132.172.104catalog →

lowRedis Automated Service Fingerprinting Sequence1x

Identifies an automated Redis service probing sequence consisting of PING, INFO (uppercase invocation), execution of a deliberately nonexistent command to assess error handling behavior, and QUIT. This tightly grouped pattern reflects reconnaissance and fingerprinting activity used by scanners and exploitation frameworks to determine Redis version, configuration details, and command availability prior to follow-on exploitation attempts. The inclusion of a nonexistent command indicates capability probing rather than normal client interaction.

infoHttp Root Path Request4x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoSmtp Censys Tls Capability Probe1x

SMTP interaction identified as an internet-wide scanning probe originating from Censys infrastructure. The client announces itself via EHLO www.censys.io and issues a STARTTLS request to verify TLS upgrade support and collect service capability metadata. This pattern reflects automated reconnaissance and exposure mapping rather than direct exploitation, but still represents active external probing of the SMTP service.

$ sikker primitives 66.132.172.104

elastic_http_get_request22 docker_get_method12 elastic_http_bad_request_path_probe8 docker_bad_request_uri7 elastic_root_path_probe6 http_method_get4 http2_pri_method_probe2 http2_pri_asterisk_probe2 elastic_nodes_enumeration2 elastic_cluster_stats_request2 elastic_http_favicon_path_probe2 sip_call_id_alphanumeric_entropy2 redis_ping1 redis_quit1 rtsp_options1 https_path_root1 smtp_ehlo_greeting1 redis_info_uppercase1 redis_nonexistent_command1 smtp_starttls_upgrade_request1

$ sikker reports 66.132.172.104submit →

Showing 1 of 1 report from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 22, 2026, 01:08	Brute Force	SMTP	SikkerGuard: 10 blocked packets

$ sikker related 66.132.172.104

🇺🇸·More threats fromUnited States→AS·More threats fromCensys, Inc.→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→IMAP·More threats targetingIMAP→SMTP·More threats targetingSMTP→SIP·More threats targetingSIP→DOCK·More threats targetingDOCKER→ELAS·More threats targetingELASTICSEARCH→SSH·More threats targetingSSH→RTSP·More threats targetingRTSP→REDI·More threats targetingREDIS→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
206.168.34.115	50%	1,532
66.132.172.131	88%	81
66.132.186.220	26%	1
162.142.125.37	50%	1,765
162.142.125.198	50%	2,223

IP Address	Confidence	Events
165.245.175.173	98%	3,428
193.37.33.184	83%	4,345
185.238.231.181	85%	4,154
64.62.156.94	99%	1,546
92.118.39.87	100%	253,383