Check an IP Address, Domain Name, Subnet, or ASN

66.132.172.199 was found in our database!

$ whois 66.132.172.199

country·🇺🇸 United States

isp·Censys, Inc.

asn·AS398324

network·Standard

$ sikker risk 66.132.172.199scoring →

confidence

96%Very High

first_seen·Mar 19, 2026

last_seen·1h ago

first_reported·Mar 20, 2026

last_reported·11h ago

sessions·39

events·39

reports·1

$ sikker protocols 66.132.172.199

POSTGRES

11 / 11

SMTP

7 / 7

MONGODB

6 / 6

SSH

4 / 4

HTTPS

3 / 3

DOCKER

2 / 2 / 1r

SIP

2 / 2

ELASTICSEARCH

2 / 2

RTSP

1 / 1

TELNET

1 / 1

$ sikker summary 66.132.172.199

66.132.172.199 has a threat confidence score of 96%. This IP address from United States (AS398324, Censys, Inc.) has been observed in 39 honeypot sessions and reported 1 times targeting POSTGRES, SMTP, MONGODB, SSH, HTTPS and 5 other protocols. First observed on March 19, 2026, most recently active March 21, 2026.

$ sikker behaviors 66.132.172.199catalog →

mediumMongodb Version Fingerprinting Reconnaissance6x

Remote client performs MongoDB service validation and environment fingerprinting by first initiating a wire-protocol handshake (ismaster / hello) followed by execution of the buildInfo command against the admin database. This sequence indicates targeted reconnaissance to determine server role, software version, build characteristics, and platform details. Such activity is commonly associated with automated scanning frameworks and pre-exploitation tooling used to assess exposure and identify version-specific vulnerabilities prior to authentication attempts or database enumeration

lowRtsp Options Probe1x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

infoSmtp Censys Tls Capability Probe7x

SMTP interaction identified as an internet-wide scanning probe originating from Censys infrastructure. The client announces itself via EHLO www.censys.io and issues a STARTTLS request to verify TLS upgrade support and collect service capability metadata. This pattern reflects automated reconnaissance and exposure mapping rather than direct exploitation, but still represents active external probing of the SMTP service.

$ sikker primitives 66.132.172.199

docker_get_method12 smtp_ehlo_greeting7 docker_bad_request_uri7 smtp_starttls_upgrade_request7 smtp_ehlo_censys_scanner_identifier7 mongodb_ismaster6 mongodb_buildinfo_admin_command6 elastic_http_get_request4 elastic_root_path_probe2 sip_call_id_alphanumeric_entropy2 rtsp_options1 elastic_nodes_enumeration1 elastic_cluster_stats_request1

$ sikker reports 66.132.172.199submit →

Showing 1 of 1 report from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 20, 2026, 22:06	Brute Force	DOCKER	SikkerGuard: 18 blocked packets

$ sikker related 66.132.172.199

🇺🇸·More threats fromUnited States→AS·More threats fromCensys, Inc.→POST·More threats targetingPOSTGRES→SMTP·More threats targetingSMTP→MONG·More threats targetingMONGODB→SSH·More threats targetingSSH→HTTP·More threats targetingHTTPS→DOCK·More threats targetingDOCKER→SIP·More threats targetingSIP→ELAS·More threats targetingELASTICSEARCH→RTSP·More threats targetingRTSP→TELN·More threats targetingTELNET→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
206.168.34.193	50%	1,717
66.132.172.205	66%	31
206.168.34.209	50%	1,964
66.132.172.141	78%	36
167.94.138.45	49%	1,588

IP Address	Confidence	Events
92.118.39.62	100%	371,902
172.202.118.20	84%	160
20.80.105.17	81%	141
45.33.88.85	27%	7
64.227.22.237	90%	27