Check an IP Address, Domain Name, Subnet, or ASN

66.132.172.202 was found in our database!

$ whois 66.132.172.202

country·🇺🇸 United States

isp·Censys, Inc.

asn·AS398324

network·Standard

$ sikker risk 66.132.172.202scoring →

confidence

83%Very High

first_seen·Mar 20, 2026

last_seen·1h ago

sessions·38

events·38

$ sikker protocols 66.132.172.202

SIP

12 / 12

HTTPS

9 / 9

IMAP

5 / 5

REDIS

4 / 4

SMB

3 / 3

SMTP

3 / 3

MONGODB

1 / 1

ELASTICSEARCH

1 / 1

$ sikker summary 66.132.172.202

66.132.172.202 has a threat confidence score of 83%. This IP address from United States (AS398324, Censys, Inc.) has been observed in 38 honeypot sessions targeting SIP, HTTPS, IMAP, REDIS, SMB and 3 other protocols. First observed on March 20, 2026, most recently active March 21, 2026.

$ sikker behaviors 66.132.172.202catalog →

mediumMongodb Version Fingerprinting Reconnaissance1x

Remote client performs MongoDB service validation and environment fingerprinting by first initiating a wire-protocol handshake (ismaster / hello) followed by execution of the buildInfo command against the admin database. This sequence indicates targeted reconnaissance to determine server role, software version, build characteristics, and platform details. Such activity is commonly associated with automated scanning frameworks and pre-exploitation tooling used to assess exposure and identify version-specific vulnerabilities prior to authentication attempts or database enumeration

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoSmtp Censys Tls Capability Probe1x

SMTP interaction identified as an internet-wide scanning probe originating from Censys infrastructure. The client announces itself via EHLO www.censys.io and issues a STARTTLS request to verify TLS upgrade support and collect service capability metadata. This pattern reflects automated reconnaissance and exposure mapping rather than direct exploitation, but still represents active external probing of the SMTP service.

$ sikker primitives 66.132.172.202

elastic_http_get_request11 sip_call_id_alphanumeric_entropy4 elastic_http_bad_request_path_probe4 elastic_root_path_probe3 https_path_root1 mongodb_ismaster1 smtp_ehlo_greeting1 http2_pri_method_probe1 https_path_bad_request1 http2_pri_asterisk_probe1 elastic_nodes_enumeration1 elastic_cluster_stats_request1 smtp_starttls_upgrade_request1 elastic_http_favicon_path_probe1 mongodb_buildinfo_admin_command1 smtp_ehlo_censys_scanner_identifier1 elastic_http_security_txt_path_probe1

$ sikker related 66.132.172.202

🇺🇸·More threats fromUnited States→AS·More threats fromCensys, Inc.→SIP·More threats targetingSIP→HTTP·More threats targetingHTTPS→IMAP·More threats targetingIMAP→REDI·More threats targetingREDIS→SMB·More threats targetingSMB→SMTP·More threats targetingSMTP→MONG·More threats targetingMONGODB→ELAS·More threats targetingELASTICSEARCH→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
206.168.34.222	50%	1,970
66.132.172.108	85%	43
206.168.34.123	50%	1,575
162.142.125.121	50%	3,263
66.132.172.44	78%	56

IP Address	Confidence	Events
162.142.125.121	50%	3,262
38.54.50.81	97%	2,759
185.218.138.21	97%	4,665
162.216.150.118	67%	93
162.216.150.115	55%	116