Check an IP Address, Domain Name, Subnet, or ASN

66.132.172.35 was found in our database!

$ whois 66.132.172.35

country·🇺🇸 United States

isp·Censys, Inc.

asn·AS398324

network·Standard

$ sikker risk 66.132.172.35scoring →

confidence

82%Very High

first_seen·Mar 20, 2026

last_seen·1h ago

sessions·36

events·36

$ sikker protocols 66.132.172.35

SMTP

15 / 15

HTTP

10 / 10

SSH

5 / 5

HTTPS

3 / 3

DOCKER

2 / 2

MONGODB

1 / 1

$ sikker summary 66.132.172.35

66.132.172.35 has a threat confidence score of 82%. This IP address from United States (AS398324, Censys, Inc.) has been observed in 36 honeypot sessions targeting SMTP, HTTP, SSH, HTTPS, DOCKER and 1 other protocols. First observed on March 20, 2026, most recently active March 23, 2026.

$ sikker behaviors 66.132.172.35catalog →

mediumMongodb Version Fingerprinting Reconnaissance1x

Remote client performs MongoDB service validation and environment fingerprinting by first initiating a wire-protocol handshake (ismaster / hello) followed by execution of the buildInfo command against the admin database. This sequence indicates targeted reconnaissance to determine server role, software version, build characteristics, and platform details. Such activity is commonly associated with automated scanning frameworks and pre-exploitation tooling used to assess exposure and identify version-specific vulnerabilities prior to authentication attempts or database enumeration

infoHttp Root Path Request4x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttp Bad Request Route Probe1x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

infoSmtp Censys Tls Capability Probe1x

SMTP interaction identified as an internet-wide scanning probe originating from Censys infrastructure. The client announces itself via EHLO www.censys.io and issues a STARTTLS request to verify TLS upgrade support and collect service capability metadata. This pattern reflects automated reconnaissance and exposure mapping rather than direct exploitation, but still represents active external probing of the SMTP service.

$ sikker primitives 66.132.172.35

docker_get_method12 docker_bad_request_uri7 http_method_get6 mongodb_ismaster1 smtp_ehlo_greeting1 http_path_bad_request1 smtp_starttls_upgrade_request1 mongodb_buildinfo_admin_command1 smtp_ehlo_censys_scanner_identifier1

$ sikker related 66.132.172.35

🇺🇸·More threats fromUnited States→AS·More threats fromCensys, Inc.→SMTP·More threats targetingSMTP→HTTP·More threats targetingHTTP→SSH·More threats targetingSSH→HTTP·More threats targetingHTTPS→DOCK·More threats targetingDOCKER→MONG·More threats targetingMONGODB→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
66.132.172.33	91%	80
66.132.172.208	67%	21
66.132.172.130	90%	92
66.132.186.178	50%	6
167.94.138.34	50%	1,468

IP Address	Confidence	Events
20.65.194.166	71%	171
20.168.107.40	69%	132
92.118.39.63	100%	53,072
3.151.241.153	100%	4,985
185.238.231.153	76%	190