Check an IP Address, Domain Name, Subnet, or ASN

66.132.186.177 was found in our database!

$ whois 66.132.186.177

country·🇺🇸 United States

network·Standard

$ sikker risk 66.132.186.177scoring →

confidence

100%Very High

first_seen·Mar 22, 2026

last_seen·4d ago

first_reported·May 4, 2026

last_reported·5d ago

sessions·587

events·587

reports·2

$ sikker protocols 66.132.186.177

HTTP

168 / 168

HTTPS

76 / 76

SMTP

63 / 63

POSTGRES

61 / 61

IMAP

55 / 55

SIP

53 / 53

RDP

28 / 28

FTP

17 / 17

SSH

16 / 16

ELASTICSEARCH

13 / 13

SMB

8 / 8

DOCKER

8 / 8

TELNET

8 / 8

REDIS

6 / 6

MONGODB

4 / 4

MSSQL

3 / 3

$ sikker summary 66.132.186.177

66.132.186.177 has a threat confidence score of 100%. This IP address from United States has been observed in 587 honeypot sessions and reported 2 times targeting HTTP, HTTPS, SMTP, POSTGRES, IMAP and 11 other protocols. First observed on March 22, 2026, most recently active May 6, 2026.

$ sikker behaviors 66.132.186.177catalog →

mediumMongodb Version Fingerprinting Reconnaissance4x

Remote client performs MongoDB service validation and environment fingerprinting by first initiating a wire-protocol handshake (ismaster / hello) followed by execution of the buildInfo command against the admin database. This sequence indicates targeted reconnaissance to determine server role, software version, build characteristics, and platform details. Such activity is commonly associated with automated scanning frameworks and pre-exploitation tooling used to assess exposure and identify version-specific vulnerabilities prior to authentication attempts or database enumeration

mediumRdp Legacy Plaintext Authentication Attempt3x

Identifies RDP clients attempting authentication using the legacy RDP security mode where credentials are exchanged through the older RDP security layer instead of Network Level Authentication (NLA). This indicates the client negotiated legacy plaintext authentication during the RDP security handshake

infoHttp Http Method Get45x

HTTP request using GET method.

infoHttp Root Path Request45x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoSmtp Censys Tls Capability Probe12x

SMTP interaction identified as an internet-wide scanning probe originating from Censys infrastructure. The client announces itself via EHLO www.censys.io and issues a STARTTLS request to verify TLS upgrade support and collect service capability metadata. This pattern reflects automated reconnaissance and exposure mapping rather than direct exploitation, but still represents active external probing of the SMTP service.

infoHttp Bad Request Route Probe10x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

infoFtp Tls Upgrade7x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

infoHttp Fetch Robots Txt7x

HTTP GET request to /robots.txt.

infoHttps Root Path Request3x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoHttps Path Robots Txt2x

HTTPS request to /robots.txt.

$ sikker primitives 66.132.186.177

elastic_http_get_request113 http_method_get65 docker_get_method42 elastic_http_bad_request_path_probe36 elastic_root_path_probe28 docker_bad_request_uri25 sip_call_id_alphanumeric_entropy17 smtp_ehlo_greeting14 elastic_nodes_enumeration14 elastic_cluster_stats_request14 smtp_ehlo_censys_scanner_identifier14 http_path_bad_request12 smtp_starttls_upgrade_request12 http2_pri_method_probe11 http2_pri_asterisk_probe11 empty_ftp_command10 elastic_http_favicon_path_probe10 ftp_auth_tls7 http_robots_txt_path_probe7 https_path_root4

$ sikker reports 66.132.186.177submit →

Showing 2 of 2 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
Anonymous	May 5, 2026, 12:04	Brute Force	—	SikkerGuard: 8 blocked packets
Anonymous	May 4, 2026, 08:33	Brute Force	—	SikkerGuard: 45 blocked packets

$ sikker related 66.132.186.177

Report IP WHOIS Lookup →

IP Address	Confidence	Events
173.203.50.156	65%	7
72.167.225.241	76%	10,980
172.86.105.127	98%	158
205.179.219.2	89%	95
155.138.210.119	68%	986