Check an IP Address, Domain Name, Subnet, or ASN

71.6.135.131 was found in our database!

$ whois 71.6.135.131

country·🇺🇸 United States

isp·CariNet, Inc.

asn·AS10439

network·Standard

$ sikker risk 71.6.135.131scoring →

confidence

100%Very High

first_seen·Jan 20, 2026

last_seen·7h ago

first_reported·Feb 27, 2026

last_reported·29d ago

sessions·2,672

events·3,792

reports·4

$ sikker protocols 71.6.135.131

SMTP

583 / 1,147

HTTPS

665 / 798

FTP

413 / 466

IMAP

283 / 350

HTTP

112 / 173 / 1r

TELNET

130 / 165

RDP

107 / 107

POSTGRES

83 / 101

SSH

81 / 96 / 1r

SMB

33 / 89 / 1r

MONGODB

34 / 62

DOCKER

31 / 53

REDIS

24 / 40

RTSP

24 / 36 / 1r

WINRM

16 / 34

MSSQL

28 / 28

SIP

12 / 24

ELASTICSEARCH

13 / 23

$ sikker summary 71.6.135.131

71.6.135.131 has a threat confidence score of 100%. This IP address from United States (AS10439, CariNet, Inc.) has been observed in 2,672 honeypot sessions and reported 4 times targeting SMTP, HTTPS, FTP, IMAP, HTTP and 13 other protocols. First observed on January 20, 2026, most recently active April 15, 2026.

$ sikker behaviors 71.6.135.131catalog →

mediumRdp Legacy Plaintext Authentication Attempt25x

Identifies RDP clients attempting authentication using the legacy RDP security mode where credentials are exchanged through the older RDP security layer instead of Network Level Authentication (NLA). This indicates the client negotiated legacy plaintext authentication during the RDP security handshake

mediumRedis Structured Service Enumeration17x

Identifies coordinated Redis service reconnaissance consisting of INFO retrieval, CLIENT LIST enumeration of connected peers, and incremental keyspace iteration via SCAN. This tightly grouped pattern reflects automated or manual post-access mapping of server configuration, active clients, and stored keyspace structure. The sequence indicates structured environment profiling prior to potential data extraction or exploitation.

mediumSip Request Uri Sip Nm5x

SIP request using sip:nm as the Request-URI, a malformed or placeholder target commonly observed in SIP scanning and fuzzing activity rather than legitimate client behavior.

lowRtsp Options Probe20x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

infoSmtp Tls Capability Probe63x

Automated SMTP interaction performing a minimal capability check by issuing EHLO followed by a STARTTLS upgrade request and immediately terminating the session. This pattern is commonly associated with internet-wide scanners, security research crawlers, or opportunistic bots verifying whether an SMTP service supports encrypted communication. The absence of authentication attempts or message submission indicates reconnaissance or service fingerprinting rather than active abuse.

infoFtp Tls Upgrade29x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

infoHttps Path Robots Txt11x

HTTPS request to /robots.txt.

infoDocker Invalid Protocol Probe6x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

infoHttp Root Path Request5x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request5x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 71.6.135.131

empty_ftp_command324 smtp_ehlo_greeting124 smtp_starttls_upgrade_request106 smb_root_read99 docker_get_method95 ftp_auth_tls72 elastic_http_get_request61 ftp_user_probe42 ftp_password_attempt42 ftp_help_request41 ftp_feature_list_request41 rtsp_options36 docker_bad_request_uri34 rdp_legacy_plaintext_authenthication25 smb_srvsvc_rpc_bind18 redis_info_uppercase17 redis_scan_cursor_iteration17 redis_client_list_enumeration17 elastic_root_path_probe13 elastic_nodes_enumeration12

$ sikker reports 71.6.135.131submit →

Showing 4 of 4 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 17, 2026, 13:16	Brute Force	RTSP	SikkerGuard: 2 blocked packets
User	Mar 4, 2026, 20:41	Brute Force	HTTP	SikkerGuard: 2 blocked packets
User	Mar 1, 2026, 10:15	Brute Force	SMB	SikkerGuard: 2 blocked packets
User	Feb 27, 2026, 19:17	Brute Force	SSH	SikkerGuard: 2 blocked packets

$ sikker related 71.6.135.131

Report IP WHOIS Lookup →

IP Address	Confidence	Events
71.6.232.30	100%	1,426
71.6.165.200	100%	1,454
71.6.199.65	100%	2,403
71.6.199.23	100%	5,027
71.6.199.87	100%	1,454

IP Address	Confidence	Events
66.240.192.138	100%	2,334
212.162.151.134	94%	799
73.1.253.194	95%	1,059
66.132.172.103	100%	605
34.42.70.70	93%	798