Check an IP Address, Domain Name, Subnet, or ASN

91.132.160.202 was found in our database!

$ whois 91.132.160.202

country·🇩🇪 Germany

city·Frankfurt am Main

isp·Senko Digital LLC

asn·AS213520

network·Standard

$ sikker risk 91.132.160.202scoring →

confidence

95%Very High

first_seen·Feb 21, 2026

last_seen·10d ago

sessions·11

events·19

$ sikker protocols 91.132.160.202

SSH

8 / 16

HTTP

1 / 1

HTTPS

1 / 1

DOCKER

1 / 1

$ sikker summary 91.132.160.202

91.132.160.202 has a threat confidence score of 95%. This IP address from Germany (AS213520, Senko Digital LLC) has been observed in 11 honeypot sessions targeting SSH, HTTP, HTTPS, DOCKER protocols. Detected attack patterns include ssh authorized keys persistence established, ssh automated post compromise recon and persistence chain, http mass web rce exploitation scanning. First observed on February 21, 2026, most recently active March 18, 2026.

$ sikker behaviors 91.132.160.202catalog →

very_highSsh Authorized Keys Persistence Established1x

Removal of filesystem attribute protections from the user’s .ssh directory followed by deletion and recreation of the directory and insertion of a new public key into authorized_keys. This pattern reflects deliberate modification of SSH trust configuration to establish persistent key-based access.

very_highSsh Automated Post Compromise Recon And Persistence Chain1x

Identifies an SSH session performing comprehensive automated host reconnaissance (CPU, memory, disk, processes, users), followed by credential modification and SSH key manipulation consistent with scripted post-compromise takeover and persistence establishment.

highHttp Mass Web Rce Exploitation Scanning1x

Coordinated automated exploitation attempts targeting public-facing web services, including PHPUnit eval-stdin access, PHP-CGI argument injection, Docker API exposure, directory traversal, ThinkPHP invokeFunction abuse, and command execution patterns (wget/curl pipe to shell). Identifies opportunistic bot-driven RCE scanning and framework-specific exploit chaining against internet-exposed applications.

$ sikker primitives 91.132.160.202

http_method_get42 http_php_echo_md5_hello_phpunit_marker37 docker_post_method3 docker_container_exec_path2 ssh_authorized_keys_replacement_home2 http_body_wget_curl_pipe_to_sh_selfrep2 https_query_thinkphp_invokefunction_md5_probe2 https_body_wget_curl_pipe_to_sh_apache_selfrep2 http_thinkphp_invokefunction_call_user_func_array_md52 unix_home_ssh_directory_attribute_modification_attempt2 http_php_cgi_allow_url_include_auto_prepend_input_injection2 https_php_ini_directive_injection_allow_url_include_auto_prepend_file2 ssh_uname_all1 https_path_root1 docker_get_method1 ssh_whoami_user_identity1 docker_exec_start_endpoint1 ssh_uname_basic_invocation1 ssh_lscpu_model_field_filter1 ssh_cpuinfo_name_count_via_wc1

$ sikker related 91.132.160.202

🇩🇪·More threats fromGermany→AS·More threats fromSenko Digital LLC→SSH·More threats targetingSSH→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→DOCK·More threats targetingDOCKER→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
144.31.233.230	61%	28
64.188.106.84	65%	5
77.239.121.131	35%	1
144.31.62.92	37%	1
144.31.232.195	74%	7

IP Address	Confidence	Events
104.194.158.45	94%	20,655
87.106.147.36	99%	260,778
176.65.132.107	100%	477
165.227.162.221	100%	758
89.163.204.62	88%	80,597