Check an IP Address, Domain Name, Subnet, or ASN

91.196.152.151 was found in our database!

$ whois 91.196.152.151

country·🇫🇷 France

city·Roubaix

isp·ONYPHE SAS

asn·AS213412

network·Standard

$ sikker risk 91.196.152.151scoring →

confidence

83%Very High

first_seen·Jan 23, 2026

last_seen·1h ago

first_reported·Mar 3, 2026

last_reported·2d ago

sessions·49

events·76

reports·7

$ sikker protocols 91.196.152.151

FTP

3 / 12 / 2r

SSH

7 / 9 / 1r

HTTP

4 / 8

SIP

6 / 7

REDIS

1 / 6

IMAP

4 / 5

HTTPS

4 / 5

TELNET

3 / 4 / 1r

MONGODB

3 / 4

WINRM

1 / 3

DOCKER

3 / 3

ELASTICSEARCH

3 / 3

SMB

2 / 2 / 1r

MSSQL

2 / 2

RTSP

1 / 1 / 1r

POSTGRES

1 / 1 / 1r

SMTP

1 / 1

$ sikker summary 91.196.152.151

91.196.152.151 has a threat confidence score of 83%. This IP address from France (AS213412, ONYPHE SAS) has been observed in 49 honeypot sessions and reported 7 times targeting FTP, SSH, HTTP, SIP, REDIS and 12 other protocols. First observed on January 23, 2026, most recently active March 23, 2026.

$ sikker behaviors 91.196.152.151catalog →

lowFtp Control Channel Protocol Anomaly1x

FTP session where an empty control-channel command is observed in conjunction with non-printable binary data on the control channel. This pattern reflects malformed or non-FTP-compliant input, commonly seen during TLS handshake attempts on plaintext endpoints, protocol confusion, or automated scanner misfires.

infoHttps Root Path Request2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoHttp Bad Request Route Probe1x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

infoFtp Tls Negotiation And Disconnect1x

FTP session where the client issues AUTH TLS to upgrade the connection to TLS and then terminates the session with QUIT without performing further commands. This reflects minimal interaction limited to encryption negotiation and immediate disconnect, commonly observed in capability testing or automated probing.

$ sikker primitives 91.196.152.151

docker_get_method3 elastic_http_get_request3 https_path_root2 elastic_http_favicon_path_probe2 ftp_control_channel_binary_payload2 ftp_auth_tls1 http_method_get1 ftp_session_quit1 empty_ftp_command1 smtp_ehlo_greeting1 http_path_bad_request1 elastic_http_bad_request_path_probe1

$ sikker reports 91.196.152.151submit →

Showing 5 of 7 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 21, 2026, 04:45	Brute Force	TELNET	SikkerGuard: 2 blocked packets
User	Mar 20, 2026, 22:31	Brute Force	SSH	SikkerGuard: 2 blocked packets
User	Mar 20, 2026, 16:17	Brute Force	FTP	SikkerGuard: 2 blocked packets
User	Mar 20, 2026, 09:58	Brute Force	FTP	SikkerGuard: 2 blocked packets
User	Mar 16, 2026, 04:46	Brute Force	SMB	SikkerGuard: 2 blocked packets

1 / 2

$ sikker related 91.196.152.151

Report IP WHOIS Lookup →

IP Address	Confidence	Events
91.231.89.130	67%	81
91.196.152.193	60%	32
91.196.152.196	50%	21
91.230.168.79	87%	90
91.196.152.239	62%	47

IP Address	Confidence	Events
54.38.41.116	87%	30,068
51.91.168.102	99%	640,072
90.127.73.244	64%	988
161.97.132.79	98%	63,924
80.13.153.140	99%	5,244