Check an IP Address, Domain Name, Subnet, or ASN

91.230.168.109 was found in our database!

$ whois 91.230.168.109

country·🇺🇸 United States

city·Hillsboro

isp·ONYPHE SAS

asn·AS213412

network·Standard

$ sikker risk 91.230.168.109scoring →

confidence

73%High

first_seen·Jan 20, 2026

last_seen·1h ago

sessions·58

events·98

$ sikker protocols 91.230.168.109

SIP

6 / 17

SSH

9 / 15

HTTP

11 / 15

SMTP

4 / 10

REDIS

2 / 8

HTTPS

4 / 6

SMB

5 / 5

IMAP

3 / 4

DOCKER

4 / 4

MONGODB

1 / 3

RTSP

2 / 2

MSSQL

2 / 2

TR069

1 / 2

WINRM

1 / 2

ELASTICSEARCH

2 / 2

TELNET

1 / 1

$ sikker summary 91.230.168.109

91.230.168.109 has a threat confidence score of 73%. This IP address from United States (AS213412, ONYPHE SAS) has been observed in 58 honeypot sessions targeting SIP, SSH, HTTP, SMTP, REDIS and 11 other protocols. First observed on January 20, 2026, most recently active March 17, 2026.

$ sikker behaviors 91.230.168.109catalog →

infoHttp Root Path Request5x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoSmtp Tls Capability Probe3x

Automated SMTP interaction performing a minimal capability check by issuing EHLO followed by a STARTTLS upgrade request and immediately terminating the session. This pattern is commonly associated with internet-wide scanners, security research crawlers, or opportunistic bots verifying whether an SMTP service supports encrypted communication. The absence of authentication attempts or message submission indicates reconnaissance or service fingerprinting rather than active abuse.

infoDocker Invalid Protocol Probe2x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoHttp Bad Request Route Probe1x

Identifies HTTP GET requests directly targeting the /bad-request path, indicating automated or manual probing of application error-handling routes rather than legitimate navigation flow.

$ sikker primitives 91.230.168.109

smtp_ehlo_greeting9 smtp_starttls_upgrade_request9 http_method_get6 docker_get_method5 mongodb_lsid_present3 docker_bad_request_uri3 elastic_http_get_request2 rtsp_options1 https_path_root1 http_path_bad_request1 elastic_http_favicon_path_probe1 elastic_http_bad_request_path_probe1

$ sikker related 91.230.168.109

Report IP WHOIS Lookup →

IP Address	Confidence	Events
91.196.152.149	70%	58
91.196.152.146	64%	77
94.231.206.35	71%	132
94.231.206.108	74%	175
91.231.89.133	51%	70

IP Address	Confidence	Events
142.93.60.252	95%	56
18.218.118.203	100%	29,011
87.121.84.76	91%	862
184.170.245.145	41%	286
3.129.187.38	100%	26,669