Check an IP Address, Domain Name, Subnet, or ASN

91.231.89.141 was found in our database!

$ whois 91.231.89.141

country·🇫🇷 France

city·Gravelines

isp·ONYPHE SAS

asn·AS213412

network·Standard

$ sikker risk 91.231.89.141scoring →

confidence

80%Very High

first_seen·Jan 21, 2026

last_seen·45m ago

first_reported·Mar 3, 2026

last_reported·11h ago

sessions·56

events·77

reports·3

$ sikker protocols 91.231.89.141

FTP

3 / 13

SSH

9 / 13

SMTP

7 / 8

DOCKER

3 / 5 / 3r

ELASTICSEARCH

6 / 6

SIP

4 / 5

IMAP

3 / 5

POSTGRES

4 / 5

SMB

4 / 4

HTTP

4 / 4

TELNET

4 / 4

REDIS

3 / 3

RTSP

1 / 1

HTTPS

1 / 1

$ sikker summary 91.231.89.141

91.231.89.141 has a threat confidence score of 80%. This IP address from France (AS213412, ONYPHE SAS) has been observed in 56 honeypot sessions and reported 3 times targeting FTP, SSH, SMTP, DOCKER, ELASTICSEARCH and 9 other protocols. First observed on January 21, 2026, most recently active March 17, 2026.

$ sikker behaviors 91.231.89.141catalog →

lowRtsp Options Probe1x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

lowFtp Control Channel Protocol Anomaly1x

FTP session where an empty control-channel command is observed in conjunction with non-printable binary data on the control channel. This pattern reflects malformed or non-FTP-compliant input, commonly seen during TLS handshake attempts on plaintext endpoints, protocol confusion, or automated scanner misfires.

infoSmtp Tls Capability Probe1x

Automated SMTP interaction performing a minimal capability check by issuing EHLO followed by a STARTTLS upgrade request and immediately terminating the session. This pattern is commonly associated with internet-wide scanners, security research crawlers, or opportunistic bots verifying whether an SMTP service supports encrypted communication. The absence of authentication attempts or message submission indicates reconnaissance or service fingerprinting rather than active abuse.

$ sikker primitives 91.231.89.141

elastic_http_get_request6 docker_get_method3 ftp_control_channel_binary_payload3 elastic_http_bad_request_path_probe3 http_method_get2 empty_ftp_command2 smtp_ehlo_greeting2 elastic_root_path_probe2 redis_command_http_connection_close2 rtsp_options1 http_path_bad_request1 smtp_starttls_upgrade_request1 elastic_http_favicon_path_probe1

$ sikker reports 91.231.89.141submit →

Showing 3 of 3 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Mar 17, 2026, 09:08	Brute Force	DOCKER	SikkerGuard: 2 blocked packets
User	Mar 10, 2026, 17:53	Brute Force	DOCKER	SikkerGuard: 2 blocked packets
User	Mar 3, 2026, 12:10	Brute Force	DOCKER	SikkerGuard: 2 blocked packets

$ sikker related 91.231.89.141

Report IP WHOIS Lookup →

IP Address	Confidence	Events
91.230.168.169	74%	71
91.230.168.172	71%	78
91.196.152.228	66%	66
91.196.152.159	78%	81
94.231.206.8	76%	157

IP Address	Confidence	Events
54.38.41.116	87%	16,939
51.91.168.102	99%	610,137
138.124.31.169	26%	32
92.205.56.196	100%	683
51.83.143.139	90%	65,903