91.231.89.2 — ONYPHE SAS, FR — High (63%)

Check an IP Address, Domain Name, Subnet, or ASN

91.231.89.2 was found in our database!

Confidence Level

63%

High?

Geolocation

🇫🇷

FranceGravelines

ISPONYPHE SAS

ASNAS213412

Activity Timeline

First seenJan 20, 2026, 07:08 PM

Last seen1h ago

44Sessions

70Events

Protocol Breakdown

SSH

6 / 9

SMTP

5 / 9

IMAP

6 / 8

SIP

6 / 7

REDIS

1 / 7

HTTP

3 / 6

DOCKER

4 / 6

SMB

3 / 4

RTSP

2 / 4

MONGODB

1 / 3

POSTGRES

3 / 3

FTP

1 / 1

HTTPS

1 / 1

MSSQL

1 / 1

ELASTICSEARCH

1 / 1

91.231.89.2 has a high threat confidence level of 63%, originating from Gravelines, France, on the ONYPHE SAS network (213412). It has been observed across 44 sessions targeting SSH, SMTP, IMAP, SIP, REDIS and 10 other protocols, First observed on January 20, 2026, most recently active March 5, 2026.

Behaviors

Classified behavioral patterns observed

Rtsp Options Probe

low1x

Client sends RTSP OPTIONS requests to check supported methods and confirm that an RTSP service is exposed, then disconnects without attempting authentication or stream setup. This pattern is typically associated with automated reconnaissance or internet-wide scanning rather than active stream access.

Smtp Tls Capability Probe

info2x

Automated SMTP interaction performing a minimal capability check by issuing EHLO followed by a STARTTLS upgrade request and immediately terminating the session. This pattern is commonly associated with internet-wide scanners, security research crawlers, or opportunistic bots verifying whether an SMTP service supports encrypted communication. The absence of authentication attempts or message submission indicates reconnaissance or service fingerprinting rather than active abuse.

Docker Invalid Protocol Probe

info1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

Primitives

Individual actions observed

Smtp Ehlo Greeting5 Smtp Starttls Upgrade Request5 Rtsp Options4 Docker Get Method3 Mongodb Lsid Present3 Http Method Get2 Docker Bad Request Uri1 Elastic Root Path Probe1 Elastic Http Get Request1

Related Threats

Explore related threat intelligence

WHOIS Lookup

IP Address	Confidence	Events
91.231.89.220	57%	43
91.231.89.219	69%	57
91.231.89.25	74%	62
91.231.89.216	81%	101
91.230.168.123	66%	71

IP Address	Confidence	Events
5.39.101.60	100%	10,205
51.91.168.102	99%	517,099
51.83.143.139	90%	48,393
161.97.132.79	98%	56,022
79.137.76.231	100%	324