Check an IP Address, Domain Name, Subnet, or ASN

91.231.89.70 was found in our database!

$ whois 91.231.89.70

country·🇫🇷 France

city·Gravelines

isp·ONYPHE SAS

asn·AS213412

network·Standard

$ sikker risk 91.231.89.70scoring →

confidence

71%High

first_seen·Jan 21, 2026

last_seen·2h ago

sessions·76

events·109

$ sikker protocols 91.231.89.70

IMAP

12 / 18

SSH

11 / 16

FTP

5 / 15

SIP

8 / 8

HTTP

6 / 8

HTTPS

6 / 7

SMB

5 / 6

DOCKER

4 / 6

TELNET

4 / 6

POSTGRES

5 / 5

ELASTICSEARCH

4 / 4

WINRM

1 / 3

MONGODB

1 / 3

RDP

2 / 2

REDIS

2 / 2

$ sikker summary 91.231.89.70

91.231.89.70 has a threat confidence score of 71%. This IP address from France (AS213412, ONYPHE SAS) has been observed in 76 honeypot sessions targeting IMAP, SSH, FTP, SIP, HTTP and 10 other protocols. First observed on January 21, 2026, most recently active April 2, 2026.

$ sikker behaviors 91.231.89.70catalog →

infoHttp Root Path Request2x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoFtp Tls Negotiation And Disconnect2x

FTP session where the client issues AUTH TLS to upgrade the connection to TLS and then terminates the session with QUIT without performing further commands. This reflects minimal interaction limited to encryption negotiation and immediate disconnect, commonly observed in capability testing or automated probing.

infoFtp Tls Upgrade1x

FTP session where the client issues AUTH TLS to upgrade the connection to Transport Layer Security. This reflects protocol-level encryption negotiation prior to further interaction.

infoDocker Invalid Protocol Probe1x

Client repeatedly sends GET requests to the /bad-request Docker API endpoint, indicating malformed or incompatible traffic against the Docker daemon. This pattern is typically associated with generic internet scanning or tools attempting HTTP interaction without speaking the proper Docker API protocol.

$ sikker primitives 91.231.89.70

docker_get_method5 elastic_http_get_request4 mongodb_lsid_present3 ftp_auth_tls2 http_method_get2 https_path_root2 ftp_session_quit2 docker_bad_request_uri2 elastic_root_path_probe2 elastic_http_bad_request_path_probe2 empty_ftp_command1 redis_command_http_connection_close1

$ sikker related 91.231.89.70

Report IP WHOIS Lookup →

IP Address	Confidence	Events
91.230.168.54	52%	22
91.230.168.160	72%	81
91.230.168.38	81%	117
91.231.89.196	76%	92
91.231.89.193	76%	93

IP Address	Confidence	Events
54.38.94.109	98%	53,863
5.39.101.60	100%	64,708
137.74.16.122	96%	220
51.91.168.102	99%	692,891
54.38.41.116	86%	38,089