Looking up IP
Check an IP Address, Domain Name, Subnet, or ASN
94.102.49.155 has a threat confidence score of 100%. This IP address from The Netherlands (AS202425, IP Volume inc) has been observed in 11,046 honeypot sessions targeting HTTPS, MYSQL, MONGODB, REDIS, SSH and 5 other protocols. First observed on January 20, 2026, most recently active April 18, 2026.
Identifies a MongoDB reconnaissance sequence where an actor initiates legacy authentication negotiation using the getnonce command followed by an isMaster topology discovery request that discloses client metadata for the mgo Go driver on a Linux amd64 system. This pattern reflects automated tooling or scripted clients performing server capability validation, authentication workflow testing, and environment fingerprinting prior to further database interaction.
Client first performs a generic request to the Elasticsearch root endpoint to verify service availability, then proceeds to request /_cat/indices. This sequence reflects staged Elasticsearch reconnaissance where the actor validates that the cluster is reachable before attempting index enumeration and data exposure assessment. Compared to direct index enumeration behaviors, the interaction begins with a service-validation step, suggesting adaptive probing rather than immediate Elasticsearch-specific targeting.
FTP session where the client negotiates binary transfer mode, enters extended passive mode (EPSV), and issues an MLSD command to retrieve a machine-readable directory listing.
FTP session where an empty control-channel command is observed in conjunction with non-printable binary data on the control channel. This pattern reflects malformed or non-FTP-compliant input, commonly seen during TLS handshake attempts on plaintext endpoints, protocol confusion, or automated scanner misfires.
Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.
Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration
Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.
HTTP request using GET method.