Check an IP Address, Domain Name, Subnet, or ASN

94.26.88.31 was found in our database!

$ whois 94.26.88.31

country·🇧🇬 Bulgaria

isp·MEVSPACE sp. z o.o.

asn·AS201814

network·Standard

$ sikker risk 94.26.88.31scoring →

confidence

100%Very High

first_seen·Jan 20, 2026

last_seen·1d ago

first_reported·Feb 25, 2026

last_reported·Feb 27, 2026

sessions·4,910

events·7,583

reports·2

$ sikker protocols 94.26.88.31

HTTP

4,756 / 7,429 / 2r

HTTPS

154 / 154

$ sikker summary 94.26.88.31

94.26.88.31 has a threat confidence score of 100%. This IP address from Bulgaria (AS201814, MEVSPACE sp. z o.o.) has been observed in 4,910 honeypot sessions and reported 2 times targeting HTTP, HTTPS protocols. Detected attack patterns include https dotenv environment file exposure probe, http git repository config exposure probe. First observed on January 20, 2026, most recently active April 13, 2026.

$ sikker behaviors 94.26.88.31catalog →

highHttps Dotenv Environment File Exposure Probe67x

Identifies an HTTPS request targeting a .env file in the web root or application directory. Access attempts to /.env indicate automated scanning for exposed environment configuration files that may contain application secrets, database credentials, API keys, or cloud tokens. This probe is commonly associated with opportunistic internet-wide scanning for misconfigured web deployments.

highHttp Git Repository Config Exposure Probe25x

Identifies HTTP GET requests targeting /.git/config, indicating attempts to access exposed Git repository configuration files. Successful access may enable repository reconstruction, credential harvesting, or source code disclosure.

mediumHttps Dotgit Repository Configuration Exposure Probe68x

Identifies an HTTPS request targeting the .git/config file within a web-accessible repository directory. Access attempts to /.git/config indicate automated repository exposure scanning intended to retrieve remote origin URLs, repository structure, and potentially credential-bearing configuration data. This is a common reconnaissance technique used to identify misconfigured web servers exposing version control metadata.

infoHttp Http Method Get467x

HTTP request using GET method.

infoHttp Root Path Request467x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

$ sikker primitives 94.26.88.31

http_method_get606 https_path_dotenv69 https_path_dotgit_config68 http_git_head_file_access36 http_path_dotgit_config26 https_path_root3 https_path_dotenv_local2 https_path_robots_txt1 https_path_config_json1 https_path_dotenv_staging1 https_index_php_root_request1 https_path_dotenv_production1 https_path_dotenv_development1

$ sikker reports 94.26.88.31submit →

Showing 2 of 2 reports from 1 contributor

Reporter	Date	Category	Protocol	Comment
User	Feb 27, 2026, 16:07	Brute Force	HTTP	SikkerGuard: 2 blocked packets
User	Feb 25, 2026, 18:45	Brute Force	HTTP	SikkerGuard: 16 blocked packets

$ sikker related 94.26.88.31

🇧🇬·More threats fromBulgaria→AS·More threats fromMEVSPACE sp. z o.o.→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
185.16.39.146	89%	21,322
149.50.107.12	97%	18,152
94.26.88.32	100%	6,736
94.26.68.91	60%	62
95.214.53.42	86%	159

IP Address	Confidence	Events
85.11.167.11	87%	6,723
195.178.110.26	100%	13,548
195.178.110.30	100%	422,184
78.128.112.114	97%	20,344
77.77.8.48	91%	36