Identifies Redis configuration abuse where an attacker modifies dir and dbfilename to write a malicious cron job to system cron directories, disables write protections, saves the database to disk, and achieves persistence via scheduled command execution (often using wget/curl pipe-to-sh patterns).

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.