Check an IP Address, Domain Name, Subnet, or ASN

136.144.253.66 was found in our database!

$ whois 136.144.253.66

country·🇳🇱 The Netherlands

city·Assendelft

isp·Signet B.V.

asn·AS20857

network·Standard

$ sikker risk 136.144.253.66scoring →

confidence

100%Very High

first_seen·Mar 27, 2026

last_seen·7d ago

sessions·66

events·66

$ sikker protocols 136.144.253.66

REDIS

66 / 66

$ sikker summary 136.144.253.66

136.144.253.66 has a threat confidence score of 100%. This IP address from The Netherlands (AS20857, Signet B.V.) has been observed in 66 honeypot sessions targeting REDIS protocols. Detected attack patterns include redis cron persistence multi variant payload, redis cron persistence direct config abuse. First observed on March 27, 2026, most recently active April 13, 2026.

$ sikker behaviors 136.144.253.66catalog →

very_highRedis Cron Persistence Multi Variant Payload10x

Detects Redis configuration abuse where an exposed instance is reconfigured to write cron entries that execute remote payloads via curl or wget/variant binaries (including root-executed variants), followed by SAVE to persist the malicious cron file to disk. Covers multiple backup job names and pipe-to-shell download techniques used for automated persistence and recurring remote code execution.

very_highRedis Cron Persistence Direct Config Abuse6x

Detects direct Redis configuration abuse where an exposed instance is reconfigured to write malicious cron entries (including root-executed variants using curl or wget-style binaries), followed by SAVE/FLUSHALL to persist the cron file to disk. This behavior identifies automated cron-based persistence and recurring remote code execution without requiring prior reconnaissance commands.

infoRedis Info Command Invocation19x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

$ sikker primitives 136.144.253.66

redis_save128 redis_config_set_dbfilename_custom103 redis_flushall52 redis_info_lowercase37 redis_config_set_dir_etc26 redis_config_set_dir_cron26 redis_config_set_dbfilename26 redis_set_cron_http_pipe_sh26 redis_set_cron_wget_pipe_sh26 redis_config_set_dir_crontabs26 redis_config_set_dbfilename_root26 redis_set_cron_root_http_pipe_sh26 redis_cron_set_backup4_wd1_pipe_sh26 redis_cron_set_backup3_curl_kworker_sh26 redis_cron_set_backup4_root_wd1_pipe_sh26 redis_cron_set_backup3_root_curl_pipe_sh26 redis_config_set_stop_writes_on_bgsave_error26 redis_config_set_dir_etc_cron_d25 redis_set_cron_root_wget_pipe_sh25 redis_config_set_dbfilename_crontab25

$ sikker related 136.144.253.66

🇳🇱·More threats fromThe Netherlands→AS·More threats fromSignet B.V.→REDI·More threats targetingREDIS→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
37.97.223.86	74%	132
149.210.235.123	87%	24
136.144.199.172	91%	6
136.144.178.135	29%	24
37.97.201.75	23%	1

IP Address	Confidence	Events
62.164.177.27	97%	29,697
45.148.10.192	100%	38,895
37.97.223.86	74%	133
45.148.10.183	100%	14,763
204.76.203.206	90%	22,730