Check an IP Address, Domain Name, Subnet, or ASN

159.89.119.50 was found in our database!

$ whois 159.89.119.50

country·🇨🇦 Canada

city·Toronto

isp·DigitalOcean, LLC

asn·AS14061

network·Standard

$ sikker risk 159.89.119.50scoring →

confidence

92%Very High

first_seen·Feb 27, 2026

last_seen·1h ago

sessions·21

events·21

$ sikker protocols 159.89.119.50

REDIS

11 / 11

HTTP

4 / 4

HTTPS

2 / 2

IMAP

1 / 1

SMTP

1 / 1

MONGODB

1 / 1

POSTGRES

1 / 1

$ sikker summary 159.89.119.50

159.89.119.50 has a threat confidence score of 92%. This IP address from Canada (AS14061, DigitalOcean, LLC) has been observed in 21 honeypot sessions targeting REDIS, HTTP, HTTPS, IMAP, SMTP and 2 other protocols. Detected attack patterns include redis cron persistence direct config abuse. First observed on February 27, 2026, most recently active April 26, 2026.

$ sikker behaviors 159.89.119.50catalog →

very_highRedis Cron Persistence Direct Config Abuse2x

Detects direct Redis configuration abuse where an exposed instance is reconfigured to write malicious cron entries (including root-executed variants using curl or wget-style binaries), followed by SAVE/FLUSHALL to persist the cron file to disk. This behavior identifies automated cron-based persistence and recurring remote code execution without requiring prior reconnaissance commands.

infoHttp Root Path Request3x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttp Http Method Get2x

HTTP request using GET method.

infoHttp Fetch Robots Txt1x

HTTP GET request to /robots.txt.

infoHttps Root Path Request1x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

infoSmtp Tls Capability Probe1x

Automated SMTP interaction performing a minimal capability check by issuing EHLO followed by a STARTTLS upgrade request and immediately terminating the session. This pattern is commonly associated with internet-wide scanners, security research crawlers, or opportunistic bots verifying whether an SMTP service supports encrypted communication. The absence of authentication attempts or message submission indicates reconnaissance or service fingerprinting rather than active abuse.

$ sikker primitives 159.89.119.50

redis_save15 redis_config_set_dbfilename_custom12 redis_flushall6 http_method_get3 redis_config_set_dir_etc3 redis_config_set_dir_cron3 redis_config_set_dbfilename3 redis_set_cron_http_pipe_sh3 redis_set_cron_wget_pipe_sh3 redis_config_set_dir_crontabs3 redis_config_set_dir_etc_cron_d3 redis_config_set_dbfilename_root3 redis_set_cron_root_http_pipe_sh3 redis_set_cron_root_wget_pipe_sh3 redis_cron_set_backup4_wd1_pipe_sh3 redis_config_set_dbfilename_crontab3 redis_cron_set_backup3_curl_kworker_sh3 redis_cron_set_backup4_root_wd1_pipe_sh3 redis_cron_set_backup3_root_curl_pipe_sh3 redis_config_set_stop_writes_on_bgsave_error3

$ sikker related 159.89.119.50

🇨🇦·More threats fromCanada→AS·More threats fromDigitalOcean, LLC→REDI·More threats targetingREDIS→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→IMAP·More threats targetingIMAP→SMTP·More threats targetingSMTP→MONG·More threats targetingMONGODB→POST·More threats targetingPOSTGRES→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
134.209.148.26	23%	1
157.245.61.162	36%	1
168.144.32.172	85%	284
142.93.145.126	95%	2,317
161.35.209.125	84%	69

IP Address	Confidence	Events
20.116.232.29	100%	330
66.179.10.139	97%	663
72.251.5.157	82%	2,041
149.56.155.187	97%	9,574
20.175.198.186	99%	156