Check an IP Address, Domain Name, Subnet, or ASN

209.15.113.94 was found in our database!

$ whois 209.15.113.94

country·🇹🇭 Thailand

isp·National Telecom Public Company Limited

asn·AS135566

network·Standard

$ sikker risk 209.15.113.94scoring →

confidence

96%Very High

first_seen·Mar 13, 2026

last_seen·1h ago

sessions·31

events·31

$ sikker protocols 209.15.113.94

REDIS

23 / 23

HTTP

4 / 4

HTTPS

4 / 4

$ sikker summary 209.15.113.94

209.15.113.94 has a threat confidence score of 96%. This IP address from Thailand (AS135566, National Telecom Public Company Limited) has been observed in 31 honeypot sessions targeting REDIS, HTTP, HTTPS protocols. Detected attack patterns include redis cron persistence direct config abuse. First observed on March 13, 2026, most recently active March 20, 2026.

$ sikker behaviors 209.15.113.94catalog →

very_highRedis Cron Persistence Direct Config Abuse4x

Detects direct Redis configuration abuse where an exposed instance is reconfigured to write malicious cron entries (including root-executed variants using curl or wget-style binaries), followed by SAVE/FLUSHALL to persist the cron file to disk. This behavior identifies automated cron-based persistence and recurring remote code execution without requiring prior reconnaissance commands.

infoRedis Info Command Invocation9x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

infoHttp Root Path Request2x

Identifies HTTP requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration.

infoHttps Root Path Request2x

Identifies HTTPS requests targeting the web server root path ("/"), typically used for initial service discovery, host validation, or baseline content inspection prior to deeper enumeration

$ sikker primitives 209.15.113.94

redis_save50 redis_config_set_dbfilename_custom40 redis_flushall20 redis_info_lowercase12 redis_config_set_dir_etc10 redis_config_set_dir_cron10 redis_config_set_dbfilename10 redis_set_cron_http_pipe_sh10 redis_set_cron_wget_pipe_sh10 redis_config_set_dir_crontabs10 redis_config_set_dir_etc_cron_d10 redis_config_set_dbfilename_root10 redis_set_cron_root_http_pipe_sh10 redis_set_cron_root_wget_pipe_sh10 redis_cron_set_backup4_wd1_pipe_sh10 redis_config_set_dbfilename_crontab10 redis_cron_set_backup3_curl_kworker_sh10 redis_cron_set_backup4_root_wd1_pipe_sh10 redis_cron_set_backup3_root_curl_pipe_sh10 redis_config_set_stop_writes_on_bgsave_error10

$ sikker related 209.15.113.94

🇹🇭·More threats fromThailand→AS·More threats fromNational Telecom Public Company Limited→REDI·More threats targetingREDIS→HTTP·More threats targetingHTTP→HTTP·More threats targetingHTTPS→{ }·Browse allAttack Patterns→

Report IP WHOIS Lookup →

IP Address	Confidence	Events
209.15.110.13	100%	7,916
209.15.110.23	100%	7,640
209.15.116.54	79%	46
209.15.115.204	99%	76
209.15.115.188	56%	17

IP Address	Confidence	Events
112.121.151.84	87%	2,097
203.188.229.81	94%	39
150.109.186.71	96%	943
43.173.247.235	96%	826
165.101.64.90	95%	547