47.98.205.94 — Hangzhou Alibaba Advertising Co.,Ltd., CN — Very High (95%)

Check an IP Address, Domain Name, Subnet, or ASN

47.98.205.94 was found in our database!

Confidence Level

95%

Very High?

Geolocation

🇨🇳

ChinaHangzhou

ISPHangzhou Alibaba Advertising Co.,Ltd.

ASNAS37963

Activity Timeline

First seenJan 21, 2026, 12:02 PM

Last seen1d ago

45Sessions

176Events

Protocol Breakdown

REDIS

45 / 176

47.98.205.94 has a very high threat confidence level of 95%, originating from Hangzhou, China, on the Hangzhou Alibaba Advertising Co.,Ltd. network (37963). It has been observed across 45 sessions targeting REDIS, with detected attack patterns including redis full cron persistence exploitation chain, First observed on January 21, 2026, most recently active March 4, 2026.

Behaviors

Classified behavioral patterns observed

Redis Full Cron Persistence Exploitation Chain

very_high5x

Identifies a complete Redis exploitation workflow where an attacker performs configuration introspection, modifies snapshot directory and filename parameters (CONFIG SET dir, CONFIG SET dbfilename), targets system cron directories (e.g., /etc/cron.d, /etc, crontabs), implants scheduled execution payloads (HTTP pipe-to-shell, wget, root cron variants, or obfuscated droppers), and triggers SAVE to write the malicious cron file to disk. This tightly coupled sequence reflects automated host-level persistence establishment via cron injection through misconfigured or unauthenticated Redis services. The behavior captures filesystem redirection, scheduled execution staging, and persistence activation in a single deterministic chain, strongly associated with botnet propagation and cryptomining campaigns.

Redis Info Command Invocation

info4x

Identifies execution of the Redis INFO command (case-insensitive), which retrieves server configuration, version, memory usage, and runtime statistics. This behavior reflects service interrogation and environment fingerprinting activity. While INFO can be used legitimately by administrators, it is also commonly observed during automated scanning and pre-exploitation reconnaissance of exposed Redis instances.

Primitives

Individual actions observed

Redis Save50 Redis Set System Cron Payload40 Redis Set Cron Backdoor Payload40 Redis Config Set Dbfilename Custom40 Redis Flushall20 Redis Config Set Dir Etc10 Redis Config Set Dir Cron10 Redis Command Introspection10 Redis Config Set Dbfilename10 Redis Set Cron Http Pipe Sh10 Redis Set Cron Wget Pipe Sh10 Redis Config Set Dir Crontabs10 Redis Config Set Dir Etc Cron D10 Redis Config Set Dbfilename Root10 Redis Set Cron Root Http Pipe Sh10 Redis Set Cron Root Wget Pipe Sh10 Redis Config Set Dbfilename Httpgd10 Redis Config Set Dbfilename Crontab10 Redis Cron Set Backup4 Root Wd1 Pipe Sh10 Redis Cron Set Backup3 Root Curl Pipe Sh10

Related Threats

Explore related threat intelligence

🇨🇳More threats fromChina ASMore threats fromHangzhou Alibaba Advertising Co.,Ltd.REDISMore threats targetingREDIS { }Browse allAttack Patterns

WHOIS Lookup

IP Address	Confidence	Events
139.129.13.203	86%	27,384
8.154.2.19	100%	1,012
47.117.89.53	83%	793
47.110.252.174	23%	1
47.104.198.108	33%	115

IP Address	Confidence	Events
14.29.185.29	91%	6
124.71.133.200	82%	13
218.92.212.222	80%	13,684
180.184.178.165	100%	616
14.103.84.166	100%	968