Redis Config Cron Persistence Via Save

Identifies Redis configuration abuse where an attacker modifies dir and dbfilename to write a malicious cron job to system cron directories, disables write protections, saves the database to disk, and achieves persistence via scheduled command execution (often using wget/curl pipe-to-sh patterns).

Observed IPs

Avg Confidence

92%

Severity

critical

Top IPs by event countREDIS

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
114.80.35.241	99%	529	186	🇨🇳 CN	AS4811	2026-03-05
106.227.11.236	99%	499	111	🇨🇳 CN	AS134238	2026-03-05
106.75.241.127	99%	215	47	🇨🇳 CN	AS17621	2026-03-05
123.56.141.52	95%	190	48	🇨🇳 CN	AS37963	2026-02-26
39.107.103.199	96%	176	26	🇨🇳 CN	AS37963	2026-03-04
101.200.120.136	87%	144	16	🇨🇳 CN	AS37963	2026-02-03
8.142.178.14	96%	135	29	🇨🇳 CN	AS37963	2026-03-05
106.15.64.156	88%	133	35	🇨🇳 CN	AS37963	2026-03-05
8.140.150.7	94%	105	47	🇨🇳 CN	AS37963	2026-03-04
39.107.95.100	95%	95	34	🇨🇳 CN	AS37963	2026-03-02
47.236.24.189	95%	72	48	🇸🇬 SG	AS45102	2026-03-04
36.135.17.52	76%	44	10	🇨🇳 CN	AS134810	2026-03-05
47.97.229.80	75%	24	18	🇨🇳 CN	AS37963	2026-03-03