Redis Config Set Dbfilename Custom

Detects a Redis CONFIG SET dbfilename <name> command where the RDB snapshot filename is changed to a custom value (e.g., zzh). This behavior is commonly observed during Redis exploitation chains, where an attacker first modifies the working directory (e.g., to /etc/cron.d, /root/.ssh/, or /var/spool/cron/) and then changes the dump filename so that a subsequent SAVE or BGSAVE writes attacker-controlled content to a sensitive path. On its own, changing dbfilename indicates preparatory filesystem manipulation. In sequence with CONFIG SET dir and SAVE, it strongly signals an attempt to achieve persistence or privilege escalation via cron job injection or SSH authorized_keys overwrite.

Observed IPs

483

Avg Confidence

74%

Protocol

REDIS

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
46.19.137.194	97%	22,609	9,136	🇨🇭 CH	AS51852	2026-03-05
183.56.243.176	89%	5,448	365	🇨🇳 CN	AS135089	2026-03-05
36.112.94.94	84%	4,158	2,244	🇨🇳 CN	AS4847	2026-02-26
180.149.32.80	97%	3,225	490	🇺🇸 US	AS25846	2026-02-09
101.206.108.14	100%	2,548	740	🇨🇳 CN	AS4837	2026-03-05
9.169.195.91	79%	2,076	213	🇺🇸 US	AS8075	2026-02-18
221.130.29.85	88%	1,684	593	🇨🇳 CN	AS56046	2026-03-04
14.116.219.149	85%	1,399	376	🇨🇳 CN	AS58466	2026-03-04
74.50.81.220	99%	1,231	160	🇺🇸 US	AS19318	2026-03-05
97.74.92.144	87%	1,196	293	🇺🇸 US	AS26496	2026-03-05
182.40.103.253	100%	1,114	161	🇨🇳 CN	AS136195	2026-03-05
64.20.44.213	93%	1,086	74	🇺🇸 US	AS19318	2026-02-07
157.230.101.158	77%	1,082	324	🇩🇪 DE	AS14061	2026-03-05
138.68.169.168	100%	1,026	193	🇬🇧 GB	AS14061	2026-03-05
121.30.192.44	77%	924	304	🇨🇳 CN	AS4837	2026-03-05
113.214.18.234	100%	902	363	🇨🇳 CN	AS24139	2026-03-04
84.247.137.164	100%	881	107	🇫🇷 FR	AS51167	2026-02-23
143.198.113.180	83%	879	79	🇺🇸 US	AS14061	2026-02-21
139.198.30.179	64%	860	120	🇨🇳 CN	AS59078	2026-03-03
39.105.202.192	84%	828	283	🇨🇳 CN	AS37963	2026-03-04

Loading threats