Sets a Redis-backed cron entry named `backup3` that runs every 4 minutes. The entry fetches a remote payload from `http://*.*.*.*/plugins-dist/safehtml/lang/font/kworker` using `curl -fsSL` and immediately pipes it to `sh` for execution, indicating automated remote code execution and persistence via cron.

| IP Address | Risk | Events | Sessions | Country | ASN | Last Seen |
|---|---|---|---|---|---|---|
| 97.74.92.144 | 100% | 1,792 | 854 | 🇺🇸 US | AS26496 | 2026-04-19 |
| 157.230.101.158 | 100% | 1,529 | 771 | 🇩🇪 DE | AS14061 | 2026-04-19 |
| 74.50.81.220 | 100% | 1,285 | 214 | 🇺🇸 US | AS19318 | 2026-03-31 |
| 138.68.169.168 | 100% | 1,047 | 214 | 🇬🇧 GB | AS14061 | 2026-03-09 |
| 84.247.137.164 | 100% | 881 | 107 | 🇫🇷 FR | AS51167 | 2026-02-23 |
| 143.198.113.180 | 83% | 879 | 79 | 🇺🇸 US | AS14061 | 2026-02-21 |
| 20.197.32.228 | 100% | 738 | 196 | 🇮🇳 IN | AS8075 | 2026-03-09 |
| 31.210.36.192 | 92% | 645 | 53 | 🇹🇷 TR | AS212219 | 2026-02-24 |
| 20.52.250.139 | 98% | 575 | 50 | 🇩🇪 DE | AS8075 | 2026-02-25 |
| 157.245.229.234 | 100% | 353 | 353 | 🇺🇸 US | AS14061 | 2026-04-19 |
| 20.235.199.173 | 96% | 331 | 128 | 🇮🇳 IN | AS8075 | 2026-04-17 |
| 20.175.205.56 | 100% | 303 | 303 | 🇨🇦 CA | AS8075 | 2026-04-18 |
| 20.175.198.133 | 100% | 280 | 278 | 🇨🇦 CA | AS8075 | 2026-04-17 |
| 61.240.139.28 | 100% | 271 | 271 | 🇨🇳 CN | AS4837 | 2026-04-19 |
| 49.7.204.85 | 100% | 248 | 248 | 🇨🇳 CN | AS23724 | 2026-04-19 |
| 161.35.120.3 | 100% | 244 | 244 | 🇺🇸 US | AS14061 | 2026-03-21 |
| 85.239.245.254 | 67% | 241 | 41 | 🇺🇸 US | AS40021 | 2026-03-03 |
| 20.116.232.29 | 99% | 237 | 235 | 🇨🇦 CA | AS8075 | 2026-04-18 |
| 114.113.235.163 | 100% | 215 | 215 | 🇨🇳 CN | AS4808 | 2026-04-19 |
| 20.207.238.171 | 100% | 211 | 211 | 🇮🇳 IN | AS8075 | 2026-04-18 |