Redis Set Cron Root Http Pipe Sh

Detects a Redis SET command that implants a system-style cron entry including the root user field and a direct HTTP fetch piped into sh (e.g., cd1 -fsSL http://… | sh). This reflects Redis exploitation where an attacker establishes privileged scheduled execution for repeated remote script retrieval and execution. The inclusion of root indicates targeting of /etc/crontab-style injection, enabling execution with elevated privileges after a subsequent SAVE/BGSAVE. This is strongly associated with automated botnet propagation and host-level persistence via misconfigured or unauthenticated Redis services.

Observed IPs

251

Avg Confidence

85%

Protocol

REDIS

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
180.149.32.80	97%	3,225	490	🇺🇸 US	AS25846	2026-02-09
101.206.108.14	100%	2,558	750	🇨🇳 CN	AS4837	2026-03-05
74.50.81.220	99%	1,231	160	🇺🇸 US	AS19318	2026-03-05
97.74.92.144	87%	1,196	293	🇺🇸 US	AS26496	2026-03-05
182.40.103.253	100%	1,118	165	🇨🇳 CN	AS136195	2026-03-05
157.230.101.158	95%	1,091	333	🇩🇪 DE	AS14061	2026-03-05
64.20.44.213	93%	1,086	74	🇺🇸 US	AS19318	2026-02-07
138.68.169.168	100%	1,026	193	🇬🇧 GB	AS14061	2026-03-05
84.247.137.164	100%	881	107	🇫🇷 FR	AS51167	2026-02-23
143.198.113.180	83%	879	79	🇺🇸 US	AS14061	2026-02-21
139.198.30.179	64%	860	120	🇨🇳 CN	AS59078	2026-03-03
155.212.222.212	90%	824	61	🇷🇺 RU	AS198610	2026-02-04
20.197.32.228	99%	713	171	🇮🇳 IN	AS8075	2026-03-04
14.103.220.97	100%	693	133	🇨🇳 CN	AS4811	2026-03-05
31.210.36.192	92%	645	53	🇹🇷 TR	AS212219	2026-02-24
94.74.84.246	98%	634	83	🇸🇬 SG	AS136907	2026-02-14
125.94.106.113	67%	602	117	🇨🇳 CN	AS4134	2026-03-04
14.103.198.15	100%	598	83	🇨🇳 CN	AS4811	2026-03-04
218.78.131.154	100%	590	201	🇨🇳 CN	AS4812	2026-03-04
20.52.250.139	98%	575	50	🇩🇪 DE	AS8075	2026-02-25