Redis Set Cron Wget Pipe Sh

Detects a Redis SET command that writes a cron-formatted entry (*/<n> * * * *) invoking wget -q -O- <url> | sh. This reflects Redis exploitation where an attacker implants a scheduled task that silently downloads a remote shell script and immediately pipes it into sh for execution. The -q -O- combination is characteristic of automated botnet droppers, enabling non-interactive retrieval and direct execution without writing the payload to disk first. This behavior indicates persistence establishment and remote command staging on a host with an exposed or misconfigured Redis service.

Observed IPs

250

Avg Confidence

85%

Protocol

REDIS

Top IPs by event count

IP Address	Risk	Events	Sessions	Country	ASN	Last Seen
180.149.32.80	97%	3,225	490	🇺🇸 US	AS25846	2026-02-09
101.206.108.14	100%	2,557	749	🇨🇳 CN	AS4837	2026-03-05
74.50.81.220	99%	1,231	160	🇺🇸 US	AS19318	2026-03-05
97.74.92.144	87%	1,196	293	🇺🇸 US	AS26496	2026-03-05
182.40.103.253	100%	1,118	165	🇨🇳 CN	AS136195	2026-03-05
157.230.101.158	95%	1,091	333	🇩🇪 DE	AS14061	2026-03-05
64.20.44.213	93%	1,086	74	🇺🇸 US	AS19318	2026-02-07
138.68.169.168	100%	1,026	193	🇬🇧 GB	AS14061	2026-03-05
84.247.137.164	100%	881	107	🇫🇷 FR	AS51167	2026-02-23
143.198.113.180	83%	879	79	🇺🇸 US	AS14061	2026-02-21
139.198.30.179	64%	860	120	🇨🇳 CN	AS59078	2026-03-03
155.212.222.212	90%	824	61	🇷🇺 RU	AS198610	2026-02-04
20.197.32.228	99%	713	171	🇮🇳 IN	AS8075	2026-03-04
14.103.220.97	100%	693	133	🇨🇳 CN	AS4811	2026-03-05
31.210.36.192	92%	645	53	🇹🇷 TR	AS212219	2026-02-24
94.74.84.246	98%	634	83	🇸🇬 SG	AS136907	2026-02-14
125.94.106.113	67%	602	117	🇨🇳 CN	AS4134	2026-03-04
14.103.198.15	100%	598	83	🇨🇳 CN	AS4811	2026-03-04
218.78.131.154	100%	590	201	🇨🇳 CN	AS4812	2026-03-04
20.52.250.139	98%	575	50	🇩🇪 DE	AS8075	2026-02-25

Loading threats