Redis (Remote Dictionary Server) is a BSD-licensed open-source project created by Salvatore Sanfilippo in 2009. It is a key-value store: data is stored against a key and queried by that key. Because Redis keeps its data in memory, it operates much faster than a conventional disk-based database, and it is often preferred over alternatives because it natively supports data types such as Hashes, Lists, and Sets. It is typically used to hold result caches and working data in systems that process large volumes of messages in real time, such as Facebook, Instagram, and Tumblr, and it also serves as the data store for small services that need fast response times.

Data Breach Possibility From Exposed Redis Commander

Redis Commander is a Node.js web application used to manage databases stored on Redis servers. It is a GUI tool that allows web-based editing of every Redis data type, with autocomplete and document import/export features that make it convenient for developers. Conversely, the same convenience makes it an effective remote data theft tool for attackers when it is exposed to the internet without authentication: an externally exposed Redis Commander gives unauthorized users control over every database behind it, which can lead to a very serious data breach.

How to Find Redis Commander Servers Through the Favicon Filter

Criminal IP’s favicon filter is a feature that allows you to look up IP addresses by searching for a website’s favicon hash. Searching for the favicon hash of Redis Commander with this feature yielded 211 IP addresses in total.

favicon: -32e1326

Result of searching “favicon: -32e1326” in Criminal IP’s Asset Search

Clicking on one of the IPs in the Redis Commander server search results will take you to the actual Redis Commander server page. Some servers expose sensitive information, such as a specific user’s token and login cookie values, without any authentication.

Key data in the Redis database exposed to the unprotected internet

How to Find Redis Commander Servers Through the Title Filter

It’s also possible to find Redis Commander server IPs using the title filter. Criminal IP’s title filter searches the title of a webpage and shows IP addresses whose titles match the keywords users searched for.

[Criminal IP Search 101 – How to Find Vulnerable Redis Commander Servers]

Searching for “title: Redis Commander” in the Criminal IP Asset Search returns a total of 384 IP addresses running Redis Commander servers.

title: Redis Commander

Search results for title: Redis Commander on Asset Search

This server also includes a page where the data stored as hash values can be viewed and updated, again without any authentication.

Data storage servers exposed on the unprotected internet without means of authentication

When Redis Commander servers are left unattended and exposed, the databases behind them can be controlled by unauthorized users. Among the various kinds of Redis data, page cookies and user login credentials are the ones most often leaked, as seen in the cases above. If a malicious actor obtains an admin cookie, they can replay it to gain administrator access to that Redis Commander page.

Neglected Redis Commander servers, therefore, can be the root cause of serious data leaks and hacking incidents. For more information about this issue, see API Key, a Key to Credential Leakage & Manipulation.
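As an added check for administrators (example code written for this article, not code from Criminal IP or from the Redis Commander project), the script below classifies an HTTP response from a host you administer as an exposed Redis Commander instance or not. It assumes that an unprotected instance serves its UI with HTTP 200 and a page title containing “Redis Commander” (the same title the title filter above matches on) and that an instance behind HTTP authentication answers 401; the hosts and responses in `SAMPLES` are constructed, and `live_check` is the only function that touches the network.

```python
"""
Exposure check for Redis Commander instances.

Added example for this article; it is not Criminal IP's code and not part of
Redis Commander. Assumptions: an unprotected instance serves its UI with HTTP
200 and a <title> containing "Redis Commander"; an instance behind HTTP
authentication answers 401. The sample responses below are constructed.
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass

TITLE_RE = re.compile(r"<title>(.*?)</title>", re.IGNORECASE | re.DOTALL)


@dataclass
class Finding:
    host: str
    status: int
    title: str
    exposed: bool
    reason: str


def extract_title(body: str) -> str:
    """Return the <title> text of an HTML body, or '' if there is none."""
    match = TITLE_RE.search(body)
    return match.group(1).strip() if match else ""


def classify(host: str, status: int, body: str) -> Finding:
    """Decide whether a response shows Redis Commander reachable without login."""
    title = extract_title(body)
    if status in (401, 403):
        return Finding(host, status, title, False, "access requires authentication")
    if status == 200 and "redis commander" in title.lower():
        return Finding(host, status, title, True,
                       "Redis Commander UI served without credentials")
    if status == 200:
        return Finding(host, status, title, False, "no Redis Commander title")
    return Finding(host, status, title, False, f"unexpected status {status}")


# Constructed sample responses (host -> (HTTP status, body)); 192.0.2.0/24 is
# the documentation range, so these are not real hosts.
SAMPLES = {
    "192.0.2.10:8081": (200, "<html><head><title>Redis Commander</title></head>"
                             "<body>keys...</body></html>"),
    "192.0.2.11:8081": (401, "Unauthorized"),
    "192.0.2.12:8081": (200, "<html><head><title>Internal wiki</title></head></html>"),
}


def audit(samples=SAMPLES):
    """Classify every sample and return the findings, exposed ones first."""
    findings = [classify(h, s, b) for h, (s, b) in samples.items()]
    return sorted(findings, key=lambda f: not f.exposed)


def live_check(url: str, timeout: float = 5.0) -> Finding:
    """Fetch one URL you administer and classify the response (no sample data)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return classify(url, resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        return classify(url, err.code, err.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    for f in audit():
        print(f"{f.host:20} {f.status} exposed={f.exposed} ({f.reason}) title={f.title!r}")
```

Run it against your own Redis Commander URL after deployment; `exposed=True` means the UI answered with its full page and no credential prompt. The fix is to put authentication in front of it (Redis Commander’s `--http-auth-username` and `--http-auth-password` options enable HTTP authentication) and to bind both Redis Commander and the Redis server itself to a loopback or internal address so they never appear in a favicon or title search in the first place.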

Open-source services are popular because their low cost and low skill barrier make them easy to adopt. That same openness is also their weakness: when proper management and regular inspection are missing, an openly deployed program is an easy target for malicious attackers. Server administrators therefore need to pay special attention to these services and carry out periodic security checks on their attack surface.

Please refer to our article Vulnerable Jenkins Servers regarding detecting exposed open-source servers.

Source : Criminal IP (https://www.criminalip.io)

Related Article(s) : https://blog.criminalip.io/2022/07/20/api-key-leak/