Redis (Remote Dictionary Server) is a non-relational database management system for storing and managing unstructured data in a key-value structure. Unstructured data is raw data that cannot be filtered without a fixed format, and it includes various formats like web logs, XML, JSON, images, texts, audio and video files, and more.
Redis supports asynchronous replication, which has the advantage of maintaining copies of the same data on multiple servers. Therefore, should the main server fail, requests are distributed to multiple servers to quickly enable improved read and recovery of the main server. For this reason, it is a system used by many people.
Hacked Redis Server Spreading Coin Mining Malicious Code
This article describes a case where an attacker accessed a server running Redis service with insufficient authentication and infected it as a bitcoin miner.
In order to identify externally exposed Redis products, you can obtain information on a total of 26,373 exposed Redis servers by searching “product:redis” on Criminal IP Asset Search.
Search Query: “product: redis”

If you look at the countries, we can see that China uses the most exposed Redis systems.

Exposed Redis Server With Insufficient Authentication
If you access the Redis service activated with redis_cli [target_ip], the following notice is shown if authentication is enabled.
“(error) NOAUTH Authentication required”
!["[ERROR] NOAUTH Authentication required" Notice Shown on Safe Redis Server](https://i0.wp.com/blog.criminalip.io/wp-content/uploads/2022/11/노출된-Redis-서버_3.png?resize=367%2C182&ssl=1)
However, if there is no authentication, the server can be accessed immediately, as shown in the image below. Exposed data can be checked through “keys *”.

Exposed Redis Server Infected by Monero Coin Mining Malicious Code
From accessing the server data, we found a common suspicious pattern that all led to “cleanfda”

After searching the details of the exposed domain on Criminal IP Domain Search, we can confirm that the domain was written by the bash shell script.


If you access the URL and inspect the bash shell script closely, we can see that Monero coin mining script is running on this server.

How to Prevent Redis Server From Being Hacked
To prevent operating Redis servers from being exploited for coin mining, server administrators set security settings as follows:
- Disable the use of default IP when binding Redis service on Docker (Not 0.0.0.0 but 127.0.0.1)
- Check firewall settings to block suspicious IPs from accessing and make sure that authenticated users are white-listed
- Periodically check the Redis server is not exposed and the authentication is not missing through Criminal IP
Please refer to our search tip article on detecting exposed Redis commander and analysis article on cryptocurrency mining malicious code.
데이터 출처 : Criminal IP(https://www.criminalip.io/)
관련 글 :
Leave a Reply