Strange public key in authorized_keys

I’m using a Linux VPS as a web server (haproxy+nginx+java+mysql+memcached+redis+solr); for security reasons, I disabled password login and am using a key instead.

These days, I can’t log in to my server. When using the VPS console to log in, I found some strange public keys in /root/.ssh/authorized_keys, and my own public key was removed:

"REDIS0006t^@^@^CqweA<92>
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNTotEB55uRlAS9sKUfT3WyJzq1kGQVVGQk9WPDmjg
c6fvkubd3qRAE1lBQmZ+LjnHSSOcP54EoBTphiL+Lf2pFKkbFNYVGIdJBhRWUIDlm/vIGO4GCLfpPnRz
rw3UsVLUykb68fFJXrPOfGC5Qj16nlrVY6gMO2p1pAmmBqkwPpyxbBkXkBFme3k95wl6Q6MWJLUXAEeT
GuqzMukZHkA15hXxas5AKYRKAwrls9UrUqBXCy7Gp5lnq8m/RI0L8mNseB1hD1Fi/KQqVgwXXmXhjWDQ
qtzqF7Eh2woNhqojSpd9QlOO/LxPMKzgF9cStBcbkaQ5gXoO+zFYL2B/nRp1 root@vultr.guest
^@à^AA<8d>-e
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAND7d7omg6ByhAlAbtb3++0P4clJ4cLCSSAH7CXuM
Y9ENqGVYmdoJSkXJt7uk5HX4ioFkDesuR/Yi6tBx0hKq/AXhfhOX4rS0ESXo83z2dlbo52/bdkEMxwgY
hym+MYcK3jxmnQ+Fy1649otJeidENNhracOPdSekvyIebJTIfcT/4JD46z1anir9M3UD5oa53wBlkyew
VXAWus33SNHrGvns9jCTD0jefclWCNh6MeFITxMIDMErF5Fvz8fPyDuI7AUGt22lYb8I2lhkfQUPruZz
EEdMGaZ/YjhteIao8Ap7Avf55vXHwa7HVbBlwKL7+J7nmpq1X0+RFX6OlktJ yyf
-e
^@^GcrackitABbfilenarmeed iasu-tchloir.iezxeed _-khe y6s0.164.96.208^M
^M
saveconfig set dir /root/.ss^M"

What does that mean? Is a hacker trying to log in to my server?
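The dump above shows the three things a defender would look for when triaging such a file: the RDB header ("REDIS0006") that Redis writes at the start of every dump, binary junk between entries, and which lines still parse as real OpenSSH public keys. The script below is an added example (not code from the question or answer) that performs that triage on the raw bytes of an authorized_keys file. The sample file and both keys in it are constructed: the moduli are arbitrary numbers, not real key material, and the comments "root@vultr.guest" and "yyf" are copied from the question only so the layout matches.

```python
"""Triage a possibly-overwritten authorized_keys file (added example).

Checks for: a Redis RDB header, non-printable bytes between entries,
and which lines still parse as well-formed OpenSSH public keys.
"""
import base64
import json
import re
import struct

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
RDB_MAGIC = re.compile(rb"REDIS\d{4}")      # RDB dumps start with REDIS + 4-digit version
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}


def _ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer (leading 0x00 if the high bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e: int, n: int) -> bytes:
    """Base64 body of an 'ssh-rsa' authorized_keys entry for exponent e and modulus n."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n))


# Constructed stand-in keys: the moduli are arbitrary numbers, not real key material.
KEY_A = make_rsa_blob(65537, (1 << 1023) + 12345)
KEY_B = make_rsa_blob(65537, (1 << 1023) + 67891)

# Constructed file modelled on the dump in the question (same layout, fake keys).
SAMPLE_AUTHORIZED_KEYS = (
    b'"REDIS0006t\x00\x00\x03qweA\x92\n'
    + b"ssh-rsa " + KEY_A + b" root@vultr.guest\n"
    + b"\x00\xe0\x01A\x8d-e\n"
    + b"ssh-rsa " + KEY_B + b" yyf\n"
    + b"-e\n"
    + b"\x00\x07crackit\r\n"
    + b"\r\n"
    + b'saveconfig set dir /root/.ss\r"'
)


def parse_key_line(line: str):
    """Return {type, comment, options} if the line holds a well-formed OpenSSH public key.

    The base64 blob is decoded and its first length-prefixed string must repeat
    the key type, which is how sshd itself recognises an entry; junk never passes.
    """
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            try:
                blob = base64.b64decode(tokens[i + 1], validate=True)
            except ValueError:
                return None
            if len(blob) < 4:
                return None
            (tlen,) = struct.unpack(">I", blob[:4])
            if blob[4:4 + tlen] != tok.encode():
                return None
            return {"type": tok,
                    "comment": " ".join(tokens[i + 2:]),
                    "options": " ".join(tokens[:i])}
    return None


def triage(data: bytes) -> dict:
    """Summarise what is in the raw bytes of an authorized_keys file."""
    text = data.decode("latin-1")            # lossless: every byte maps to one char
    valid, junk = [], 0
    for line in re.split(r"\r?\n", text):
        if not line.strip():
            continue
        key = parse_key_line(line)
        if key:
            valid.append(key)
        else:
            junk += 1                        # a non-empty line that is not a key
    return {
        "rdb_signature": RDB_MAGIC.search(data) is not None,
        "nonprintable_bytes": sum(1 for b in data if b not in PRINTABLE),
        "valid_keys": valid,
        "junk_lines": junk,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_AUTHORIZED_KEYS), indent=2))
```

Run against a real file with `triage(open("/root/.ssh/authorized_keys", "rb").read())`. A true `rdb_signature` together with junk lines is the Redis-written-the-file pattern; the `valid_keys` list then tells you exactly which keys sshd would still accept, and whose comments they carry.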

Answer

Redis is insecure by design, as stated by its developer here.

However, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running.

That page also contains a detailed description of how to rewrite ssh keys and get full access to the system (the result is similar to what OP has). The solution depends on the usage model and may include firewalling, enabling AUTH, and binding to 127.0.0.1.
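The following added example (not from the answer or from the Redis project) audits a redis.conf for the settings the answer names: loopback-only `bind` and a `requirepass` for AUTH. It also checks `protected-mode`, which Redis 3.2 and later use to refuse non-loopback clients when neither `bind` nor `requirepass` is configured. The two configurations at the bottom are constructed, and the password in the hardened one is a placeholder.

```python
"""Audit a redis.conf for the exposure described in the answer (added example)."""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_redis_conf(text: str) -> dict:
    """Map each directive (lower-cased) to the arguments of its LAST occurrence,
    which is the one Redis applies when a directive is repeated."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)          # honours quoted values such as requirepass "a b"
        if parts:
            conf[parts[0].lower()] = parts[1:]
    return conf


def audit_redis_conf(text: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_redis_conf(text)
    findings = []

    binds = conf.get("bind")
    if binds is None:
        findings.append("bind: not set, so Redis listens on every interface")
    else:
        # Redis 7 writes optional addresses with a leading '-'; '*' means all interfaces.
        exposed = [b for b in binds if b.lstrip("-") not in LOOPBACK]
        if exposed:
            findings.append("bind: non-loopback address(es) " + ", ".join(exposed))

    password = conf.get("requirepass", [])
    if not password or not password[0]:
        findings.append("requirepass: not set, so CONFIG SET dir/dbfilename needs no AUTH")

    if [v.lower() for v in conf.get("protected-mode", ["yes"])] == ["no"]:
        findings.append("protected-mode: disabled")

    return findings


# Constructed examples: a weak configuration next to a hardened one.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
"""

HARDENED_CONF = """
bind 127.0.0.1 -::1
protected-mode yes
# placeholder password: use a long random value in a real deployment
requirepass "replace-with-a-long-random-secret"
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(conf) or ["ok"])
```

The firewalling the answer mentions is outside what a config file can show, so it is not checked here; if Redis must be reachable from other hosts, the host firewall rule restricting port 6379 to those hosts is the remaining control to verify.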

User contributions licensed under: CC BY-SA