I’m using Linux VPS as a web server (haproxy+nginx+java+mysql+memcached+redis+solr), for security reason, I disabled password login and using key instead.
These days, I can’t login to my server, when using VPS console to login, I found some strange public key in the /root/.ssh/authroized_keys, and my own public key was removed:
"REDIS0006t^@^@^CqweA<92> ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNTotEB55uRlAS9sKUfT3WyJzq1kGQVVGQk9WPDmjg c6fvkubd3qRAE1lBQmZ+LjnHSSOcP54EoBTphiL+Lf2pFKkbFNYVGIdJBhRWUIDlm/vIGO4GCLfpPnRz rw3UsVLUykb68fFJXrPOfGC5Qj16nlrVY6gMO2p1pAmmBqkwPpyxbBkXkBFme3k95wl6Q6MWJLUXAEeT GuqzMukZHkA15hXxas5AKYRKAwrls9UrUqBXCy7Gp5lnq8m/RI0L8mNseB1hD1Fi/KQqVgwXXmXhjWDQ qtzqF7Eh2woNhqojSpd9QlOO/LxPMKzgF9cStBcbkaQ5gXoO+zFYL2B/nRp1 root@vultr.guest ^@à^AA<8d>-e ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAND7d7omg6ByhAlAbtb3++0P4clJ4cLCSSAH7CXuM Y9ENqGVYmdoJSkXJt7uk5HX4ioFkDesuR/Yi6tBx0hKq/AXhfhOX4rS0ESXo83z2dlbo52/bdkEMxwgY hym+MYcK3jxmnQ+Fy1649otJeidENNhracOPdSekvyIebJTIfcT/4JD46z1anir9M3UD5oa53wBlkyew VXAWus33SNHrGvns9jCTD0jefclWCNh6MeFITxMIDMErF5Fvz8fPyDuI7AUGt22lYb8I2lhkfQUPruZz EEdMGaZ/YjhteIao8Ap7Avf55vXHwa7HVbBlwKL7+J7nmpq1X0+RFX6OlktJ yyf -e ^@^GcrackitABbfilenarmeed iasu-tchloir.iezxeed _-khe y6s0.164.96.208^M ^M saveconfig set dir /root/.ss^M"
What does that mean? is any hacker try to login my server?
Advertisement
Answer
Redis is insecure by design, as stated by its developer here.
However, the ability to control the server configuration using the CONFIG command makes the client able to change the working directory of the program and the name of the dump file. This allows clients to write RDB Redis files at random paths, that is a security issue that may easily lead to the ability to run untrusted code as the same user as Redis is running.
That page also contains a detailed description how to rewrite ssh keys and get full access to the system (the result is similar to what OP has). The solution depends on usage model and may include firewalling, enabling AUTH and binding to 127.0.0.1.