Due to my negligence, I forgot to set a password for the Redis instance I installed two months ago, and I also bound it to the public IP. Today I opened Redis and saw that a crackit field had been injected, and the value was ssh-rsa, but it seems that my root password has not been changed during this period. Does this mean that he just injected the key but did not replace it successfully?
I commented out these three lines just after installing Redis. In theory, the persistent storage function should be turned off. If it is turned off, can he successfully hack my server using this method?
I am asking this question just to confirm whether my server has been successfully hacked by him, because there is important data on my server. Thank you all!
This is to turn off persistence.
Check whether there is anything abnormal in authorized_keys under /root/.ssh.
This vulnerability can only write files through Redis, mainly writing ssh-rsa and then logging in through ssh.
If it is a Lua script executed through Redis, this will not work.
If it is hacked, other backdoors may be left, and then the record of this time will be cleared. This way you won't know you've been hacked.
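An added example (not part of the original thread) of the authorized_keys check suggested above: a file written by Redis is an RDB dump, which begins with the magic string `REDIS` plus a four-digit version and carries binary bytes around any key line. The function name, the `expected_blobs` parameter and the sample bytes are assumptions constructed for illustration.

```python
import re

# Key-type prefixes OpenSSH accepts in authorized_keys.
KEY_TYPES = (b"ssh-rsa", b"ssh-ed25519", b"ssh-dss", b"ecdsa-sha2-", b"sk-")
RDB_MAGIC = re.compile(rb"REDIS\d{4}")  # header of a Redis RDB dump file


def audit_authorized_keys(data, expected_blobs):
    """Return (line_number, reason) findings; line 0 means the whole file."""
    findings = []
    if RDB_MAGIC.search(data):
        findings.append((0, "RDB header present: file was written by Redis"))
    for num, line in enumerate(data.split(b"\n"), start=1):
        line = line.strip()
        if not line or line.startswith(b"#"):
            continue
        # Anything outside printable ASCII (tab allowed) is dump residue.
        if any((b < 0x20 and b != 0x09) or b > 0x7E for b in line):
            findings.append((num, "binary residue"))
            continue
        fields = line.split()
        # Options may precede the key type, so search every field for it.
        idx = next((i for i, f in enumerate(fields) if f.startswith(KEY_TYPES)), None)
        if idx is None or idx + 1 >= len(fields):
            findings.append((num, "not a public key line"))
        elif fields[idx + 1] not in expected_blobs:
            findings.append((num, "key not in expected set"))
    return findings


# Constructed samples; the key blobs are placeholders, not real keys.
EXPECTED = {b"AAAAC3ADMINPLACEHOLDER"}
CLEAN = b"# admin laptop\nssh-ed25519 AAAAC3ADMINPLACEHOLDER admin@example\n"
DUMPED = (
    b"REDIS0006\xfe\x00\x00\x07crackit\x40\x9d\n\n"
    b"ssh-rsa AAAAB3UNKNOWNPLACEHOLDER user@example\n\n"
    b"\xff\x8a\x1c\x03\n"
)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("dumped", DUMPED)):
        print(name, audit_authorized_keys(blob, EXPECTED))
```

Read the real file in binary mode, for example `open("/root/.ssh/authorized_keys", "rb").read()`, and pass the base64 blobs of the keys you installed yourself as `expected_blobs`.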