Redis server wrote suspicious module file


Goal

A potentially malicious Redis module has been saved.

Strategy

One of the primary methods for compromising vulnerable Redis deployments is to use the SLAVEOF command (now renamed to REPLICAOF) to change the replication settings of a Redis instance so that it joins an attacker-controlled Redis cluster. From there, the attacker uses Redis cluster replication to push a malicious Redis module to the compromised node, and loading that module gives the attacker command execution on the compromised Redis instance.

Triage and response

  1. Determine if the Redis module is authorized on the host.
  2. If the activity is not authorized, verify whether the instance has been joined to an attacker-controlled cluster by running the CLUSTER INFO command.
  3. If the instance has been compromised, initiate incident response procedures.
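The following Python is an added triage helper written for this page; it is not part of the rule page or of Datadog's own code. It covers both the technique described under Strategy and the triage steps above: it parses the text returned by `INFO replication` to flag a replica that follows a primary outside an allowlist, checks loaded modules (as `(name, path)` pairs taken from `MODULE LIST`) against authorized module directories, and scans Redis server log lines for the sequence replication change, full sync, module load. The allowlist values, the sample `INFO replication` text and the sample log lines are constructed for the example, not captured from a real incident.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Hypothetical allowlists for this example: replace with the primaries and module
# directories your deployment actually authorizes.
AUTHORIZED_MASTERS = {("redis-primary.internal", 6379)}
AUTHORIZED_MODULE_DIRS = ("/usr/lib/redis/modules/",)


@dataclass
class Finding:
    severity: str
    reason: str


def parse_info_replication(text: str) -> dict[str, str]:
    """Parse the key:value text block returned by `INFO replication`."""
    info = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        info[key] = value
    return info


def check_replication(info: dict[str, str]) -> list[Finding]:
    """Flag an instance that replicates from a primary outside the allowlist."""
    if info.get("role") != "slave":  # Redis still reports a replica's role as 'slave'
        return []
    master = (info.get("master_host", ""), int(info.get("master_port", "0")))
    if master in AUTHORIZED_MASTERS:
        return []
    return [Finding("high", f"replicating from unexpected primary {master[0]}:{master[1]}")]


def check_modules(modules: list[tuple[str, str]]) -> list[Finding]:
    """Flag modules whose shared object lives outside the authorized module directories.

    `modules` is a list of (name, path) pairs, e.g. taken from `MODULE LIST`.
    """
    return [
        Finding("high", f"module '{name}' loaded from unexpected path {path}")
        for name, path in modules
        if not path.startswith(AUTHORIZED_MODULE_DIRS)
    ]


# Server log messages corresponding to the steps of the technique: the replication
# change, the full sync from the new primary, and the module load.
LOG_PATTERNS = [
    ("replication change", re.compile(r"REPLICAOF (?P<host>[^:\s]+):(?P<port>\d+) enabled")),
    ("full sync", re.compile(r"MASTER <-> REPLICA sync started")),
    ("module load", re.compile(r"Module '(?P<name>[^']+)' loaded from (?P<path>\S+)")),
]


def scan_log(lines: list[str]) -> list[tuple[str, str]]:
    """Return (event, log line) pairs for lines matching the patterns above, in log order."""
    hits = []
    for line in lines:
        for event, pattern in LOG_PATTERNS:
            if pattern.search(line):
                hits.append((event, line))
    return hits


def triage(info_text: str, modules: list[tuple[str, str]], log_lines: list[str]) -> list[Finding]:
    """Combine the three checks; escalate when a module load follows a replication change."""
    findings = check_replication(parse_info_replication(info_text)) + check_modules(modules)
    hits = scan_log(log_lines)
    first_change = next((i for i, (event, _) in enumerate(hits) if event == "replication change"), None)
    if first_change is not None and any(event == "module load" for event, _ in hits[first_change + 1:]):
        findings.append(Finding("critical", "module load follows a replication change in the same log window"))
    return findings


# Constructed sample data in the shape of real Redis output; not from a real incident.
SAMPLE_INFO = (
    "# Replication\r\nrole:slave\r\nmaster_host:203.0.113.10\r\n"
    "master_port:6379\r\nmaster_link_status:up\r\n"
)
SAMPLE_MODULES = [("system", "/tmp/exp.so")]
SAMPLE_LOG = [
    "1:S 18 Jan 2024 10:01:02.345 * REPLICAOF 203.0.113.10:6379 enabled (user request from 'id=7 addr=198.51.100.5:41022')",
    "1:S 18 Jan 2024 10:01:02.901 * MASTER <-> REPLICA sync started",
    "1:S 18 Jan 2024 10:01:03.120 * Module 'system' loaded from /tmp/exp.so",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_INFO, SAMPLE_MODULES, SAMPLE_LOG):
        print(f"[{finding.severity}] {finding.reason}")
```

On a live host, feed `triage()` the output of `redis-cli INFO replication`, the `(name, path)` pairs from `redis-cli MODULE LIST`, and the server log. Authorized modules should always resolve to a fixed, root-owned directory; a module path under `/tmp` or the Redis data directory is the signal this rule is built around, and a replication change shortly before it is what separates a real compromise from an administrator's module deployment.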

Requires Agent version 7.27 or greater