The total neglect of some security features in the design of the Redis database server came back to haunt the project years later, as Risk Based Security (RBS) reports that it has discovered 6,338 Redis servers that have been compromised.
Redis is a NoSQL database server that stores data in a key-value format and keeps its dataset in memory for fast processing and querying. According to statistics from DB-Engines, Redis ranked tenth in use and popularity in 2015.
Because Redis was created with performance in mind, in its default configuration the database has no authentication or any other security feature enabled.
This means that anyone who knows the IP address and port can access its contents. Worst of all, towards the end of 2015 an exploit surfaced that let a third party write an SSH key into the authorized_keys file of any Redis server that had no authentication configured.
There are more than 30,000 Redis database servers reachable online without any authentication. According to RBS researchers, 6,338 of these servers had been compromised.
The company reached this conclusion after performing a non-invasive scan using Shodan. The RBS researchers' interest was piqued when they analyzed a hacked server carrying the "crackit" SSH key, which was linked to an email address [firstname.lastname@example.org] that they had previously encountered in other cases.
Using Shodan to scan for open Redis servers that featured non-standard SSH keys, the researchers found 5,892 SSH keys associated with the email@example.com address. In addition, they found 385 keys linked to firstname.lastname@example.org and 211 keys linked to email@example.com.
The most common non-standard key names were "crackit", "crackit_key", "qwe", "ck" and "crack". In total, RBS found 14 unique email addresses and 40 unique SSH key combinations. As RBS explained, these compromises appear to be the work of several groups or individuals.
As for the exposed Redis versions, the researchers found 106 different versions, ranging from the old 1.2.0 release up to the then-latest version, 3.2.1.
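As an added example (not part of the RBS report or the article), a small Python audit of an authorized_keys file that flags lines which are not well-formed public keys and keys whose comment matches the non-standard names listed above; the sample file and the placeholder key body are constructed.

```python
import base64
from dataclasses import dataclass

# Non-standard key comments RBS reported on compromised servers (from the article).
SUSPICIOUS_COMMENTS = {"crackit", "crackit_key", "qwe", "ck", "crack"}

# Key types OpenSSH accepts in authorized_keys.
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


@dataclass
class Finding:
    line_no: int
    reason: str
    text: str


def _valid_base64(blob: str) -> bool:
    try:
        base64.b64decode(blob, validate=True)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def audit_authorized_keys(text: str) -> list[Finding]:
    """Return one Finding per suspicious line in an authorized_keys file."""
    findings = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        # Options such as command="..." may precede the key type; skip past them.
        start = next((i for i, f in enumerate(fields) if f in KEY_TYPES), None)
        if start is None or len(fields) < start + 2:
            findings.append(Finding(n, "not a well-formed public key line", raw[:60]))
            continue
        if not _valid_base64(fields[start + 1]):
            findings.append(Finding(n, "key body is not valid base64", raw[:60]))
            continue
        comment = " ".join(fields[start + 2:]).lower()
        if comment in SUSPICIOUS_COMMENTS or comment.split("@")[0] in SUSPICIOUS_COMMENTS:
            findings.append(Finding(n, f"key comment matches known indicator: {comment}", raw[:60]))
    return findings


# Constructed sample: the key body is a placeholder, not a real public key.
FAKE_KEY = base64.b64encode(b"constructed placeholder, not a real key").decode()
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-ed25519 {FAKE_KEY} admin@workstation",
    f"ssh-rsa {FAKE_KEY} crackit",
    "\x00\x01binary debris\x00 not a key",
    f"ssh-rsa {FAKE_KEY}!! broken",
])
```

Running `audit_authorized_keys(SAMPLE)` flags the "crackit" key, the binary debris line, and the line whose key body is not valid base64, while the ordinary admin key passes.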
"While we haven't been able to find anyone to confirm it publicly, it seems from our analysis that we have confirmed two things: the first is that this is not something new, and the second, that some servers out there are infected and not used for anything malicious," RBS researchers explained.
The security company recommends that webmasters update their Redis databases to the latest version and enable "protected mode", a security feature introduced in Redis 3.2.
These 6,338 servers remain exposed today, which means new threats can easily put them at risk again.