Security issue: Redis compromised with malicious cron jobs and data

Hello,

I have identified a potential security breach on my VPS, which is running Dockerized services, including Redis. Upon investigating unusual behavior, I discovered the following issues:

  1. Redis database compromised:
  • The dump.rdb file and related Redis data files contain unexpected, suspicious content.
  • The database seems to be corrupted or manipulated.
  2. Malicious cron jobs:
  • Several cron jobs were added to the system without authorization. These jobs execute encoded commands via base64 and download scripts from external sources (e.g., http://b.9-9-11.com/t.sh).
  3. Redis logs and operations:
  • The Redis logs show continuous saving of the database but return nil for expected keys, suggesting either corruption or unauthorized manipulation.

Steps I have taken:

  • Disconnected the VPS from the network.
  • Verified the integrity of Redis files and identified suspicious entries.
  • Removed malicious cron jobs and scripts.

This incident highlights a potential vulnerability, either in Redis, Docker configuration, or the underlying system.

Please advise on the following:

  • Additional steps to secure Redis and Docker environments.
  • Recommendations for mitigating and preventing similar breaches.
  • Best practices for cleaning and securing a potentially compromised system.

Thank you for your assistance.

This is a Docker community forum where we can help with Docker-related questions, but I don't really see one in your post. If your host is not protected and you let attackers in, it doesn't matter what you do with Docker. Securing specific software is out of the scope of this forum. Do you have a specific question about Docker so people don't have to write a general Docker security book as a response?

Until that, just some basic rules:

  • Do not publish container ports you don't need to access from outside the server
  • Do not run processes as root in containers
  • You can use Rootless Docker where the daemon is running as a non-root user too

To add to @rimelek, make sure to not expose the Docker socket publicly.

For improved Docker security, check the OWASP Docker Security Cheat Sheet.

And make sure your VM passwords are complex, not guessable, not included in wordbook attacks and are not reused (potentially exposed from another breach).

By any chance, did you configure a tcp binding for the docker socket on a public ip?
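As an added example (not from Docker or from the replies above), a small audit script that checks a compose definition against the points raised in this thread: ports published beyond loopback, no non-root user set, and the Docker socket mounted into a container. The compose content, the service names and the helpers `host_bind_address`, `audit_service` and `audit` are constructed for illustration; the data is given as a Python dict (what a YAML loader returns) so it runs without extra packages.

```python
"""Audit docker-compose services for the exposure patterns raised in this
thread: ports reachable beyond loopback, containers with no non-root user,
and the Docker socket mounted into a container. Hypothetical helper."""
import ipaddress

# Constructed sample: a Redis service like the original post's, plus a tightened one.
COMPOSE = {
    "services": {
        "redis": {
            "image": "redis:7",
            "ports": ["6379:6379"],  # no host IP -> Docker binds 0.0.0.0
            "volumes": ["/var/run/docker.sock:/var/run/docker.sock"],
        },
        "redis-hardened": {
            "image": "redis:7",
            "user": "999:999",  # the redis image's unprivileged uid/gid
            "command": ["redis-server", "--requirepass", "${REDIS_PASSWORD}"],
            "ports": ["127.0.0.1:6379:6379"],  # loopback only
        },
    }
}

def host_bind_address(spec):
    """Host IP a compose 'ports' entry binds to. Short syntax is
    [[IP:]HOST:]CONTAINER[/proto] with IPv6 in brackets; long syntax is a dict
    with an optional host_ip. Docker defaults to 0.0.0.0 when no IP is given."""
    if isinstance(spec, dict):
        return spec.get("host_ip", "0.0.0.0")
    spec = str(spec).split("/")[0]
    if spec.startswith("["):
        return spec[1:].partition("]:")[0]
    parts = spec.rsplit(":", 2)
    return parts[0] if len(parts) == 3 else "0.0.0.0"

def audit_service(name, svc):
    findings = []
    for spec in svc.get("ports", []):
        ip = host_bind_address(spec)
        if not ipaddress.ip_address(ip).is_loopback:
            findings.append(f"{name}: port {spec!r} reachable beyond loopback ({ip})")
    if "user" not in svc:
        findings.append(f"{name}: no 'user:' set, runs as the image default (often root)")
    for vol in svc.get("volumes", []):
        src = vol.get("source", "") if isinstance(vol, dict) else str(vol).split(":")[0]
        if src == "/var/run/docker.sock":
            findings.append(f"{name}: Docker socket mounted into the container")
    return findings

def audit(compose):
    return [f for n, s in compose["services"].items() for f in audit_service(n, s)]
```

Running `audit(COMPOSE)` reports three findings for the `redis` service and none for `redis-hardened`; the same checks apply to any compose file loaded with a YAML parser.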
