How Attackers Exploit Unauthenticated Redis to Deploy Worms and Mine Cryptocurrency
This article analyzes the recent surge of Redis unauthenticated attacks that install a worm, use pnscan for lateral scanning, modify system settings, and launch cryptocurrency mining, while providing detailed script breakdowns and remediation steps.
Vulnerability Overview
Redis binds by default to 0.0.0.0:6379. If no firewall blocks the port and AUTH is disabled, any remote attacker can execute arbitrary Redis commands, write an SSH public key to ~/.ssh/authorized_keys, and obtain root access when Redis runs as root. Details: https://www.seebug.org/vuldb/ssvid-89715
Infection Process
Scan large IP ranges (e.g., 1.0.0.0/16‑224.255.0.0/16) for open TCP 6379 using pnscan.
Connect to vulnerable Redis instances with redis-cli and write a malicious .dat payload that changes /var/spool/cron/root to download and execute a script.
Execute the downloaded script, which installs a cryptomining binary and creates persistence.
Compile and install pnscan to continue scanning and infecting additional hosts.
Malicious Script (NaNd) Functions
Creates marker file .mxff0 to avoid re‑execution.
Sets trap to delete temporary files and the script itself on exit.
Disables SELinux via setenforce 0 and writes SELINUX=disabled to /etc/sysconfig/selinux.
Removes existing cron jobs and clears /var/spool/cron.
Ensures DNS resolution by appending nameserver 8.8.8.8 to /etc/resolv.conf if missing.
Clears /tmp, /var/tmp, system caches, and command history.
Increases file and process limits in /etc/security/limits.conf (hard/soft nofile and nproc to 100000).
Installs required packages using the appropriate manager (yum, apt, etc.).
Downloads and compiles pnscan from https://codeload.github.com/ptrrkssn/pnscan/tar.gz/v1.12 when not present.
Uploads the mining binary to https://transfer.sh, obtains a new URL, and rewrites the .dat payload to use this link.
Creates cron entries that fetch the mining script via curl, wget, or lynx and execute it.
Adds iptables rules to block external access to port 6379 (allow only localhost) and kills processes related to mining, Redis clients, and known scanners.
Erases logs, mail spools, and history files before exiting.
Defensive Recommendations
Bind Redis to internal IPs only, use firewalls or security groups, and avoid running Redis as root.
Enable AUTH with a strong password; optionally rename dangerous commands (e.g., CONFIG).
Restore system files from backups: /var/spool/cron, /etc/resolv.conf, /etc/security/limits.conf, and SELinux configuration.
Remove installed binaries (pnscan, mining executable, etc.) and delete residual files such as .mxff0, .x112, .gpg, .dat, NaNd, .r.*.*.o, tmp.*.
Re‑enable SELinux and verify iptables rules no longer block legitimate traffic.
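As an added check for the hardening advice above (example code written for this summary, not from the article or the Redis project): it parses a redis.conf and flags an exposed bind, protected-mode switched off, a missing requirepass, and CONFIG/SAVE/BGSAVE left callable, which is the command chain the cron-file write abuses. The two sample configs are constructed.

```python
"""Audit a redis.conf against the recommendations above (internal bind only,
AUTH enabled, CONFIG renamed). Added example; not code from the article."""
import shlex

# The worm's write primitive is CONFIG SET dir/dbfilename followed by SAVE, so
# these are the commands to rename away (rename-command X "").
DANGEROUS = {"CONFIG", "SAVE", "BGSAVE"}
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}

def parse_conf(text):
    """Return (directive, args) pairs; a '#' at line start is a comment."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)  # honours quoted values such as passwords
            entries.append((parts[0].lower(), parts[1:]))
    return entries

def audit_redis_conf(text):
    """Return a list of findings; an empty list means every check passes."""
    conf = parse_conf(text)
    get = lambda name: [args for d, args in conf if d == name]
    findings = []
    binds = get("bind")
    if not binds:
        findings.append("no 'bind' directive: Redis listens on every interface")
    elif any(a.lstrip("-") in WILDCARD_BINDS for a in binds[-1]):
        findings.append("bind includes a wildcard address")
    if any(args[:1] == ["no"] for args in get("protected-mode")):
        findings.append("protected-mode is off")
    pw = get("requirepass")
    if not pw or not pw[-1] or not pw[-1][0]:
        findings.append("requirepass not set: unauthenticated access allowed")
    renamed = {args[0].upper() for args in get("rename-command") if args}
    findings += [f"{c} is not renamed/disabled" for c in sorted(DANGEROUS - renamed)]
    return findings

WEAK_CONF = """# constructed sample: an exposed, stock-looking config
bind 0.0.0.0
protected-mode no
"""
HARDENED_CONF = """# constructed sample applying the recommendations above
bind 127.0.0.1 10.0.0.5
protected-mode yes
requirepass "Fh3#x9LmQ2vTz8Wr0bKn"
rename-command CONFIG ""
rename-command SAVE ""
rename-command BGSAVE ""
"""
```

Run audit_redis_conf(open("/etc/redis/redis.conf").read()) on a host; the weak sample yields six findings and the hardened one none.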
Indicators of Compromise (IOCs)
Malicious script URL: https://transfer.sh/MIpIA/tmp.9kIguIhkI7
Mining binary SHA256: 2918ee2b69bc4e6b581c7b25f08434fe (note: this value is 32 hex characters, i.e. MD5 length; the VirusTotal reference below carries a 64-character SHA256)
Mining pool domain: http://jb.chakpools.com/
File artifacts: .mxff0, .x112, .gpg, .dat, NaNd, .r.xx.xx.o, tmp.*
References
VirusTotal analysis: https://www.virustotal.com/#/file/9756e66c168ec963c58b3d0ca5483927c14a64a99ba718fa9488a52d4d207ed6
pnscan project: https://github.com/ptrrkssn/pnscan
Vulnerability details: https://www.seebug.org/vuldb/ssvid-89715
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
ITPUB