Closed. gab99 closed this issue 2 years ago.

gab99:
Windows Server Defender detected Backdoor:PHP/Chopper.C!dha malware in the dump file C:\Program Files\Redis\dump.rdb. I installed the service using the installer here:
https://github.com/tporadowski/redis/releases/tag/v5.0.14.1
Is this a false alarm?

tporadowski:
Was it installed for the first time? Are you running any application that is publicly available and could write data sent as input "as is" to Redis? If there is no private/critical data there, could you please share that file with me? (tomasz.poradowski@gmail.com)

gab99:
Hi @tporadowski
Thank you for your time, but I am sorry to say that we have managed to identify the root cause of our issue, and it is not related to this repo.
The dump file actually contains some injected PHP code which was later renamed/moved to a web app public folder and used for an RCE attack.
Answer to your question: this was not installed for the first time.
Our previous installation was completed using the installer here:
https://github.com/microsoftarchive/redis/releases/tag/win-3.0.504
A quick summary of our post-mortem:
- bind 127.0.0.1 directive (it was commented by default)

Hence, when we reinstalled with https://github.com/tporadowski/redis/releases/tag/v5.0.14.1, the previous dump file, which already contained the injected PHP code, triggered Windows Server Defender.

tporadowski:
@gab99 I'm glad you sorted this out. Yet, both the bind 127.0.0.1 and protected-mode yes options have been delivered by default for years now.
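The two checks a responder would run after a thread like this, as an added example that is not code from the issue or from the tporadowski/redis project: an audit of redis.conf for the settings that leave an instance writable by any remote client (no bind, protected-mode no, no requirepass), and a byte-level scan of dump.rdb for PHP open tags, which is what attacker input written "as is" into the keyspace and persisted on SAVE looks like. The two config texts, the RDB-like blobs and the PHP one-liner are constructed for the demo; the RDB framing is simplified (no aux fields or checksum) and is not a real dump.

```python
"""Triage helpers for an exposed Redis instance whose dump.rdb was flagged.

Added example; the config samples and RDB-like blobs below are constructed.
"""
from typing import Dict, List

# Constructed config mirroring the post-mortem: the bind line is commented out.
WEAK_CONF = """\
# bind 127.0.0.1
port 6379
protected-mode no
dir ./
dbfilename dump.rdb
"""

# Constructed hardened counterpart: loopback only, protected mode, password.
HARDENED_CONF = """\
bind 127.0.0.1
port 6379
protected-mode yes
requirepass replace-with-a-long-random-secret
dir ./
dbfilename dump.rdb
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_directives(conf_text: str) -> Dict[str, List[str]]:
    """Map each directive to the args of its last uncommented occurrence."""
    directives: Dict[str, List[str]] = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name.lower()] = args
    return directives


def audit_redis_conf(conf_text: str) -> List[str]:
    """Findings that make Redis writable by anyone who can reach the port."""
    d = parse_directives(conf_text)
    findings: List[str] = []

    bind = d.get("bind")
    if bind is None:
        findings.append("bind is missing or commented out: Redis listens on every interface")
    elif any(addr.lstrip("-") in WILDCARD_BINDS for addr in bind):
        findings.append(f"bind {' '.join(bind)}: Redis listens on every interface")

    # protected-mode exists since Redis 3.2; the win-3.0.504 build predates it.
    mode = d.get("protected-mode")
    if mode is None:
        findings.append("protected-mode not set: defaults to yes on 3.2+, unavailable on 3.0.x")
    elif mode[0].lower() == "no":
        findings.append("protected-mode no: remote clients are not refused even without bind/password")

    if "requirepass" not in d:
        findings.append("requirepass missing: any client may run CONFIG SET, SET and SAVE")

    return findings


PHP_OPEN_TAGS = (b"<?php", b"<?=")


def find_php_in_dump(data: bytes) -> List[int]:
    """Byte offsets of PHP open tags in an RDB file (or any persisted blob).

    Quick triage only: Redis LZF-compresses longer string values when
    rdbcompression is on (the default) and that shrinks them, so a
    compressed payload needs a real RDB parser to be seen.
    """
    hits: List[int] = []
    for tag in PHP_OPEN_TAGS:
        pos = data.find(tag)
        while pos != -1:
            hits.append(pos)
            pos = data.find(tag, pos + 1)
    return sorted(hits)


# Constructed, simplified RDB-like blobs: magic+version, DB selector (0xFE 0),
# one string key "x" (type 0, length-prefixed key and value), then EOF (0xFF).
PAYLOAD = b"<?php system($_GET['c']); ?>"  # constructed web-shell one-liner
TAINTED_DUMP = b"REDIS0009\xfe\x00\x00\x01x" + bytes([len(PAYLOAD)]) + PAYLOAD + b"\xff"
CLEAN_DUMP = b"REDIS0009\xfe\x00\x00\x01x\x05hello\xff"


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or ["no findings"])
    print("tainted dump PHP tag offsets:", find_php_in_dump(TAINTED_DUMP))
    print("clean dump PHP tag offsets:", find_php_in_dump(CLEAN_DUMP))
```

On a live host, feed audit_redis_conf() the contents of the redis.windows-service.conf actually loaded by the service (not the template next to it) and run find_php_in_dump() over a copy of dump.rdb taken before the service is restarted, since a restart rewrites the file and, as the thread shows, the stale dump is the evidence of what the old exposed instance accepted.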