Windows Defender detected Backdoor:PHP/Chopper.C!dha malware

[gab99]

Windows Server Defender detected Backdoor:PHP/Chopper.C!dha malware on the dump file C:\Program Files\Redis\dump.rdb.

I installed the service using the installer here
https://github.com/tporadowski/redis/releases/tag/v5.0.14.1

Is this a false alarm?

[tporadowski]

Was it installed for the first time? Are you running any application that is publicly available and could write data sent as input "as is" to Redis? If there is no private/critical data there - could you please share that file with me? (tomasz.poradowski@gmail.com)

[gab99]

Hi @tporadowski

Thank you for your time but I am so sorry that we have managed to identify the root cause of our issue is not related to this repo.

The dump file actually contains some injected PHP codes which were later renamed/moved to a web app public folder and used as RCE attack

Answer to your question: This was not installed for the first time.

Our previous installation was completed using the installer here: https://github.com/microsoftarchive/redis/releases/tag/win-3.0.504

A quick summary of our post-mortem:

• A series of RCE attacks were confirmed - the dump file (of the previous installation) contains injected PHP codes, and malicious PHP web shell scripts were found in our Web App which happen to be in the same machine (definitely a bad idea!!)
• We believe the attack is made possible because Redis (of previous installation) is listening to all interfaces
• We have overlooked a default configuration (of previous installation) comes without bind 127.0.0.1 directive (it was commented by default)

Hence when we reinstall with https://github.com/tporadowski/redis/releases/tag/v5.0.14.1 the previous dump file which already contains the PHP injected codes triggered the Windows Server Defender.

[tporadowski]

@gab99 I'm glad you sorted this out. Yet, both bind 127.0.0.1 and protected-mode yes options are delivered by default for years now.