Anonymous Replica with Unknown IP address #259

Closed
milad-ghr opened this issue Jan 2, 2021 · 3 comments
Labels
question Usability question, not directly related to an error with the image

Comments

@milad-ghr

Hello guys,
After a high number of keys in the Redis Docker container, Redis stopped, and when I looked into the logs I saw something really confusing: it's sending replication data to some IP address and I guess it's copying my data. The full log is:

30:C 02 Jan 2021 07:16:22.089 * DB saved on disk
30:C 02 Jan 2021 07:16:22.090 * RDB: 0 MB of memory used by copy-on-write
1:M 02 Jan 2021 07:16:22.157 * Background saving terminated with success
1:M 02 Jan 2021 07:21:23.018 * 100 changes in 300 seconds. Saving...
1:M 02 Jan 2021 07:21:23.019 * Background saving started by pid 31
31:C 02 Jan 2021 07:21:23.052 * DB saved on disk
31:C 02 Jan 2021 07:21:23.052 * RDB: 1 MB of memory used by copy-on-write
1:M 02 Jan 2021 07:21:23.120 * Background saving terminated with success
1:S 02 Jan 2021 07:25:28.036 * Before turning into a replica, using my own master parameters to synthesize a cached master: I may be able to synchronize with the new master with just a partial transfer.
1:S 02 Jan 2021 07:25:28.036 * REPLICAOF 194.40.243.61:8886 enabled (user request from 'id=63 addr=95.214.11.231:45244 fd=58 name= age=1 idle=1 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=47 qbuf-free=32721 argv-mem=24 obl=0 oll=0 omem=0 tot-mem=61488 events=r cmd=slaveof user=default')
1:S 02 Jan 2021 07:25:28.768 * Connecting to MASTER 194.40.243.61:8886
1:S 02 Jan 2021 07:25:28.769 * MASTER <-> REPLICA sync started
1:S 02 Jan 2021 07:25:28.818 * Non blocking connect for SYNC fired the event.
1:S 02 Jan 2021 07:25:28.867 * Master replied to PING, replication can continue...
1:S 02 Jan 2021 07:25:28.964 * Trying a partial resynchronization (request c5ced4dd789...15f3857055645:1).
1:S 02 Jan 2021 07:25:29.013 * Full resync from master: ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ:1
1:S 02 Jan 2021 07:25:29.013 * Discarding previously cached master state.
1:S 02 Jan 2021 07:25:29.013 * MASTER <-> REPLICA sync: receiving 55648 bytes from master to disk
1:S 02 Jan 2021 07:25:29.112 * MASTER <-> REPLICA sync: Flushing old data
1:S 02 Jan 2021 07:25:29.114 * MASTER <-> REPLICA sync: Loading DB in memory
1:S 02 Jan 2021 07:25:29.147 # Wrong signature trying to load DB from file
1:S 02 Jan 2021 07:25:29.147 # Failed trying to load the MASTER synchronization DB from disk
1:S 02 Jan 2021 07:25:29.771 * Connecting to MASTER 194.40.243.61:8886
1:S 02 Jan 2021 07:25:29.771 * MASTER <-> REPLICA sync started
1:S 02 Jan 2021 07:25:29.822 * Non blocking connect for SYNC fired the event.
1:S 02 Jan 2021 07:25:29.870 # Error reply to PING from master: '-Reading from master: Connection reset by peer'
1:S 02 Jan 2021 07:25:30.773 * Connecting to MASTER 194.40.243.61:8886
1:S 02 Jan 2021 07:25:30.773 * MASTER <-> REPLICA sync started
1:S 02 Jan 2021 07:25:30.822 * Non blocking connect for SYNC fired the event.
1:S 02 Jan 2021 07:25:30.870 # Error reply to PING from master: '-Reading from master: Connection reset by peer'
1:S 02 Jan 2021 07:25:31.775 * Connecting to MASTER 194.40.243.61:8886
1:S 02 Jan 2021 07:25:31.776 * MASTER <-> REPLICA sync started
1:S 02 Jan 2021 07:25:31.828 * Non blocking connect for SYNC fired the event.
1:S 02 Jan 2021 07:25:31.873 # Error reply to PING from master: '-Reading from master: Operation now in progress'
1:S 02 Jan 2021 07:25:32.780 * Connecting to MASTER 194.40.243.61:8886
1:S 02 Jan 2021 07:25:32.780 * MASTER <-> REPLICA sync started
1:S 02 Jan 2021 07:25:32.829 * Non blocking connect for SYNC fired the event.
1:S 02 Jan 2021 07:25:32.877 # Error reply to PING from master: '-Reading from master: Connection reset by peer'
1:S 02 Jan 2021 07:25:33.782 * Connecting to MASTER 194.40.243.61:8886
1:S 02 Jan 2021 07:25:33.782 * MASTER <-> REPLICA sync started
1:S 02 Jan 2021 07:25:33.831 * Non blocking connect for SYNC fired the event.
1:S 02 Jan 2021 07:25:33.879 # Error reply to PING from master: '-Reading from master: Connection reset by peer'
1:S 02 Jan 2021 07:25:34.785 * Connecting to MASTER 194.40.243.61:8886
1:S 02 Jan 2021 07:25:34.785 * MASTER <-> REPLICA sync started
1:S 02 Jan 2021 07:25:34.833 * Non blocking connect for SYNC fired the event.
1:S 02 Jan 2021 07:25:34.882 # Error reply to PING from master: '-Reading from master: Connection reset by peer'
1:S 02 Jan 2021 07:25:35.208 # Module ./red2.so failed to load: It does not have execute permissions.
1:M 02 Jan 2021 07:25:35.294 # Setting secondary replication ID to c5ced4dd...ad515f3857055645, valid up to offset: 1. New replication ID is bef5179e7...c8f6ef60279b
1:M 02 Jan 2021 07:25:35.294 * MASTER MODE enabled (user request from 'id=63 addr=95.214.11.231:45244 fd=58 name= age=8 idle=0 flags=N db=0 sub=0 psub=0 multi=-1 qbuf=34 qbuf-free=32734 argv-mem=12 obl=0 oll=0 omem=0 tot-mem=61476 events=r cmd=slaveof user=default')
1:M 02 Jan 2021 07:26:24.048 * 100 changes in 300 seconds. Saving...
1:M 02 Jan 2021 07:26:24.049 * Background saving started by pid 32
32:C 02 Jan 2021 07:26:24.057 * DB saved on disk
32:C 02 Jan 2021 07:26:24.057 * RDB: 0 MB of memory used by copy-on-write

As you can see, there are two IP addresses, 194.40.243.61:8886 and 95.214.11.231:45244.
I'd be glad if you could tell me what this is and whether I should be worried. Where is my data being sent to?
Thanks

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Jan 4, 2021
@wglambert

https://github.com/docker-library/docs/tree/master/redis#security

#140 (comment)
As noted by the creator of Redis, it is very easy to "hack" a Redis server and change files: http://antirez.com/news/96.

I successfully gained access as the Redis user, with a proper shell, in like five seconds. Courtesy of a Redis instance unprotected being, basically, an on-demand-write-this-file server, and in this case, by ssh not being conservative enough to deny access to a file which is all composed of corrupted keys but for one single entry. However ssh is not the problem here, once you can write files, even with binary garbage inside, it’s a matter of time and you’ll gain access to the system in one way or the other.

We do not build images with malware installed (I did just pull and check them in case there was some sort of exploit of Docker Hub). The affected users are likely exposing their redis to the public internet where it is trivial to "hack".

Edit: previous users with problems by "hackers", #44 (comment), #44 (comment), #44 (comment) #217
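
The sequence visible in the log above (a remote client requests REPLICAOF, the received sync file fails with "Wrong signature", a module load is attempted, and the role flips back to master) can be flagged automatically. The following Python is an added example, not part of the original thread or of the Redis or docker-library code; the rule and function names are illustrative, and the sample lines are copied from the issue with the client-info fields trimmed.

```python
import ipaddress
import re

# Log lines copied from the issue (client-info fields trimmed for width).
SAMPLE = """\
1:M 02 Jan 2021 07:21:23.120 * Background saving terminated with success
1:S 02 Jan 2021 07:25:28.036 * REPLICAOF 194.40.243.61:8886 enabled (user request from 'id=63 addr=95.214.11.231:45244 fd=58 name= age=1 cmd=slaveof user=default')
1:S 02 Jan 2021 07:25:29.147 # Wrong signature trying to load DB from file
1:S 02 Jan 2021 07:25:35.208 # Module ./red2.so failed to load: It does not have execute permissions.
1:M 02 Jan 2021 07:25:35.294 * MASTER MODE enabled (user request from 'id=63 addr=95.214.11.231:45244 fd=58 name= age=8 cmd=slaveof user=default')
""".splitlines()

LINE = re.compile(r"^\d+:[A-Z] (\d{2} \w{3} \d{4} [\d:.]+) [*#.-] (.*)$")
RULES = [  # rule names are illustrative, patterns match the messages in the log above
    ("role_change_to_replica", re.compile(r"^REPLICAOF (?P<master>\S+) enabled \(user request from '.*?addr=(?P<client>\S+)")),
    ("role_change_to_master", re.compile(r"^MASTER MODE enabled \(user request from '.*?addr=(?P<client>\S+)")),
    ("bad_sync_payload", re.compile(r"^Wrong signature trying to load DB from file")),
    ("module_load_attempt", re.compile(r"^Module (?P<module>\S+) failed to load")),
]

def is_external(addr):
    """True when host:port is outside private/loopback ranges (hostnames count as external)."""
    host = addr.rsplit(":", 1)[0].strip("[]")
    try:
        return not ipaddress.ip_address(host).is_private
    except ValueError:
        return True

def triage(lines):
    """Return one finding per log line that matches a rule."""
    findings = []
    for raw in lines:
        m = LINE.match(raw)
        if not m:
            continue
        for kind, rx in RULES:
            hit = rx.search(m.group(2))
            if hit:
                f = {"time": m.group(1), "kind": kind, **hit.groupdict()}
                if "client" in f:
                    f["external_client"] = is_external(f["client"])
                findings.append(f)
    return findings

def looks_like_hijack(findings):
    """Replication redirected by an external client, plus a bad sync payload or module load."""
    kinds = {f["kind"] for f in findings}
    redirected = any(f["kind"] == "role_change_to_replica" and f["external_client"] for f in findings)
    return redirected and bool(kinds & {"bad_sync_payload", "module_load_attempt"})
```

Feed `triage()` the container's log lines (for example the output of `docker logs`) and alert when `looks_like_hijack()` returns true.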

@tluyben

tluyben commented Jan 7, 2021

For people with this issue, see:

https://medium.com/@ebuschini/iptables-and-docker-95e2496f0b45

(not mine, very helpful)

The script he put on GitHub works and closes it all off.

@milad-ghr
Author

Thanks @wglambert and @tluyben
I'll close this issue.
