Around 75% of Open Redis Servers Are Infected With Malware

LASER_oneXM

The vast majority of Redis servers left open on the Internet without any authentication system in place are most likely harboring malware, an Imperva spokesperson said.

The company's experts reached this conclusion after running Redis-based honeypot servers for the last few months.

It's through these honeypot servers that Imperva had previously discovered ReddisWannaMine, a botnet operation that was secretly mining cryptocurrency on open Redis servers left exposed online.
But as time went by and as honeypot data racked up, the Imperva team also started noticing some trends in the compromises of their Redis test servers.

Reuse of SSH keys reveals botnet operations

The most obvious pattern to spot was that attackers kept installing SSH keys on the compromised Redis server so they could access it at a later time.

"We noticed that different attackers use the same keys and/or values to carry out attacks," Imperva said. "A shared key or value between multiple servers is a clear sign of malicious botnet activity."
Imperva experts then took the SSH keys they collected through their honeypot and scanned all Redis servers that were left exposed online for the presence of these keys.
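An added example of the heuristic Imperva describes above, not Imperva's own tooling: given `authorized_keys` contents collected from several hosts, report any public key that appears on more than one of them. The host names and key blobs are constructed sample data.

```python
"""Flag SSH public keys shared across hosts (a cross-host botnet indicator).

Added example; host names and key material below are constructed, not real.
"""
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def parse_authorized_keys(text):
    """Return (key_type, key_blob, comment) for each key line.

    Blank lines and '#' comments are skipped; a leading option string such as
    command="..." is skipped by scanning forward to the first key-type token.
    """
    keys = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        for i, tok in enumerate(fields):
            if tok in KEY_TYPES and i + 1 < len(fields):
                keys.append((tok, fields[i + 1], " ".join(fields[i + 2:])))
                break
    return keys


def shared_keys(hosts):
    """Map key blob -> sorted hosts, keeping only blobs seen on 2+ hosts."""
    seen = defaultdict(set)
    for host, text in hosts.items():
        for _type, blob, _comment in parse_authorized_keys(text):
            seen[blob].add(host)
    return {blob: sorted(h) for blob, h in seen.items() if len(h) > 1}


# Constructed sample: the same "redis-bot" key was planted on two of three hosts.
SAMPLE_HOSTS = {
    "redis-a.example": ("ssh-ed25519 AAAAC3BOTKEY0001 redis-bot\n"
                        "ssh-rsa AAAAB3ADMINKEY1 admin@ops\n"),
    "redis-b.example": ('# managed by config tool\n'
                        'command="/bin/true" ssh-ed25519 AAAAC3BOTKEY0001 redis-bot\n'),
    "redis-c.example": "ssh-rsa AAAAB3ADMINKEY2 ops\n",
}

if __name__ == "__main__":
    for blob, hosts in shared_keys(SAMPLE_HOSTS).items():
        print(f"key {blob[:16]}... present on {len(hosts)} hosts: {', '.join(hosts)}")
```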