According to security experts at Imperva, three out of four open Redis servers are infected with malware.

The discovery is the result of analysis conducted by running Redis-based honeypot servers for some months.

Since their initial report on the RedisWannaMine attack that propagates through open Redis and Windows servers, the experts from Imperva have discovered a new wave of attacks against Redis servers exposed online without authentication.

One of the most common attacks against Redis servers consists of adding SSH keys, so the attacker can remotely access the machine and take it over.

“Having let our honeypot collect data for some time, we noticed that different attackers use the same keys and/or values to carry out attacks.” states the report published by the experts.

“As such, a shared key or value between multiple servers is a clear sign of a malicious botnet activity.”

The experts used the SSH keys they’ve collected through their honeypot to scan Redis servers that were left exposed online for the presence of these keys.
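The shared-key heuristic quoted above can be applied to snapshots of your own Redis instances. The following is an added example, not code from the Imperva report: the function name `audit`, the `expected_keys` allowlist and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# An OpenSSH public-key line embedded anywhere in a Redis value.
SSH_PUBKEY = re.compile(
    r"(ssh-(?:rsa|ed25519|dss)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]{20,}")

def audit(snapshots, expected_keys=frozenset(), min_servers=2):
    """snapshots: {server: {redis_key: value}} exported from your own servers.
    expected_keys: key names your applications legitimately share (assumption).
    Returns (kind, item, servers) tuples, most widely shared first."""
    key_seen = defaultdict(set)    # key name -> servers holding it
    value_seen = defaultdict(set)  # stripped value -> servers holding it
    for server, kv in snapshots.items():
        for key, value in kv.items():
            key_seen[key].add(server)
            value_seen[value.strip()].add(server)

    findings = []
    for key, servers in key_seen.items():
        if len(servers) >= min_servers and key not in expected_keys:
            findings.append(("shared-key", key, sorted(servers)))
    for value, servers in value_seen.items():
        has_ssh = bool(SSH_PUBKEY.search(value))
        if len(servers) >= min_servers:
            kind = "shared-ssh-key-value" if has_ssh else "shared-value"
            findings.append((kind, value, sorted(servers)))
        elif has_ssh:
            # An SSH public key has no business in a cache, shared or not.
            findings.append(("ssh-key-value", value, sorted(servers)))
    return sorted(findings, key=lambda f: (-len(f[2]), f[0], f[1]))

# Constructed sample data: key names and key material are placeholders.
_PLANTED = "\n\nssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTED user@example\n\n"
SAMPLE = {
    "cache-a": {"session:1": "alice", "backup1": _PLANTED},
    "cache-b": {"backup1": _PLANTED, "cart:9": "3"},
    "cache-c": {"note": "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDKEY ops@example"},
}

if __name__ == "__main__":
    for kind, item, servers in audit(SAMPLE):
        print(f"{kind:22} {item.strip()[:40]!r:44} {servers}")
```

Servers that run the same application will share key names legitimately, so list those names in `expected_keys` before treating a shared key as a finding.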

The experts obtained a list of over 72,000 Redis servers available online by using the Shodan query ‘port:6379’. Over 10,000 of these responded to their scan request without an error, allowing the researchers to determine which SSH keys were installed locally.

The discovery was disconcerting: over 75% of these Redis servers were using an SSH key associated with a botnet.

“Unsurprisingly, more than two-thirds of the open Redis servers contain malicious keys and three-quarters of the servers contain malicious values, suggesting that the server is infected.” continues the report.

“Also according to our honeypot data, the infected servers with “backup” keys were attacked from a medium-sized botnet ( ) located at China (86% of IPs).”