Victim of Memcached Exploit


#1

Hello All,

I was one of the many that had a misconfigured server with memcached exposed to the internet; I guess I skimmed over the part where it wasn't a good idea. Lesson learned, and I'm doing more research on the subject. Thankfully, I don't think I ever had it configured to work with ownCloud correctly from the start, as I have tons of errors pre-dating the attack.

Example of the many errors in the owncloud.log:
Error 47 interacting with memcached : SERVER HAS FAILED AND IS DISABLED UNTIL TIMED RETRY

My server got used in the memcached DDoS exploit on the 2nd of May and I have since taken memcached offline. I am just wondering what kind of damage could have been done to my server and what to look for. Everything else seems to be working just fine. What kind of nasty things can a 'hacker' do to the server with an open memcached? What data does ownCloud store/use memcached for?

Thanks in advance.


#2

From what I understand, this depends on the way you have used memcached in ownCloud. AFAIK, ownCloud is using memcached for file locking and PHP caching, depending on your configuration in the config.php.

The file locking just saves the information whether a file is locked or not, where an attacker probably can't do any malicious stuff. Not sure about the PHP caching and if it's possible for an attacker to modify that cache to do any harm to your installation.
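
Added example, not part of the thread and not ownCloud's own code: a Python check for the two things discussed above, namely which cache roles config.php assigns to memcached and whether a memcached socket is bound beyond loopback. The config fragment and the `ss` output are constructed samples, and port 11211 (memcached's default) is assumed.

```python
import re

# Constructed sample of an ownCloud config.php fragment (not from the thread).
SAMPLE_CONFIG = r"""<?php
$CONFIG = array (
  'memcache.local' => '\OC\Memcache\APCu',
  'memcache.distributed' => '\OC\Memcache\Memcached',
  'memcache.locking' => '\OC\Memcache\Memcached',
  'memcached_servers' => array(array('localhost', 11211)),
);
"""

# Constructed sample of `ss -lntuH` output:
# Netid State Recv-Q Send-Q Local-Address:Port Peer-Address:Port
SAMPLE_SS = """\
udp UNCONN 0 0 0.0.0.0:11211 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:11211 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 [::1]:11211 [::]:*
"""

def memcached_roles(config_text):
    """Return the memcache.* roles in config.php that point at Memcached."""
    pairs = re.findall(r"'(memcache\.\w+)'\s*=>\s*'([^']*)'", config_text)
    return sorted(role for role, backend in pairs if backend.endswith("Memcached"))

def exposed_listeners(ss_text, port=11211):
    """Return (proto, address) for sockets on `port` bound beyond loopback."""
    exposed = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # not a socket line
        proto, local = fields[0], fields[4]
        addr, _, lport = local.rpartition(":")
        if lport != str(port):
            continue
        host = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and scope id
        if host in ("::1", "localhost") or host.startswith("127."):
            continue  # loopback only: not reachable from the internet
        exposed.append((proto, addr))
    return exposed

if __name__ == "__main__":
    print("roles backed by memcached:", memcached_roles(SAMPLE_CONFIG))
    for proto, addr in exposed_listeners(SAMPLE_SS):
        print(f"memcached reachable beyond loopback: {proto} {addr}")
```

On a live host, feed `exposed_listeners` the real output of `ss -lntuH`; a `udp` entry on a wildcard address is the listener type the DDoS amplification relied on.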


#3

Thank you for your reply :)