from http://www.sensepost.com/blog/4873.html

"The memcached threat model is pretty simple since the software has a tiny interface. Zero authentication by default helps, and once connected you can read and write all parts of the cache due to the lack of authorisation."

Excellent article. Amazing to see that many large sites allow overwriting memcached data so that malware can be inserted. If this were done there would, of course, be no way to remove the malware from the site code since it does not reside there.

James

Of course, this relies on memcached's configuration being deliberately changed to listen on a public interface. There's a big warning immediately above that configuration line. But noone here would have their memcached listening to the world, right?

(p.s. 192.168.128.0/17 is public, from a security standpoint)

I think that is unlikely if a single web server and single memcached instance are running on the same server. If separate multiple memcached servers are being used, there might be a temptation to do this for the lazier and the less experienced.

If you would like to find out if any linodes are vulnerable to this problem, the article discusses how to obtain and use a scanning tool made for just such a purpose. My interest in this subject is theoretical, not practical.

James

Wouldn't one also have to be a complete moron?

Or just have no clue about security and server admin...I recently audited a server which had mysql open to the public with remote logins enabled and a root password of something like 'password123'...yeah that's just about as bad as an open memcached.

Sure. But nobody makes a stink about that being a vulnerability in MySQL.