Elasticsearch search locked with ransomware


I have not protected elasticsearch, so someone hacked it and left a new index with contents saying where to transfer bitcoins. The data I can regenerate; the question is how I can get rid of that. Accessing the indices directly works, but search scripts return http code 400 when I do curl requests with php. Any ideas?

I removed the folder and created index from the beginning. It did not fix anything.

(David Pilato) #2

Do not expose your elasticsearch cluster directly to internet without any protection.

You can use cloud.elastic.co as well.
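The exposure described in this thread (a node bound to a public address with no authentication) can be caught before deployment by auditing `elasticsearch.yml`. The following is an added example, not code from the thread or from Elastic; `network.host` and `xpack.security.enabled` are real Elasticsearch settings, the two sample configs are constructed, and the parser only handles flat `key: value` lines (nested or list-valued YAML is out of scope).

```python
import ipaddress

# Constructed sample configs (not from the thread): the exposed layout the
# original poster describes, and a hardened counterpart.
EXPOSED_YML = """\
cluster.name: docs
network.host: 0.0.0.0
http.port: 9200
"""

HARDENED_YML = """\
cluster.name: docs
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

# Elasticsearch special values that resolve to loopback only
LOOPBACK_ALIASES = {"_local_", "localhost"}


def parse_flat_yml(text):
    """Minimal parser for flat 'key: value' lines; comments and blanks skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip('"').strip("'")
    return settings


def is_loopback(host):
    if host in LOOPBACK_ALIASES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # hostnames or other special values: treat as not loopback
        return False


def audit(text):
    """Return a list of findings; an empty list means no exposure risk was found."""
    s = parse_flat_yml(text)
    findings = []
    host = s.get("network.host", "_local_")  # unset network.host binds loopback only
    security = s.get("xpack.security.enabled", "").lower()
    if not is_loopback(host):
        findings.append(f"network.host={host}: node listens on a non-loopback address")
        if security != "true":
            findings.append("xpack.security.enabled is not set to true: confirm "
                            "authentication is enforced, or anonymous clients can "
                            "read, write and delete indices")
    return findings
```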


Thanks for answering, but how was someone able to prevent me from querying the index?

(David Pilato) #4

What query are you running? Please test with curl commands, not php.
What version?

(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.