Elasticsearch search locked with ransomware


#1

I have not protected Elasticsearch, so someone hacked it and left a new index whose contents say where to transfer bitcoins. The data I can regenerate; the question is how I can get rid of that. Accessing the indices directly works, but search scripts return HTTP code 400 when I make curl requests from PHP. Any ideas?

edit:
I removed the folder and created the index from the beginning. It did not fix anything.


(David Pilato) #2

Do not expose your Elasticsearch cluster directly to the internet without any protection.

You can use cloud.elastic.co as well.

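Added example, not code from the thread or from Elastic: a small Python script that does the two checks this thread calls for, first whether a node answers an unauthenticated `GET /` with its cluster banner (which means anyone who can reach the port can read, write and delete indices), and second whether `_cat/indices?v` lists an index whose name looks like a ransom note. The ransom-note name patterns and the sample responses below are constructed for the example; only the endpoints `/` and `/_cat/indices?v` are real Elasticsearch APIs.

```python
"""Probe an Elasticsearch node for unauthenticated access and ransom-note indices.

Added example for this thread, not the original poster's or Elastic's code.
Real APIs used: GET /  (cluster banner) and GET /_cat/indices?v (index table).
The name patterns and sample data are assumptions constructed for the demo.
"""
import json
import re
import urllib.error
import urllib.request

# Assumed index-name fragments typical of ransom notes (constructed list, not
# taken from the thread; extend it with what you actually see in your cluster).
RANSOM_NAME_PATTERNS = [
    r"warning", r"readme", r"read_me", r"please_read",
    r"how_to_recover", r"bitcoin", r"ransom",
]


def classify_root_response(status, body):
    """Classify the reply to an unauthenticated GET / on the node.

    'open'      -> 200 with the cluster banner: no auth in front of the node
    'protected' -> 401/403: authentication is enforced
    'other'     -> anything else (proxy page, non-Elasticsearch service, error)
    """
    if status in (401, 403):
        return "protected"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "other"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "other"


def parse_cat_indices(text):
    """Parse `_cat/indices?v` output: a header row, then one row per index.

    Every column value is whitespace-free, so splitting on whitespace is safe.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split()
    return [dict(zip(header, ln.split())) for ln in lines[1:]]


def find_ransom_indices(rows):
    """Return the names of indices that match a ransom-note name pattern."""
    pat = re.compile("|".join(RANSOM_NAME_PATTERNS), re.IGNORECASE)
    return [r["index"] for r in rows if pat.search(r.get("index", ""))]


def probe(base_url, timeout=5):
    """Live check against a node, e.g. probe('http://127.0.0.1:9200').

    Sends no credentials on purpose: a 200 banner here means the node is open.
    Not used by the offline demo below.
    """
    try:
        with urllib.request.urlopen(base_url, timeout=timeout) as resp:
            status, body = resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        status, body = e.code, e.read().decode("utf-8", "replace")
    return classify_root_response(status, body)


# Constructed sample responses standing in for a live node.
SAMPLE_ROOT = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "5.6.0"}, "tagline": "You Know, for Search",
})
SAMPLE_CAT = """health status index          uuid                   pri rep docs.count docs.deleted store.size pri.store.size
yellow open   products       aBcDeFgHiJkLmNoPqRsTuV   5   1      12034            0     14.2mb         14.2mb
yellow open   please_read_me XyZ1234567890abcdefghi   5   1          1            0      4.1kb          4.1kb
"""


def offline_demo():
    """Run both checks on the constructed samples and return the findings."""
    return {
        "auth": classify_root_response(200, SAMPLE_ROOT),
        "ransom_indices": find_ransom_indices(parse_cat_indices(SAMPLE_CAT)),
    }


if __name__ == "__main__":
    print(json.dumps(offline_demo(), indent=2))
```

Run `probe()` from a host outside your network: if it returns `'open'`, the node is reachable without credentials and the fix is to stop exposing it (bind `network.host` to a private address, put it behind a firewall or authenticating proxy, or enable Elasticsearch security), not to delete the ransom index, which will simply come back.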

#3

Thanks for answering, but how was someone able to prevent me from querying the index?


(David Pilato) #4

What query are you running? Please test with plain curl commands rather than PHP.
What version?


(system) #5

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.