Elasticsearch user producing strange traffic


(Philipp Wagner) #1

Hello,

I found out that my elasticsearch user was running strange commands and producing a lot of dutchy traffic recently.

(("22",21871,3))
ESTAB 0 0 5.9.97.70:43626 222.186.58.177:10991 users:(("9314",21349,3))
ESTAB 0 0 5.9.97.70:47511 121.40.105.14:3615 users:(("ience",23209,4))
ESTAB 0 0 5.9.97.70:56270 101.200.198.157:10991 users:(("bb",21403,3))
ESTAB 0 0 5.9.97.70:43652 222.186.58.177:10991 users:(("9314",21692,3))

All these commands were run by the elasticsearch user. I am wondering if there is any logical explanation for that or whether this simply means something is wrong with my version. Are there any known security issues?

Thanks a lot in advance!


(Colin Goodheart-Smithe) #2

Known security issues are listed on the security page here: https://www.elastic.co/community/security

Depending on which version you are running there may be script security vulnerabilities on your version. It's recommended you run the latest release of Elasticsearch to keep on top of these security vulnerabilities and benefit from the security fixes (as well as numerous other bug fixes and new features).

Also, is your cluster directly exposed to the internet and do you have dynamic scripting enabled?

Having your cluster directly accessible from the internet is not recommended, see this blog for more details: https://www.elastic.co/blog/scripting-security

Also you should avoid using dynamic scripting on open environments where possible. More information on dynamic scripting can be found here: https://www.elastic.co/guide/en/elasticsearch/reference/current/modules-scripting.html

Hope that helps
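The two conditions the reply above asks about (a cluster bound beyond localhost, and dynamic scripting left on) can be checked offline against a node settings document. The following is an added example, not code from the thread or from Elastic; it assumes a settings dict shaped like the `_nodes/settings` response of the Elasticsearch 1.x line, where the relevant keys are `network.host`/`network.bind_host`/`http.host` and `script.disable_dynamic` (1.0 to 1.3) or `script.inline`/`script.indexed` (1.4 onward).

```python
"""Audit an Elasticsearch 1.x settings document (constructed here) for a
public network binding and explicitly enabled dynamic scripting."""
import ipaddress

# Elasticsearch special bind values that resolve to non-loopback interfaces.
PUBLIC_SPECIALS = {"0.0.0.0", "::", "_non_loopback_", "_site_", "_global_"}


def flatten(settings, prefix=""):
    """Turn nested dicts ({"network": {"host": ...}}) into dotted keys;
    keys that are already dotted are passed through as strings."""
    out = {}
    for key, value in settings.items():
        full = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, full + "."))
        else:
            out[full] = str(value).strip().lower()
    return out


def binds_publicly(addr):
    """True unless the address is loopback (literal or the _local_ alias).
    Hostnames cannot be resolved offline, so they are treated as reachable."""
    if addr in PUBLIC_SPECIALS:
        return True
    if addr == "_local_":
        return False
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True


def audit_settings(settings):
    """Return a list of human-readable findings; empty means nothing flagged.
    Absence of a script setting is not reported because the default changed
    between 1.x releases (dynamic scripting was switched off by default in 1.2)."""
    s = flatten(settings)
    findings = []
    for key in ("network.host", "network.bind_host", "http.host"):
        if key in s and binds_publicly(s[key]):
            findings.append(f"{key}={s[key]}: node reachable beyond localhost")
    if s.get("script.disable_dynamic") in ("false", "sandbox"):
        findings.append("script.disable_dynamic=false: dynamic scripting enabled (1.0-1.3)")
    for key in ("script.inline", "script.indexed"):
        if s.get(key) == "on":
            findings.append(f"{key}=on: dynamic scripting enabled (1.4+)")
    return findings


if __name__ == "__main__":
    # Constructed sample, not a real node's configuration.
    for line in audit_settings({"network": {"host": "0.0.0.0"},
                                "script.disable_dynamic": "false"}):
        print(line)
```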
