Find weird indices in elasticsearch cluster after marvel is installed


(photonic_world) #1

Hi,

With elasticsearch 1.5 and marvel 1.3.1, which is setup in my production cluster to report data to a monitoring cluster. I see several indices with names below:

spogwo1.html,srnpss1.html,npsggw1.html,ervwva1.html,nsaspv1.html,gpgspo1.html,wvggan1.html,nrpwga1.html,egaooa1.html,wasana1.html,aovngw1.html,wrrsso1.html,roaons1.html,sggwnp1.html,rnnvaa1.html,ssargn1.html,gasprw1.html,rroear1.html,opvana1.html,renpne1.html,wasopr1.html,ervrwn1.html,oravre1.html,nnearr1.html,orpgpw1.html,egaggo1.html,gvngap1.html,gesasp1.html,ngasng1.html,rarapn1.html,rgrggv1.html,rrwooa1.html,vrawop1.html,evrgpe1.html,asrvwp1.html,negwap1.html,wwnrga1.html,swsswv1.html,pweapa1.html,wvpppe1.html,sorpww1.html,sgoorg1.html,rranee1.html,nrwpog1.html,awvgnn1.html,rppaav1.html,vevvrp1.html,gpppgw1.html,neoenp1.html,gsovov1.html,wanevr1.html,ovrsow1.html,nvnser1.html,swapnn1.html,ewpren1.html,werrwn1.html,gnrpsg1.html,gswgwp1.html,svergs1.html,gwrpnp1.html,nvnsrn1.html,nwvens1.html,graevo1.html,onaepa1.html,weeawa1.html,esrvsw1.html,oeewrg1.html,gwvarg1.html,ggaewv1.html,osgoos1.html,wpoapa1.html,nvwowr1.html,rsnopv1.html,gnowge1.html,svsgvr1.html,owsnww1.html,pgnreo1.html,nerona1.html,vovnvs1.html,groasg1.html,rovngo1.html,saswoa1.html,vwosgs1.html,werpsg1.html,ravosr1.html,ogopnv1.html,vwaner1.html,ovvwae1.html,ewsnwn1.html,roasva1.html,osnava1.html,svngeg1.html,svoage1.html,wgoenn1.html,sgpvvv1.html,gongev1.html,eogpas1.html,nvvowp1.html,asoepn1.html,oeparw1.html,vasrgn1.html,geporn1.html,spawgp1.html,wwnnap1.html,wvavvp1.html,aoarea1.html,vonnsa1.html,rapasa1.html,evegae1.html,poswew1.html

Any ideas why these are created? I see no mappings for these indices, and my application does not create them.

[Update]: Here are some details on the index when I get the weird index created:
{
  "svseee1.html": {
    "aliases": {},
    "mappings": {},
    "settings": {
      "index": {
        "A": "quick brown fox jumps over the lazy dogA quick brown fox jumps over the laz",
        "creation_date": "1452294284584",
        "number_of_shards": "5",
        "number_of_replicas": "1",
        "version": {
          "created": "1050099"
        },
        "uuid": "g0RGapXXSt6Gq4rZikv52g"
      }
    },
    "warmers": {}
  }
}

Thanks,
Photon


(Magnus Bäck) #2

It's most likely either a rogue exploitation attempt or an internal security scanner that has issued POST requests against Elasticsearch's REST interface. Is your cluster open to the internet?


(photonic_world) #3

No, it's not open to the internet.

Is there a way to verify incoming http requests to the cluster?


(photonic_world) #4

Guess setting org.apache.http: INFO to debug should help. No?
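A quick way to triage a cluster for indices like the ones in this thread, before digging through HTTP logs, is to pull the index metadata (the same shape as the GET /svseee1.html output posted above) and flag anything that looks machine-created: a name matching the six-letter-plus-"1.html" pattern, no mappings at all, settings keys that Elasticsearch itself never writes (the "A" key above), or a name outside the prefixes your own application uses. The script below is an added example, not code from the thread or from Elastic; the sample response is constructed from the settings posted above plus one made-up legitimate index ("app-logs-2016.01.08"), the allowed prefix "app-" is an assumption, and the set of expected index settings keys is taken from the posted output rather than from Elasticsearch's full settings list.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample in the shape of GET /<index> (Elasticsearch 1.x).
# "svseee1.html" is copied from the thread; "app-logs-2016.01.08" is an
# assumed legitimate application index added for contrast.
SAMPLE_RESPONSE = json.dumps({
    "svseee1.html": {
        "aliases": {},
        "mappings": {},
        "settings": {"index": {
            "A": "quick brown fox jumps over the lazy dogA quick brown fox jumps over the laz",
            "creation_date": "1452294284584",
            "number_of_shards": "5",
            "number_of_replicas": "1",
            "version": {"created": "1050099"},
            "uuid": "g0RGapXXSt6Gq4rZikv52g",
        }},
        "warmers": {},
    },
    "app-logs-2016.01.08": {
        "aliases": {},
        "mappings": {"log": {"properties": {"msg": {"type": "string"}}}},
        "settings": {"index": {
            "creation_date": "1452211200000",
            "number_of_shards": "5",
            "number_of_replicas": "1",
            "version": {"created": "1050099"},
            "uuid": "constructed-uuid-0001",
        }},
        "warmers": {},
    },
})

# Settings keys Elasticsearch wrote in the output posted in the thread.
# Assumption: anything else under settings.index was supplied by the client.
EXPECTED_INDEX_SETTINGS = {
    "creation_date", "number_of_shards", "number_of_replicas", "version", "uuid",
}

# Six lowercase letters, the digit 1, ".html": the shape of every name in post #1.
SCANNER_STYLE_NAME = re.compile(r"^[a-z]{6}1\.html$")


def creation_time_utc(creation_date_ms):
    """Convert the epoch-milliseconds creation_date to an ISO timestamp.

    Useful for lining the index up against proxy or access logs.
    """
    dt = datetime.fromtimestamp(int(creation_date_ms) / 1000, tz=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def audit_indices(response_json, allowed_prefixes=("app-",)):
    """Return [(index_name, [reasons...]), ...] for indices that look unexpected."""
    findings = []
    for name, meta in json.loads(response_json).items():
        reasons = []
        if SCANNER_STYLE_NAME.match(name):
            reasons.append("name matches scanner-style pattern")
        if not meta.get("mappings"):
            reasons.append("no mappings")
        index_settings = meta.get("settings", {}).get("index", {})
        unknown = set(index_settings) - EXPECTED_INDEX_SETTINGS
        if unknown:
            reasons.append("unexpected settings keys: " + ", ".join(sorted(unknown)))
        if not name.startswith(allowed_prefixes):
            reasons.append("name outside allowed prefixes")
        if reasons:
            created = index_settings.get("creation_date")
            if created:
                reasons.append("created " + creation_time_utc(created))
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for index_name, reasons in audit_indices(SAMPLE_RESPONSE):
        print(index_name)
        for reason in reasons:
            print("  -", reason)
```

Against a live cluster you would feed it the body of GET /_all (or GET /*/_settings,_mappings) instead of the constructed sample. The creation timestamp is the most useful field for the question asked in post #3: it tells you which window of proxy, load-balancer or application-server logs to search for the PUT or POST that created the index.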

