Indices deleted as a result of unauthorised access – how to restore?

Drept · October 27, 2022, 6:23pm

As a result of compromised security, my ES server was accessed by a third party that deleted all the indices. While I can easily recreate and repopulate my own indices, there are a few that I don't know how to deal with. Here is the data from my ES log:

[.elastichq/uxLuaj6oS0ySf0ofXovsqw] deleting index
[.security-7/-SZSk_LDQcq-b3DB9SL30g] deleting index
[service/Q-HEaeMGTxabmotQ2OJrOw] deleting index
[api/Av2IvqEeRxaMt2mSRtCVXQ] deleting index

Could you explain whether the lack of these indices affects the operation of my ES and what I should do in these conditions?

leandrojmp · October 28, 2022, 4:09am

From this list only the .security-7 index is a system indice, it is where the information about the built-in users are stored.

If this is index is deleted I think you will need to recreate your users and passwords.

The other indices are not part of the stack and are custom indices created by someone or some tool with access to your cluster.

warkolm · October 31, 2022, 1:41am

Do you have a snapshot of your data?

system · November 28, 2022, 1:41am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
My ElasticSearch Indexes have been mysteriously deleted, how do I debug the cause? Elasticsearch	11	13580	February 17, 2017
Indices got deleted suddenly Elasticsearch	9	1600	February 1, 2020
Indices all gone but i don't think i did it Elasticsearch	2	2270	February 9, 2017
Indices keep appearing after deleting /data directory Elasticsearch	4	734	June 28, 2019
No file on .security indices shards Elasticsearch	2	15	September 2, 2024

Indices deleted as a result of unauthorised access – how to restore?

Related topics