Hi, I had a couple of exploits in the last 2 weeks in my CentOS 5.7 with a
trojan iptablex. Apparently it does a DDoS and, after, opens connections
somewhere else. There are reported cases of connections open to someone at
If you look processes in your server, you will find something as:
root 4252 632 0 18:44 ? 00:00:00 /boot/.IptabLex
root 4260 624 0 18:45 ? 00:00:00 /boot/.IptabLes
This is the second time happening to me and in both cases root is
compromised so it requires a full server reinstall. In the first case, I
though the problem could come from Tomcat 7 which is having quite a few
vulnerabilities last months (http://tomcat.apache.org/security-7.html) so I
upgraded to Tomcat 8.0.8, latest release.
However, problem reproduced again after fully reinstalling the server. In
this second time I have found that ports 9200 and 9300 are open in my VPS
by my hosting provider and I found some other cases of iptablex trojan
attacking machines though Elastic Search ports. I know, they should not be
You can find an increasingly number of reported cases on internet pointing
to ES (and also Tomcat/struts)
So, has any other user in this group experienced the same?
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to email@example.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/f96fa6c7-a722-4bc3-9a4e-84385ceb11ac%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.