Prevent unknown index(s) created regularly


(Srirama Chakka) #1

Elasticsearch version: elasticsearch-2.3.4

Plugins installed: NONE

JVM version: 1.8.0_60

OS version: 2.6.39-400.283.2.el6uek.x86_64

Since a couple of weeks ago, every weekend some unknown indexes are getting created in the Elasticsearch instance. We don't have any batch jobs on this machine, and these are dedicated servers for Elasticsearch.
I installed Elasticsearch by downloading a zip copy from the Elasticsearch GitHub site.

I ran the following command to see if any plugins are installed, but it shows none.

-bash-4.1$ bin/plugin list
Installed plugins in /XXX/XXX/XXXXX/elasticsearch-2.3.4/plugins:
    - No plugin detected
-bash-4.1$

The following directories are present in my "module" directory:
lang-expression
lang-groovy
reindex

The "plugins" directory is empty.

When I look at the logs I see the following index-related error, and an index with the name "calendar.php" is created in my Elasticsearch instance. I deleted this last week, but it came up again this week.

[2016-10-02 14:31:45,392][WARN ][rest.suppressed ] path: /calendar.php, params: {show=full_month, index=calendar.php}
SettingsException[Failed to load settings from [PHPSESSID=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2034%0d%0a%0d%0a%3chtml%3eQualysTest%3c/html%3e%0d%0a&s=1&submit=1]]; nested: ElasticsearchParseException[malformed, expected settings to start with 'object', instead was [VALUE_STRING]];
at org.elasticsearch.common.settings.Settings$Builder.loadFromSource(Settings.java:1056)
at org.elasticsearch.action.admin.indices.create.CreateIndexRequest.settings(CreateIndexRequest.java:176)
at org.elasticsearch.action.admin.indices.create.CreateIndexRequest.source(CreateIndexRequest.java:373)
at org.elasticsearch.rest.action.admin.indices.create.RestCreateIndexAction.handleRequest(RestCreateIndexAction.java:47)
at org.elasticsearch.rest.BaseRestHandler.handleRequest(BaseRestHandler.java:54)
at org.elasticsearch.rest.RestController.executeHandler(RestController.java:205)
at org.elasticsearch.rest.RestController.dispatchRequest(RestController.java:166)
at org.elasticsearch.http.HttpServer.internalDispatchRequest(HttpServer.java:128)
at org.elasticsearch.http.HttpServer$Dispatcher.dispatchRequest(HttpServer.java:86)
at org.elasticsearch.http.netty.NettyHttpServerTransport.dispatchRequest(NettyHttpServerTransport.java:449)
at org.elasticsearch.http.netty.HttpRequestHandler.messageReceived(HttpRequestHandler.java:61)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.elasticsearch.http.netty.pipelining.HttpPipeliningHandler.messageReceived(HttpPipeliningHandler.java:60)
at org.jboss.netty.channel.SimpleChannelHandler.handleUpstream(SimpleChannelHandler.java:88)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpChunkAggregator.messageReceived(HttpChunkAggregator.java:145)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.handler.codec.http.HttpContentDecoder.messageReceived(HttpContentDecoder.java:108)
at org.jboss.netty.channel.SimpleChannelUpstreamHandler.handleUpstream(SimpleChannelUpstreamHandler.java:70)
at org.jboss.netty.channel.DefaultChannelPipeline.sendUpstream(DefaultChannelPipeline.java:564)
at org.jboss.netty.channel.DefaultChannelPipeline$DefaultChannelHandlerContext.sendUpstream(DefaultChannelPipeline.java:791)
at org.jboss.netty.channel.Channels.fireMessageReceived(Channels.java:296)
at org.jboss.netty.handler.codec.frame.FrameDecoder.unfoldAndFireMessageReceived(FrameDecoder.java:459)
at org.jboss.netty.handler.codec.replay.ReplayingDecoder.callDecode(ReplayingDecoder.java:536)

Appreciate any help in identifying the root cause of this index creation. This is a very isolated machine, and only I log in to it.

Similar to calendar.php, a lot of other unknown indexes are present,
and I have the following settings in elasticsearch.yml:

action.destructive_requires_name: true
action.auto_create_index: +myIndex,-
index.mapper.dynamic: false

Please let me know what the root cause is and how to prevent index creation.
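A note on the trace quoted above, and an added example that is not part of the original thread. The stack trace goes through RestCreateIndexAction and CreateIndexRequest.settings(), i.e. it is an explicit create-index call (a PUT to /calendar.php whose body is the URL-encoded string shown, not JSON). action.auto_create_index only governs indexes created implicitly when a document is indexed into a name that does not exist; it does not block the explicit create-index API, so the "+myIndex,-" setting cannot stop this. The quoted request itself was rejected (the body is not a settings object), so the index will have come from another request in the same scan that the excerpt does not show. URL-decoding the body is the key triage step: it contains "\r\n" sequences, an injected "HTTP/1.0 200 OK" response and the string "QualysTest", which is an HTTP response-splitting probe of the kind a web-vulnerability scanner sends to any HTTP listener it finds. The script below (my code, not from the poster or from Elastic) parses rest.suppressed warnings in the ES 2.x log format shown, decodes the request body, and flags index names outside the allowlist taken from the poster's elasticsearch.yml. The second log entry in SAMPLE_LOG is constructed to exercise the allowlist path.

```python
"""Triage Elasticsearch 2.x 'rest.suppressed' warnings for unexpected
create-index requests.  Added example; not code from the original thread."""
import re
from urllib.parse import unquote

# Allowlist mirroring the poster's action.auto_create_index: +myIndex,-
ALLOWED_INDICES = {"myIndex"}

# Constructed sample.  The first two lines are the WARN quoted in the post
# (stack-trace lines dropped); the second entry is made up for the test.
SAMPLE_LOG = (
    "[2016-10-02 14:31:45,392][WARN ][rest.suppressed ] path: /calendar.php, "
    "params: {show=full_month, index=calendar.php}\n"
    "SettingsException[Failed to load settings from [PHPSESSID=%0d%0aContent-Length:%200"
    "%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:"
    "%2034%0d%0a%0d%0a%3chtml%3eQualysTest%3c/html%3e%0d%0a&s=1&submit=1]]; nested: "
    "ElasticsearchParseException[malformed, expected settings to start with 'object', "
    "instead was [VALUE_STRING]];\n"
    "\tat org.elasticsearch.common.settings.Settings$Builder.loadFromSource(Settings.java:1056)\n"
    "[2016-10-02 14:32:10,004][WARN ][rest.suppressed ] path: /myIndex, params: {index=myIndex}\n"
    "SettingsException[Failed to load settings from [oops]]; nested: "
    "ElasticsearchParseException[malformed, expected settings to start with 'object', "
    "instead was [VALUE_STRING]];\n"
)

# One WARN line followed by the SettingsException line that carries the raw body.
WARN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[WARN \]\[rest\.suppressed\s*\] path: (?P<path>\S+), "
    r"params: \{(?P<params>[^}]*)\}\n"
    r"SettingsException\[Failed to load settings from \[(?P<body>.*?)\]\]; nested:",
    re.M | re.S,
)


def parse_suppressed(log_text):
    """Return one event dict per rest.suppressed create-index warning."""
    events = []
    for m in WARN_RE.finditer(log_text):
        params = {}
        for kv in m.group("params").split(","):
            key, _, value = kv.strip().partition("=")
            if key:
                params[key] = value
        events.append({
            "ts": m.group("ts"),
            "path": m.group("path"),
            "index": params.get("index"),
            "params": params,
            "raw_body": m.group("body"),
            "body": unquote(m.group("body")),   # percent-decoded request body
        })
    return events


def classify(event):
    """Flags, in a fixed order, describing why the request is suspicious."""
    findings = []
    if event["index"] not in ALLOWED_INDICES:
        findings.append("index_not_allowlisted")
    body = event["body"]
    if "\r\n" in body:                                   # CRLF in a URL parameter
        findings.append("crlf_injection")
    if re.search(r"HTTP/1\.[01] \d{3}", body):           # injected status line
        findings.append("response_splitting_probe")
    if "QualysTest" in body:                              # scanner's canary string
        findings.append("qualys_scanner_marker")
    if not body.lstrip().startswith("{"):                 # not a settings object
        findings.append("settings_not_json")
    return findings


def triage(log_text):
    """(timestamp, index name, findings) for every warning in the log text."""
    return [(e["ts"], e["index"], classify(e)) for e in parse_suppressed(log_text)]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```

Run it against the real log to get a timestamped list of index names that arrived this way; the timestamps are what you need to correlate with the firewall or proxy logs to find the source address, since ES 2.x does not log the client IP on these warnings. The allowlist check is the useful part for the "lots of other unknown indexes" case: anything not in ALLOWED_INDICES that appears here was created by an explicit REST call, not by your own indexing.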


(Mark Walkom) #2

Usually these are created by automatic network scans from security/auditing tools.

You either need to install Shield to block the attempt, or put a proxy/firewall in front of ES that tells you where the request is coming from and/or block it.

You should use the packages here - https://www.elastic.co/downloads/elasticsearch


(Srirama Chakka) #3

Thanks for the update. I think I got the package from the Elastic site, not from GitHub as I mentioned earlier. Will download again and check on a different instance.

