Suspicious connections on ES

Hi,

Recently I found something odd using lsof:

$ sudo lsof -p pid | grep -i tcp | awk '{print $1, $10}' | sort | uniq
freeBSD my_ip:random_port->unknown_ip:port
Intelnets my_ip:random_port->unknown_ip:port
.lz142958 my_ip:random_port->unknown_ip:port
service (ESTABLISHED)
sh (ESTABLISHED)
xudp my_ip:random_port->unknown_ip:port
zlwanby my_ip:random_port->unknown_ip:port

I've configured iptables to allow my IPs to connect.
Why can those foreign IPs still connect to my ES?

I use ES v1.3.9.

Thanks in advance.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/8f8b3f05-5294-4330-81d2-2e98370caf39%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
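The lsof listing above mixes connections a remote host opened to ES with connections the local box opened outward. The following triage script (an added example, not code from the thread) separates the two by which side holds the ES listen port and flags any socket owned by a non-JVM process; the port range 9200-9400 is the one the poster's iptables rule uses, and the sample lines and addresses are constructed.

```python
# Added example, not from the thread: triage lsof TCP lines from an
# Elasticsearch 1.x host. The COMMAND/NAME columns mirror what the poster
# printed; sample lines and addresses are constructed.
import re
from typing import Dict, List

LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<lhost>[\d.]+):(?P<lport>\d+)->(?P<rhost>[\d.]+):(?P<rport>\d+)"
)
ES_PORTS = range(9200, 9401)   # HTTP 9200-9299 and transport 9300-9399 (poster's iptables range)
EXPECTED_CMDS = {"java"}       # an ES node is a JVM; any other COMMAND owning a socket is unexpected

def classify(line: str) -> Dict[str, object]:
    """Return direction and a suspicion verdict for one lsof line, or {} if it is not a TCP pair."""
    m = LINE_RE.match(line)
    if not m:
        return {}
    cmd, lport, rport = m["cmd"], int(m["lport"]), int(m["rport"])
    # If our side is an ES listen port, a remote client connected to us (INPUT chain).
    # Otherwise our side is an ephemeral port: this host opened the connection
    # (OUTPUT chain), which INPUT-only iptables rules never see.
    direction = "inbound" if lport in ES_PORTS else "outbound"
    # Node-to-node transport traffic is the only outbound connection ES normally makes.
    legitimate = cmd in EXPECTED_CMDS and (direction == "inbound" or rport in ES_PORTS)
    return {"cmd": cmd, "direction": direction,
            "remote": f"{m['rhost']}:{rport}", "suspicious": not legitimate}

def triage(lsof_output: str) -> List[Dict[str, object]]:
    """Return only the suspicious entries, in input order."""
    return [c for c in (classify(l) for l in lsof_output.splitlines()) if c and c["suspicious"]]

# Constructed sample: two normal ES sockets and two that look like the poster's.
SAMPLE = """\
java 10.0.0.5:9200->10.0.0.7:51844 (ESTABLISHED)
java 10.0.0.5:42311->10.0.0.6:9300 (ESTABLISHED)
Intelnets 10.0.0.5:48213->203.0.113.9:80 (ESTABLISHED)
.lz142958 10.0.0.5:33019->198.51.100.23:6667 (ESTABLISHED)
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(f"{hit['cmd']}: {hit['direction']} connection to {hit['remote']}")
```

Feed it `sudo lsof -i TCP -n -P | awk '{print $1, $9, $10}'` output; every hit is a process that should not own a socket on an ES node, and every outbound hit is traffic an INPUT policy cannot stop.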

Also, I've noticed there are many suspicious files in /tmp, like:

$ ls -al /tmp
26000
32
991linux
conf.n
elasticsearch/
gates.lock
git
icp
Intelip
Intelips
Intelnet
Intelnets
jrtj
log
.lz1429583673
xudp
xx32
zlwanby

Has my machine been hacked?

On Wednesday, April 22, 2015 at 6:16:15 PM UTC+8, Jason Zhang wrote:

Is your ES instance open to the world?
Check your ES logs as well.
On 22/04/2015 8:44 pm, "Jason Zhang" mock2u@gmail.com wrote:

Yes, but I've configured iptables to avoid those foreign unknown
connections like:

$ sudo iptables -I INPUT -p tcp -s my_ip --dport 9200:9400 -j ACCEPT
$ sudo iptables -P INPUT DROP   # -P takes a policy name, not a -j target

I forgot to say that I set script.disable_dynamic: false to run some
external js scripts.
At that time, ES was still v1.3.7.

On Thursday, April 23, 2015 at 8:57:42 AM UTC+8, Mark Walkom wrote:
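The two settings this thread turns on are the dynamic-scripting switch the poster flipped and whether the node listens on a public interface (Mark's "open to the world" question). The audit below is an added example, not code from the thread or from Elasticsearch; it assumes the flat `key: value` style of elasticsearch.yml the poster quoted, treats ES 1.x as binding to all interfaces when `network.host` is unset (an assumption about 1.x defaults), and uses constructed sample configs.

```python
# Added example, not from the thread or Elasticsearch itself: audit an ES 1.x
# elasticsearch.yml for the two settings this thread turns on. Assumes the flat
# "key: value" style the poster quoted; the sample configs are constructed.
from typing import Dict, List

def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal reader for flat 'dotted.key: value' lines; comments and blanks are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means both checks pass."""
    s = parse_flat_yaml(text)
    findings: List[str] = []
    # ES 1.2+ ships with dynamic scripting disabled; 'false' re-enables the
    # in-request scripts the poster used, which run with the node's privileges.
    if s.get("script.disable_dynamic", "true").lower() == "false":
        findings.append("script.disable_dynamic: false lets any client run code on the node")
    # Assumption: a 1.x node binds to all interfaces unless network.host/bind_host pins it,
    # so an unset value or 0.0.0.0 means port 9200 is reachable from every interface.
    host = s.get("network.bind_host") or s.get("network.host")
    if host is None or host == "0.0.0.0":
        findings.append("network.host is unset or 0.0.0.0: HTTP port 9200 listens on all interfaces")
    return findings

# Constructed configs: the weak one mirrors the poster's change, the hardened one reverts it.
WEAK = """\
cluster.name: search
script.disable_dynamic: false   # set to run external js scripts
"""
HARDENED = """\
cluster.name: search
script.disable_dynamic: true
network.host: 127.0.0.1
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["no findings"])
```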

It looks like your instance has been breached.

You may want to take a look at https://www.elastic.co/blog/scripting-security/

On 23 April 2015 at 11:46, Jason Zhang mock2u@gmail.com wrote:

Yes, and those processes continue to DDoS other IPs...

I've stopped those processes and deleted the binary files.
Also, I've disabled dynamic scripting.

On Thursday, April 23, 2015 at 11:50:19 AM UTC+8, Mark Walkom wrote: