Suspicious connections on ES

Jason_Zhang · April 22, 2015, 10:16am

Hi,

Recently I find something odd using lsof:

$ sudo lsof -p pid | grep -i tcp | awk '{print $1, $10}' | sort | uniq
freeBSD my_ip:random_port->unknown_ip:port
Intelnets my_ip:random_port->unknown_ip:port
.lz142958 my_ip:random_port->unknown_ip:port
service (ESTABLISHED)
sh (ESTABLISHED)
xudp my_ip:random_port->unknown_ip:port
zlwanby my_ip:random_port->unknown_ip:port

I've configured iptables to allow my ips to connect.
Why can those foreign ip still connect to my ES?

I use ES v1.3.9.

Thanks in advance.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/8f8b3f05-5294-4330-81d2-2e98370caf39%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Jason_Zhang · April 22, 2015, 10:44am

Also, I've noticed there're many suspicious files in /tmp, like:

$ ls -al /tmp
26000
32
991linux
conf.n
elasticsearch/
gates.lock
git
icp
Intelip
Intelips
Intelnet
Intelnets
jrtj
log
.lz1429583673
xudp
xx32
zlwanby

Is my machine be hacked?

On Wednesday, April 22, 2015 at 6:16:15 PM UTC+8, Jason Zhang wrote:

Hi,

Recently I find something odd using lsof:
$ sudo lsof -p pid | grep -i tcp | awk '{print $1, $10}' | sort | uniq
freeBSD my_ip:random_port->unknown_ip:port
Intelnets my_ip:random_port->unknown_ip:port
.lz142958 my_ip:random_port->unknown_ip:port
service (ESTABLISHED)
sh (ESTABLISHED)
xudp my_ip:random_port->unknown_ip:port
zlwanby my_ip:random_port->unknown_ip:port
I've configured iptables to allow my ips to connect.
Why can those foreign ip still connect to my ES?

I use ES v1.3.9.

Thanks in advance.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

warkolm · April 23, 2015, 12:57am

Is your ES instance open to the world?
Check your ES logs as well.
On 22/04/2015 8:44 pm, "Jason Zhang" mock2u@gmail.com wrote:

Also, I've noticed there're many suspicious files in /tmp, like:
$ ls -al /tmp
26000
32
991linux
conf.n
elasticsearch/
gates.lock
git
icp
Intelip
Intelips
Intelnet
Intelnets
jrtj
log
.lz1429583673
xudp
xx32
zlwanby
Is my machine be hacked?

On Wednesday, April 22, 2015 at 6:16:15 PM UTC+8, Jason Zhang wrote:
Hi,

Recently I find something odd using lsof:
$ sudo lsof -p pid | grep -i tcp | awk '{print $1, $10}' | sort | uniq
freeBSD my_ip:random_port->unknown_ip:port
Intelnets my_ip:random_port->unknown_ip:port
.lz142958 my_ip:random_port->unknown_ip:port
service (ESTABLISHED)
sh (ESTABLISHED)
xudp my_ip:random_port->unknown_ip:port
zlwanby my_ip:random_port->unknown_ip:port
I've configured iptables to allow my ips to connect.
Why can those foreign ip still connect to my ES?

I use ES v1.3.9.

Thanks in advance.
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAEYi1X_Bt%3DsPX_ZZ%3DgpqPQrJbieby4g2M8fK-hqYs4RkTrxmew%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Jason_Zhang · April 23, 2015, 1:46am

Yes, but I've configured iptables to avoid those foreign unknown
connections like:

$ sudo iptables -I INPUT -p tcp -s my_ip --dport 9200:9400 -j ACCEPT
$ sudo iptables -P INPUT -j DROP

I forgot to say that I set script.disable_dynamic: false to run some
external js scripts.
At that time, ES was still v1.3.7.

On Thursday, April 23, 2015 at 8:57:42 AM UTC+8, Mark Walkom wrote:

Is your ES instance open to the world?
Check your ES logs as well.
On 22/04/2015 8:44 pm, "Jason Zhang" <moc...@gmail.com <javascript:>>
wrote:
Also, I've noticed there're many suspicious files in /tmp, like:
$ ls -al /tmp
26000
32
991linux
conf.n
elasticsearch/
gates.lock
git
icp
Intelip
Intelips
Intelnet
Intelnets
jrtj
log
.lz1429583673
xudp
xx32
zlwanby
Is my machine be hacked?

On Wednesday, April 22, 2015 at 6:16:15 PM UTC+8, Jason Zhang wrote:
Hi,

Recently I find something odd using lsof:
$ sudo lsof -p pid | grep -i tcp | awk '{print $1, $10}' | sort | uniq
freeBSD my_ip:random_port->unknown_ip:port
Intelnets my_ip:random_port->unknown_ip:port
.lz142958 my_ip:random_port->unknown_ip:port
service (ESTABLISHED)
sh (ESTABLISHED)
xudp my_ip:random_port->unknown_ip:port
zlwanby my_ip:random_port->unknown_ip:port
I've configured iptables to allow my ips to connect.
Why can those foreign ip still connect to my ES?

I use ES v1.3.9.

Thanks in advance.
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/95cf0055-b274-4164-8330-16b6498e834d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

warkolm · April 23, 2015, 3:49am

It looks like your instance has been breached.

You may want to take a look at

On 23 April 2015 at 11:46, Jason Zhang mock2u@gmail.com wrote:

Yes, but I've configured iptables to avoid those foreign unknown
connections like:
$ sudo iptables -I INPUT -p tcp -s my_ip --dport 9200:9400 -j ACCEPT
$ sudo iptables -P INPUT -j DROP
I forgot to say that I set script.disable_dynamic: false to run some
external js scripts.
At that time, ES was still v1.3.7.

On Thursday, April 23, 2015 at 8:57:42 AM UTC+8, Mark Walkom wrote:
Is your ES instance open to the world?
Check your ES logs as well.
On 22/04/2015 8:44 pm, "Jason Zhang" moc...@gmail.com wrote:
Also, I've noticed there're many suspicious files in /tmp, like:
$ ls -al /tmp
26000
32
991linux
conf.n
elasticsearch/
gates.lock
git
icp
Intelip
Intelips
Intelnet
Intelnets
jrtj
log
.lz1429583673
xudp
xx32
zlwanby
Is my machine be hacked?

On Wednesday, April 22, 2015 at 6:16:15 PM UTC+8, Jason Zhang wrote:
Hi,

Recently I find something odd using lsof:
$ sudo lsof -p pid | grep -i tcp | awk '{print $1, $10}' | sort | uniq
freeBSD my_ip:random_port->unknown_ip:port
Intelnets my_ip:random_port->unknown_ip:port
.lz142958 my_ip:random_port->unknown_ip:port
service (ESTABLISHED)
sh (ESTABLISHED)
xudp my_ip:random_port->unknown_ip:port
zlwanby my_ip:random_port->unknown_ip:port
I've configured iptables to allow my ips to connect.
Why can those foreign ip still connect to my ES?

I use ES v1.3.9.

Thanks in advance.
--
You received this message because you are subscribed to the Google
Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to elasticsearc...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/95cf0055-b274-4164-8330-16b6498e834d%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/95cf0055-b274-4164-8330-16b6498e834d%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAEYi1X9OmrDLU6BdpP5k0Arh4Thcn65bMWb7RN%2B3Yq%3DowD9KLw%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Jason_Zhang · April 23, 2015, 4:12am

Yes, and those processes continue to ddos other ips...

I've stopped those processes and delete the binary files.
Also, disable the dynamic scripting.

On Thursday, April 23, 2015 at 11:50:19 AM UTC+8, Mark Walkom wrote:

It looks like your instance has been breached.

You may want to take a look at
Scripting and Security | Elastic Blog

On 23 April 2015 at 11:46, Jason Zhang <moc...@gmail.com <javascript:>>
wrote:
Yes, but I've configured iptables to avoid those foreign unknown
connections like:
$ sudo iptables -I INPUT -p tcp -s my_ip --dport 9200:9400 -j ACCEPT
$ sudo iptables -P INPUT -j DROP
I forgot to say that I set script.disable_dynamic: false to run some
external js scripts.
At that time, ES was still v1.3.7.

On Thursday, April 23, 2015 at 8:57:42 AM UTC+8, Mark Walkom wrote:
Is your ES instance open to the world?
Check your ES logs as well.
On 22/04/2015 8:44 pm, "Jason Zhang" moc...@gmail.com wrote:
Also, I've noticed there're many suspicious files in /tmp, like:
$ ls -al /tmp
26000
32
991linux
conf.n
elasticsearch/
gates.lock
git
icp
Intelip
Intelips
Intelnet
Intelnets
jrtj
log
.lz1429583673
xudp
xx32
zlwanby
Is my machine be hacked?

On Wednesday, April 22, 2015 at 6:16:15 PM UTC+8, Jason Zhang wrote:
Hi,

Recently I find something odd using lsof:
$ sudo lsof -p pid | grep -i tcp | awk '{print $1, $10}' | sort | uniq
freeBSD my_ip:random_port->unknown_ip:port
Intelnets my_ip:random_port->unknown_ip:port
.lz142958 my_ip:random_port->unknown_ip:port
service (ESTABLISHED)
sh (ESTABLISHED)
xudp my_ip:random_port->unknown_ip:port
zlwanby my_ip:random_port->unknown_ip:port
I've configured iptables to allow my ips to connect.
Why can those foreign ip still connect to my ES?

I use ES v1.3.9.

Thanks in advance.
--
You received this message because you are subscribed to the Google
Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to elasticsearc...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.
--
You received this message because you are subscribed to the Google Groups
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to elasticsearc...@googlegroups.com <javascript:>.
To view this discussion on the web visit
https://groups.google.com/d/msgid/elasticsearch/95cf0055-b274-4164-8330-16b6498e834d%40googlegroups.com
https://groups.google.com/d/msgid/elasticsearch/95cf0055-b274-4164-8330-16b6498e834d%40googlegroups.com?utm_medium=email&utm_source=footer
.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/738c1f34-4954-428b-b9a7-f5d78d32160d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.