Hi, I have had a couple of exploits in the last 2 weeks on my CentOS 5.7 with a 
trojan, iptablex. Apparently it does a DDoS and afterwards opens connections 
somewhere else. There are reported cases of connections open to someone at 
China Telecom.

If you look at the processes on your server, you will find something like: 

root 4252 632 0 18:44 ? 00:00:00 /boot/.IptabLex
root 4260 624 0 18:45 ? 00:00:00 /boot/.IptabLes

This is the second time this has happened to me, and in both cases root was 
compromised, so it requires a full server reinstall. In the first case, I 
thought the problem could come from Tomcat 7, which has had quite a few 
vulnerabilities in recent months (http://tomcat.apache.org/security-7.html), so I 
upgraded to Tomcat 8.0.8, the latest release.

However, the problem reproduced again after fully reinstalling the server. 
This second time I have found that ports 9200 and 9300 are open in my VPS 
by my hosting provider, and I found some other cases of the iptablex trojan 
attacking machines through Elasticsearch ports. I know, they should not be 
open.

You can find an increasing number of reported cases on the internet pointing 
to ES (and also Tomcat/Struts):

http://nerdanswer.com/answer.php?q=524925
http://security.stackexchange.com/questions/58862/logging-server-compromised-iptables-and-iptablex

So, has any other user in this group experienced the same?

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/f96fa6c7-a722-4bc3-9a4e-84385ceb11ac%40googlegroups.com.
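A defender-side check for the two indicators described in the post above: hidden binaries executing from /boot (as in the quoted process list) and Elasticsearch ports 9200/9300 listening on a non-loopback address. This is an added example, not code from the thread or from the Elasticsearch project; the `ps -ef` and `ss -lnt` style samples are constructed, and the list of suspect directories is an assumption.

```python
"""Flag the iptablex indicators from the post in ps/ss-style output (added example)."""
from typing import List, Tuple

# Assumption: directories no legitimate daemon should execute from.
SUSPECT_DIRS = ("/boot/", "/dev/shm/", "/tmp/")
ES_PORTS = {9200, 9300}
LOOPBACK = {"127.0.0.1", "::1", "[::1]"}

# Constructed `ps -ef` sample: the two lines quoted in the post plus normal noise.
PS_SAMPLE = """\
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 18:40 ? 00:00:01 /sbin/init
root 4252 632 0 18:44 ? 00:00:00 /boot/.IptabLex
root 4260 624 0 18:45 ? 00:00:00 /boot/.IptabLes
es 2210 1 0 18:41 ? 00:00:09 /usr/bin/java -jar elasticsearch.jar
"""

# Constructed `ss -lnt` sample (State Recv-Q Send-Q Local:Port Peer:Port).
SS_SAMPLE = """\
State Recv-Q Send-Q Local_Address:Port Peer_Address:Port
LISTEN 0 128 127.0.0.1:25 *:*
LISTEN 0 50 0.0.0.0:9200 *:*
LISTEN 0 50 :::9300 :::*
LISTEN 0 128 *:8080 *:*
"""


def suspicious_processes(ps_output: str) -> List[Tuple[int, str]]:
    """Return (pid, executable) for processes run from a hidden file or suspect dir."""
    hits = []
    for line in ps_output.splitlines()[1:]:          # skip the header row
        fields = line.split(None, 7)                  # CMD keeps its own spaces
        if len(fields) < 8:
            continue
        pid, exe = int(fields[1]), fields[7].split()[0]
        hidden = exe.rsplit("/", 1)[-1].startswith(".")
        if hidden or exe.startswith(SUSPECT_DIRS):
            hits.append((pid, exe))
    return hits


def exposed_es_ports(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) for ES ports bound to anything other than loopback."""
    exposed = []
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)        # handles IPv6 "::" prefixes
        if int(port) in ES_PORTS and addr not in LOOPBACK:
            exposed.append((addr, int(port)))
    return exposed
```

Running the checks on the samples returns the two /boot/.IptabLe* processes and the 9200/9300 listeners on 0.0.0.0 and ::, which is exactly the exposure the post describes; a host where ES is bound to 127.0.0.1 returns an empty list.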