There have been a few comments in IRC about similar things happening, all due to ports 9200 and/or 9300 being open to the internet.
However, as you mentioned, you really shouldn't have ES directly accessible to the outside world.

Regards,
Mark Walkom

Infrastructure Engineer
Campaign Monitor
email: ma...@campaignmonitor.com
web: www.campaignmonitor.com

On 4 June 2014 05:38, 'Adolfo Rodriguez' via elasticsearch <elasticsearch@googlegroups.com> wrote:

> Hi, I had a couple of exploits in the last 2 weeks in my CentOS 5.7 with a trojan iptablex. Apparently it does a DDoS and, after, opens connections somewhere else. There are reported cases of connections open to someone at China Telecom.
>
> If you look at the processes on your server, you will find something like:
>
> root 4252 632 0 18:44 ? 00:00:00 /boot/.IptabLex
> root 4260 624 0 18:45 ? 00:00:00 /boot/.IptabLes
>
> This is the second time this has happened to me, and in both cases root is compromised, so it requires a full server reinstall. In the first case, I thought the problem could come from Tomcat 7, which has had quite a few vulnerabilities in the last months (http://tomcat.apache.org/security-7.html), so I upgraded to Tomcat 8.0.8, the latest release.
>
> However, the problem reproduced again after fully reinstalling the server. This second time I have found that ports 9200 and 9300 are open in my VPS by my hosting provider, and I found some other cases of the iptablex trojan attacking machines through Elastic Search ports. I know, they should not be open.
>
> You can find an increasing number of reported cases on the internet pointing to ES (and also Tomcat/struts):
>
> http://nerdanswer.com/answer.php?q=524925
>
> http://security.stackexchange.com/questions/58862/logging-server-compromised-iptables-and-iptablex
>
> So, has any other user in this group experienced the same?
>
> --
> You received this message because you are subscribed to the Google Groups "elasticsearch" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to elasticsearch+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/f96fa6c7-a722-4bc3-9a4e-84385ceb11ac%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.

--
To view this discussion on the web visit https://groups.google.com/d/msgid/elasticsearch/CAEM624aU%3DGZ6fH3fUVuD4eo5g%2BsFVFuCUTKeWhP4AYRA8Pd%3D0A%40mail.gmail.com.
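Added example, not part of this thread and not Elasticsearch's own tooling: a small POSIX shell audit for the two symptoms Adolfo describes, an Elasticsearch listener on 9200/9300 bound to something other than loopback, and the /boot/.IptabLes and /boot/.IptabLex processes from his ps listing. The process names and PIDs in the sample come from the message above; the ss/netstat column handling and the constructed socket lines are my assumptions about that command output, so check them against your own distribution before relying on the script.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Audits a Linux host for
# (1) Elasticsearch ports 9200/9300 listening on a non-loopback address and
# (2) the /boot/.IptabLe{s,x} processes quoted in the original report.
# Run with --live to check the current host; with no arguments it runs against
# the constructed sample output embedded below.

# es_exposed: reads `ss -ltn` or `netstat -tln` output on stdin, prints every
# local socket that exposes 9200 or 9300 beyond loopback, and returns 0 if at
# least one such socket was found, 1 otherwise.
es_exposed() {
    awk '
        # Column 4 is "Local Address:Port" in both ss and netstat output
        # (assumption about the layout); header lines do not end in a port
        # number and are skipped by the pattern.
        $4 ~ /:[0-9]+$/ {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n] + 0
            host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
            if (port != 9200 && port != 9300) next
            # A loopback-only binding is the safe configuration.
            if (host ~ /^127\./ || host == "[::1]" || host == "::1" || host == "localhost") next
            print addr
            found = 1
        }
        END { exit !found }'
}

# iptablex_procs: reads `ps aux` output on stdin, prints any process running
# one of the /boot/.IptabLe{s,x} binaries named in the report, and returns 0
# if any were found (grep semantics), 1 otherwise.
iptablex_procs() {
    grep -E '/boot/\.IptabLe[sx]'
}

# Constructed sample data, modelled on the `ss -ltn` column layout and on the
# two process lines quoted in the original message.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9200     *:*
LISTEN 0      128    0.0.0.0:9300       *:*
LISTEN 0      128    [::]:9200          [::]:*
LISTEN 0      128    0.0.0.0:22         *:*'

SAFE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:9200     *:*
LISTEN 0      128    127.0.0.1:9300     *:*
LISTEN 0      128    0.0.0.0:22         *:*'

SAMPLE_PS='USER  PID  PPID %CPU START TTY  TIME     COMMAND
root  4252 632  0    18:44 ?    00:00:00 /boot/.IptabLex
root  4260 624  0    18:45 ?    00:00:00 /boot/.IptabLes
root  1    0    0    18:40 ?    00:00:01 /sbin/init'

if [ "${1:-}" = "--live" ]; then
    # Prefer ss; fall back to netstat on older systems such as CentOS 5.
    if command -v ss >/dev/null 2>&1; then
        ss -ltn | es_exposed && echo "WARNING: Elasticsearch ports reachable beyond loopback"
    else
        netstat -tln | es_exposed && echo "WARNING: Elasticsearch ports reachable beyond loopback"
    fi
    ps aux | iptablex_procs && echo "WARNING: IptabLes/IptabLex processes present"
else
    echo "== exposed ES sockets in sample ss output =="
    printf '%s\n' "$SAMPLE_SS" | es_exposed || echo "(none)"
    echo "== IptabLe[sx] processes in sample ps output =="
    printf '%s\n' "$SAMPLE_PS" | iptablex_procs || echo "(none)"
fi
```

On the sample data the audit reports 0.0.0.0:9300 and [::]:9200 as exposed and the two .IptabLe[sx] processes as present; the 127.0.0.1:9200 listener is correctly left alone. The fix for the first finding is the one Mark gives: bind Elasticsearch to loopback (network.host in elasticsearch.yml) or put it behind a host firewall, rather than leaving 9200/9300 reachable from the VPS's public address. A hit on the second finding means the host is already compromised, and as Adolfo notes, a root compromise calls for a rebuild, not a cleanup.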