It looks like your instance has been breached. You may want to take a look at https://www.elastic.co/blog/scripting-security/
On 23 April 2015 at 11:46, Jason Zhang <moc...@gmail.com> wrote:
> Yes, but I've configured iptables to avoid those foreign unknown
> connections like:
>
> ```
> $ sudo iptables -I INPUT -p tcp -s my_ip --dport 9200:9400 -j ACCEPT
> $ sudo iptables -P INPUT DROP   # policy syntax is -P <chain> <target>; -j is not accepted here
> ```
>
> I forgot to say that I set `script.disable_dynamic: false` to run some
> external js scripts.
> At that time, ES was still v1.3.7.
>
> On Thursday, April 23, 2015 at 8:57:42 AM UTC+8, Mark Walkom wrote:
>>
>> Is your ES instance open to the world?
>> Check your ES logs as well.
>> On 22/04/2015 8:44 pm, "Jason Zhang" <moc...@gmail.com> wrote:
>>
>>> Also, I've noticed there're many suspicious files in /tmp, like:
>>>
>>> ```
>>> $ ls -al /tmp
>>> 26000
>>> 32
>>> 991linux
>>> conf.n
>>> elasticsearch/
>>> gates.lock
>>> git
>>> icp
>>> Intelip
>>> Intelips
>>> Intelnet
>>> Intelnets
>>> jrtj
>>> log
>>> .lz1429583673
>>> xudp
>>> xx32
>>> zlwanby
>>> ```
>>>
>>> Has my machine been hacked?
>>>
>>> On Wednesday, April 22, 2015 at 6:16:15 PM UTC+8, Jason Zhang wrote:
>>>>
>>>> Hi,
>>>>
>>>> Recently I found something odd using lsof:
>>>>
>>>> ```
>>>> $ sudo lsof -p pid | grep -i tcp | awk '{print $1, $10}' | sort | uniq
>>>> freeBSD my_ip:random_port->unknown_ip:port
>>>> Intelnets my_ip:random_port->unknown_ip:port
>>>> .lz142958 my_ip:random_port->unknown_ip:port
>>>> service (ESTABLISHED)
>>>> sh (ESTABLISHED)
>>>> xudp my_ip:random_port->unknown_ip:port
>>>> zlwanby my_ip:random_port->unknown_ip:port
>>>> ```
>>>>
>>>> I've configured iptables to allow my IPs to connect.
>>>> Why can those foreign IPs still connect to my ES?
>>>>
>>>> I use ES v1.3.9.
>>>>
>>>> Thanks in advance.
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "elasticsearch" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to elasticsearc...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com
>>> For more options, visit https://groups.google.com/d/optout.
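The thread leaves two practical questions open: what the posted `lsof` lines actually show, and how to spot the scripting setting the linked post warns about. What follows is an added example written for this page; it is not code from the thread, from Elastic or from the Elasticsearch project. In `lsof` output a NAME of the form `local:port->peer:port` where the local port is an ephemeral one, not a port the host listens on, is a connection the local process opened itself, and an iptables INPUT policy has no effect on those; `lsof` also truncates COMMAND to 9 characters unless run with `+c 0`, which is why names such as `.lz1429583673` appear shortened. The script parses constructed `lsof -i TCP -n -P` lines (RFC 5737 documentation addresses, modelled on the redacted output in the thread, not a real capture), labels each connection inbound or outbound from the LISTEN sockets it sees, flags peers outside an allow-list and processes not on an expected list, and checks an `elasticsearch.yml` fragment for `script.disable_dynamic: false`, the 1.x setting that lets any client able to reach the HTTP port submit inline scripts in every installed script language. The allow-list, the expected-process set and the config fragment are assumptions chosen for the example.

```python
"""Triage helpers for an Elasticsearch 1.x host suspected of compromise.

Added example for this thread; not code from the thread or from Elastic.
Assumes `lsof -i TCP -n -P` style lines (COMMAND PID USER FD TYPE DEVICE
SIZE/OFF NODE NAME [STATE]) and an elasticsearch.yml with one `key: value`
per line. All sample data below is constructed, not captured.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `sudo lsof -i TCP -n -P` (RFC 5737 addresses).
SAMPLE_LSOF = """\
COMMAND    PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java      1234 elastic  120u  IPv4  56789      0t0  TCP 203.0.113.10:9200 (LISTEN)
java      1234 elastic  121u  IPv4  56790      0t0  TCP 203.0.113.10:9200->203.0.113.20:51234 (ESTABLISHED)
sshd       800   root    3u  IPv4  12300      0t0  TCP *:22 (LISTEN)
sshd       800   root    4u  IPv4  12345      0t0  TCP 203.0.113.10:22->203.0.113.20:50000 (ESTABLISHED)
xudp      4321   root    3u  IPv4  99001      0t0  TCP 203.0.113.10:41022->198.51.100.77:8080 (ESTABLISHED)
Intelnets 4322   root    3u  IPv4  99002      0t0  TCP 203.0.113.10:41023->198.51.100.77:80 (ESTABLISHED)
"""

# Constructed elasticsearch.yml fragment (hypothetical host).
SAMPLE_CONFIG = """\
cluster.name: prod
network.host: 0.0.0.0
script.disable_dynamic: false   # assumed setting; this is the one to check
"""


@dataclass(frozen=True)
class TcpConn:
    command: str        # lsof truncates this to 9 chars unless run with +c 0
    pid: int
    user: str
    local_ip: str
    local_port: int
    remote_ip: Optional[str]    # None for a listening socket
    remote_port: Optional[int]
    state: Optional[str]


LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+IPv[46]\s+\S+\s+\S+\s+TCP\s+"
    r"(?P<lip>\[[^\]]+\]|[^:\s]+):(?P<lport>\d+)"
    r"(?:->(?P<rip>\[[^\]]+\]|[^:\s]+):(?P<rport>\d+))?"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def parse_lsof(text: str) -> List[TcpConn]:
    """Parse TCP lines from lsof output; header and non-TCP lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LSOF_RE.match(line)
        if not m:
            continue
        conns.append(TcpConn(
            command=m["cmd"], pid=int(m["pid"]), user=m["user"],
            local_ip=m["lip"].strip("[]"), local_port=int(m["lport"]),
            remote_ip=m["rip"].strip("[]") if m["rip"] else None,
            remote_port=int(m["rport"]) if m["rport"] else None,
            state=m["state"],
        ))
    return conns


def classify_direction(conns: List[TcpConn]) -> Dict[TcpConn, str]:
    """A connection whose local port is one we LISTEN on was accepted (inbound);
    anything else was opened by the local process (outbound). iptables INPUT
    rules never stop the outbound kind."""
    listen_ports = {c.local_port for c in conns if c.state == "LISTEN"}
    return {c: ("inbound" if c.local_port in listen_ports else "outbound")
            for c in conns if c.remote_ip is not None}


def flag_connections(conns: List[TcpConn], allowed_nets: List[str],
                     expected_commands: Set[str]) -> List[Tuple[str, TcpConn]]:
    """Return (reason, conn) pairs for peers outside the allow-list and for
    processes that should not be holding a TCP socket on this host."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for c in conns:
        if c.remote_ip is None:
            continue
        peer = ipaddress.ip_address(c.remote_ip)
        if not any(peer in n for n in nets):
            findings.append(("peer outside allow-list", c))
        if c.command not in expected_commands:
            findings.append(("unexpected process holding a TCP socket", c))
    return findings


def dynamic_scripting_enabled(config_text: str) -> bool:
    """True only when `script.disable_dynamic` is explicitly false. An absent
    key is not reported here; check the default for the installed version."""
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()
        key, sep, value = line.partition(":")
        if sep and key.strip() == "script.disable_dynamic":
            return value.strip().lower() in ("false", "no", "off")
    return False


if __name__ == "__main__":
    conns = parse_lsof(SAMPLE_LSOF)
    for c, d in classify_direction(conns).items():
        print(f"{d:8} {c.command:10} pid={c.pid} {c.local_ip}:{c.local_port}->{c.remote_ip}:{c.remote_port}")
    for reason, c in flag_connections(conns, ["203.0.113.0/24"], {"java", "sshd"}):
        print(f"FLAG {reason}: {c.command} (pid {c.pid}) -> {c.remote_ip}:{c.remote_port}")
    print("dynamic scripting enabled:", dynamic_scripting_enabled(SAMPLE_CONFIG))
```

On a live host the same parser can be fed `sudo lsof -i TCP -n -P +c 0`; the `+c 0` keeps full command names so a flagged entry can be matched to the file under /tmp, and `ls -l /proc/<pid>/exe` then shows whether the binary has already been deleted.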