It looks like your instance has been breached.

You may want to take a look at
https://www.elastic.co/blog/scripting-security/

On 23 April 2015 at 11:46, Jason Zhang <moc...@gmail.com> wrote:

> Yes, but I've configured iptables to avoid those foreign unknown
> connections like:
>
> ```
> $ sudo iptables -I INPUT -p tcp -s my_ip --dport 9200:9400 -j ACCEPT
> $ sudo iptables -P INPUT -j DROP
> ```
>
> I forgot to say that I set `script.disable_dynamic: false` to run some
> external js scripts.
> At that time, ES was still v1.3.7.
>
> On Thursday, April 23, 2015 at 8:57:42 AM UTC+8, Mark Walkom wrote:
>>
>> Is your ES instance open to the world?
>> Check your ES logs as well.
>> On 22/04/2015 8:44 pm, "Jason Zhang" <moc...@gmail.com> wrote:
>>
>>> Also, I've noticed there're many suspicious files in /tmp, like:
>>>
>>> ```
>>> $ ls -al /tmp
>>> 26000
>>> 32
>>> 991linux
>>> conf.n
>>> elasticsearch/
>>> gates.lock
>>> git
>>> icp
>>> Intelip
>>> Intelips
>>> Intelnet
>>> Intelnets
>>> jrtj
>>> log
>>> .lz1429583673
>>> xudp
>>> xx32
>>> zlwanby
>>> ```
>>>
>>> Has my machine been hacked?
>>>
>>> On Wednesday, April 22, 2015 at 6:16:15 PM UTC+8, Jason Zhang wrote:
>>>>
>>>> Hi,
>>>>
>>>> Recently I found something odd using lsof:
>>>>
>>>> ```
>>>> $ sudo lsof -p pid | grep -i tcp | awk '{print $1, $10}' | sort | uniq
>>>> freeBSD my_ip:random_port->unknown_ip:port
>>>> Intelnets my_ip:random_port->unknown_ip:port
>>>> .lz142958 my_ip:random_port->unknown_ip:port
>>>> service (ESTABLISHED)
>>>> sh (ESTABLISHED)
>>>> xudp my_ip:random_port->unknown_ip:port
>>>> zlwanby my_ip:random_port->unknown_ip:port
>>>> ```
>>>>
>>>> I've configured iptables to allow my IPs to connect.
>>>> Why can those foreign IPs still connect to my ES?
>>>>
>>>> I use ES v1.3.9.
>>>>
>>>> Thanks in advance.
>>>>
>>>  --
>>> You received this message because you are subscribed to the Google
>>> Groups "elasticsearch" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to elasticsearc...@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com
>>> <https://groups.google.com/d/msgid/elasticsearch/4dd30173-a043-4dc4-b71a-1732d5860640%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>> For more options, visit https://groups.google.com/d/optout.
>>>

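An added triage helper, written for this thread and not part of the original posts or of Elastic's tooling: it parses `lsof -n -P -i TCP` rows of the kind Jason pasted, treats any connection whose local port is not one the host listens on as outbound, and flags outbound connections to untrusted networks plus processes whose names match the files found in /tmp. The point it makes concrete is that an iptables `INPUT` policy of `DROP` never touches outbound connections, which is why the reverse connections survived the firewall rule. The lsof rows, the `10.0.0.0/8` trusted range and the remote addresses are constructed sample values.

```python
import ipaddress
from collections import namedtuple

# Constructed sample of `sudo lsof -n -P -i TCP` output (not from the thread).
# Process names mirror the /tmp file names reported above; IPv4 only here.
SAMPLE_LSOF = """\
COMMAND  PID USER  FD   TYPE DEVICE SIZE/OFF NODE NAME
java    1234 es   100u IPv4  12345      0t0  TCP *:9200 (LISTEN)
java    1234 es   101u IPv4  12346      0t0  TCP 10.0.0.5:9200->10.0.0.9:51234 (ESTABLISHED)
xudp    4321 es     3u IPv4  23456      0t0  TCP 10.0.0.5:43210->198.51.100.7:6969 (ESTABLISHED)
zlwanby 4322 es     3u IPv4  23457      0t0  TCP 10.0.0.5:43211->203.0.113.9:80 (ESTABLISHED)
"""
TMP_NAMES = {"xudp", "zlwanby", "Intelnets", "gates.lock"}  # from the /tmp listing
TRUSTED = ["10.0.0.0/8"]  # assumed: the admin's own address range

Conn = namedtuple("Conn", "command pid local remote state")


def parse_lsof(text):
    """Parse the TCP rows of `lsof -i` output into Conn tuples."""
    conns = []
    for line in text.splitlines():
        p = line.split()
        if len(p) < 9 or p[7] != "TCP":
            continue  # header, non-TCP or malformed row
        local, _, remote = p[8].partition("->")
        state = p[9].strip("()") if len(p) > 9 else ""
        conns.append(Conn(p[0], int(p[1]), local, remote, state))
    return conns


def port(addr):
    return addr.rsplit(":", 1)[1]


def suspicious(conns, trusted=TRUSTED, tmp_names=TMP_NAMES):
    """Return (Conn, reasons) pairs an incident responder should look at.

    Outbound means the local port is not one this host LISTENs on; an
    iptables INPUT DROP policy never filters those connections."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    listening = {port(c.local) for c in conns if c.state == "LISTEN"}
    findings = []
    for c in conns:
        reasons = []
        if c.remote and port(c.local) not in listening:
            ip = ipaddress.ip_address(c.remote.rsplit(":", 1)[0])
            if not any(ip in n for n in nets):
                reasons.append("outbound to untrusted %s" % ip)
        if c.command in tmp_names:
            reasons.append("process name matches a file dropped in /tmp")
        if reasons:
            findings.append((c, reasons))
    return findings
```

Run it against `sudo lsof -n -P -i TCP` on the host and compare the flagged commands with the /tmp listing; the inbound `java` row on port 9200 is correctly left alone.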