Re: iptablex trojan experiences?

2014-06-06 Thread 'Adolfo Rodriguez' via elasticsearch
probably related 

http://bouk.co/blog/elasticsearch-rce/

-- 
You received this message because you are subscribed to the Google Groups 
"elasticsearch" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to elasticsearch+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/b6207d97-8baa-4c27-9ecd-7da9933503ab%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Re: iptablex trojan experiences?

2014-06-04 Thread 'Adolfo Rodriguez' via elasticsearch
Sorry if you took the message personally. It is your problem, not mine. I was 
not attacking you at all, rather saying that, in my opinion, software 
should be fit for purpose and either prevent (when feasible) or warn about 
possible security holes. Just that. But not build additional security 
features beyond its purpose (as I understood Richard was suggesting). So, 
basically the same as what you are stating.
 

> It is just ridiculous to read that running applications under superuser 
> privileges and allowing world-wide access over the internet to a host with 
> user applications need "safe configuration options by default" and 
> "unnecessary burden must be prevented".
>

Well, it is ridiculous if you are Google and have 2000 employees to create a 
couple of servlets. But if you have limited resources, and you are paying 
attention to other functionality and working on a beta, it is not ridiculous. 
It is an assumed and controlled risk.

> But do not blame others for your personal mistakes.

Can you please show me where I did that? I totally agree with what you did 
here. No more questions here. Sorry, you have blamed yourself, I did not.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/a72a0161-91c5-47b3-a989-7dd8548f996a%40googlegroups.com.


Re: iptablex trojan experiences?

2014-06-04 Thread 'Adolfo Rodriguez' via elasticsearch

> ES with absolutely no security features

> However, I think software should fit for purpose and delegate security in 
> other specialized programs.

Just to clarify, I think there is no need for any additional security 
modules, but I agree that any configuration option must be safe by 
default. And if any additional module is provided, make it optional to 
prevent unnecessary burden.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/79a862e2-713b-4c05-821f-70f505a6ee60%40googlegroups.com.


Re: iptablex trojan experiences?

2014-06-04 Thread 'Adolfo Rodriguez' via elasticsearch
This is exactly the kind of thing I was planning for my next deployment: a 
jail and finer permission tuning (besides closing the port and changing the 
flag configuration). Indeed, I was running the ES libraries as root, embedded 
in a Tomcat app.

However, I think software should be fit for purpose and delegate security to 
other specialized programs. With the specific warnings in place, this policy 
looks OK to me.

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/d92b6677-35a3-4fec-b19f-813e854fce86%40googlegroups.com.


Re: iptablex trojan experiences?

2014-06-03 Thread 'Adolfo Rodriguez' via elasticsearch
Thanks for sharing your experiences.

Here is some sample code on how to exploit the system for versions <1.2.0, 
with port 9200 exposed to the internet and the flag script.disable_dynamic=false, 
as it is by default:

http://bouk.co/blog/elasticsearch-rce/#how_to_secure_against_this_vulnerability

regards

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/3a54a472-27ac-4c91-9494-b2cfd07dad30%40googlegroups.com.


Re: iptablex trojan experiences?

2014-06-03 Thread 'Adolfo Rodriguez' via elasticsearch
I was using release *elasticsearch-0.90.5* on my exploited server, so maybe 
this is already fixed in the current release by disabling script.disable_dynamic 
by default:

https://github.com/elasticsearch/elasticsearch/issues/5853

(besides not exposing port 9200 outside)

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/3772e3b3-9b82-4018-8468-392ee2f1c4b0%40googlegroups.com.
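The two settings discussed in the messages above (script.disable_dynamic, and whether 9200/9300 are reachable from outside the host) can be checked mechanically before a node goes live. The following is an added example, not code from this thread or from the Elasticsearch project. It assumes a flat 0.90.x/1.x-style elasticsearch.yml (dotted keys, one per line) and treats the pre-1.2.0 defaults, dynamic scripting enabled and binding to all interfaces, as the vulnerable case (the dynamic-scripting issue is CVE-2014-3120). The two sample configs are constructed: the weak one beside its hardened form.

```python
"""Audit an Elasticsearch 0.90.x / 1.x elasticsearch.yml for the two settings
behind the compromise discussed in the thread: dynamic scripting left on and
the HTTP/transport ports bound to all interfaces.

Added example, not Elasticsearch project code."""

# Loopback spellings accepted by ES 1.x for network.host / network.bind_host.
LOOPBACK_VALUES = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Minimal parser for a flat elasticsearch.yml.

    ES 0.90/1.x configs are 'dotted.key: value' lines, so a full YAML parser
    is not needed. Comments and blank lines are dropped and quotes around
    values are stripped. Nested block style and '#' inside values are not
    handled (assumption: not used in these configs).
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def audit_es_config(text):
    """Return a list of findings; an empty list means both checks passed."""
    s = parse_flat_yaml(text)
    findings = []

    # Before 1.2.0 the default was script.disable_dynamic: false, so an
    # absent key is treated as the vulnerable default. 1.2.x also accepts
    # 'sandbox'; this check only accepts the fully disabled value.
    if s.get("script.disable_dynamic", "false").lower() != "true":
        findings.append(
            "script.disable_dynamic is not 'true': unauthenticated callers "
            "can run MVEL via script_fields in _search"
        )

    # ES 1.x bound to all interfaces unless told otherwise, which is how
    # 9200/9300 ended up reachable from the internet on the poster's VPS.
    bind = s.get("network.host") or s.get("network.bind_host") or "0.0.0.0"
    if bind not in LOOPBACK_VALUES:
        findings.append(
            "network.host/network.bind_host is %r, not loopback: 9200/9300 "
            "are reachable from outside the host" % bind
        )
    return findings


# Constructed sample configs (not taken from any real deployment).
VULNERABLE_YML = """
cluster.name: myapp
node.name: "node-1"
# dynamic scripting not mentioned: the pre-1.2.0 default leaves it enabled
http.port: 9200
"""

HARDENED_YML = """
cluster.name: myapp
node.name: "node-1"
script.disable_dynamic: true
network.host: 127.0.0.1   # embedded in Tomcat on the same box, no remote clients
http.port: 9200
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_YML), ("hardened", HARDENED_YML)):
        print("%s: %s" % (label, audit_es_config(cfg) or ["OK"]))
```

Binding to loopback is only right when, as in the poster's setup, the only client is a Tomcat app on the same machine; a real cluster needs a firewall rule or a private interface in front of 9200/9300 instead, and the script check should still pass either way.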


iptablex trojan experiences?

2014-06-03 Thread 'Adolfo Rodriguez' via elasticsearch
Hi, I had a couple of exploits in the last 2 weeks on my CentOS 5.7 with a 
trojan, iptablex. Apparently it does a DDoS and, afterwards, opens connections 
somewhere else. There are reported cases of connections opened to someone at 
China Telecom.

If you look at the processes on your server, you will find something like: 

root 4252 632 0 18:44 ? 00:00:00 /boot/.IptabLex
root 4260 624 0 18:45 ? 00:00:00 /boot/.IptabLes

This is the second time it has happened to me, and in both cases root was 
compromised, so it requires a full server reinstall. In the first case, I 
thought the problem could come from Tomcat 7, which has had quite a few 
vulnerabilities in recent months (http://tomcat.apache.org/security-7.html), so I 
upgraded to Tomcat 8.0.8, the latest release.

However, the problem reproduced again after fully reinstalling the server. This 
second time I have found that ports 9200 and 9300 are open on my VPS 
by my hosting provider, and I found some other cases of the iptablex trojan 
attacking machines through Elastic Search ports. I know, they should not be 
open.

You can find an increasing number of reported cases on the internet pointing 
to ES (and also Tomcat/Struts)

http://nerdanswer.com/answer.php?q=524925
http://security.stackexchange.com/questions/58862/logging-server-compromised-iptables-and-iptablex

So, has any other user in this group experienced the same?

-- 
To view this discussion on the web visit 
https://groups.google.com/d/msgid/elasticsearch/f96fa6c7-a722-4bc3-9a4e-84385ceb11ac%40googlegroups.com.
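A quick way to triage a host for the indicators in this post, as an added example that is not part of the original message: parse a saved ps -ef listing and pull out the IptabLes/IptabLex processes, the user they run as, and their parent PIDs. The listing below is constructed; only the two trojan process lines are copied from the post. Matching on the basename rather than the literal /boot/ path is my assumption, so a copy dropped in another directory is also reported.

```python
"""Scan 'ps -ef' output for the IptabLes/IptabLex processes described in the
thread and report who ran them. Added example; the sample listing is
constructed, with the two trojan lines copied from the original post."""

import re

# Indicator from the post: dotfile binaries named .IptabLes / .IptabLex.
# Assumption: match the basename in any directory, not only /boot/.
IOC_RE = re.compile(r"(^|/)\.IptabLe[sx]\b")


def parse_ps_ef(ps_output):
    """Return (user, pid, ppid, cmd) for each non-header 'ps -ef' line.

    'ps -ef' prints UID PID PPID C STIME TTY TIME CMD; CMD may contain
    spaces, so each line is split into at most 8 fields.
    """
    rows = []
    for line in ps_output.splitlines():
        parts = line.split(None, 7)
        if len(parts) < 8 or not parts[1].isdigit():
            continue  # header or malformed line
        user, pid, ppid, cmd = parts[0], int(parts[1]), int(parts[2]), parts[7]
        rows.append((user, pid, ppid, cmd))
    return rows


def find_iptablex(ps_output):
    """Rows whose command matches the IptabLes/IptabLex indicator."""
    return [row for row in parse_ps_ef(ps_output) if IOC_RE.search(row[3])]


def summarize(ps_output):
    """Hit count, whether any hit runs as root (the poster's 'root is
    compromised' signal) and the parent PIDs to look at next."""
    hits = find_iptablex(ps_output)
    return {
        "hits": len(hits),
        "as_root": any(user == "root" for user, _, _, _ in hits),
        "parents": sorted({ppid for _, _, ppid, _ in hits}),
    }


# Constructed 'ps -ef' listing; PIDs 4252 and 4260 are from the original post.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 18:40 ?        00:00:00 /sbin/init
tomcat     611     1  0 18:41 ?        00:00:03 /usr/bin/java -Djava.util.logging.config.file=/opt/tomcat/conf/logging.properties org.apache.catalina.startup.Bootstrap start
root      4252   632  0 18:44 ?        00:00:00 /boot/.IptabLex
root      4260   624  0 18:45 ?        00:00:00 /boot/.IptabLes
adolfo    5001  4900  0 18:50 pts/0    00:00:00 ps -ef
"""

if __name__ == "__main__":
    for user, pid, ppid, cmd in find_iptablex(SAMPLE_PS):
        print("%s %d (parent %d): %s" % (user, pid, ppid, cmd))
    print(summarize(SAMPLE_PS))
```

Run it against `ps -ef` output captured from the suspect host rather than on the host's own `ps`, which a root-level compromise may have replaced; the PIDs it reports are the starting point for `ls -l /proc/<pid>/exe` and the network connections the post describes, and, as the poster concluded, a root-owned hit means reinstall rather than clean.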