Check your Elastic Search installation - AVForums was hacked Saturday 7th March

I wasn't aware of the security issue so thanks for the heads-up; mine is now pointing to localhost [127.0.0.1] - it had defaulted to using my server's external IP address.
Could you please let me know how to find that out? I got my installation checked but want to be absolutely sure.
 
So was your Elasticsearch bound to a public-facing IP address?

I would never ever open an Elasticsearch port (or any other port besides 80/443) to the public.
This was the main reason for the hack. You should ask the person responsible why this was not taken care of at your last security audit.
 
Code:
grep -i network.host /etc/elasticsearch/elasticsearch.yml
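The grep above only shows the raw line. As an added example (not code from the thread or from Elasticsearch), the script below reads the same /etc/elasticsearch/elasticsearch.yml setting, ignores commented-out lines, and says what the value means; an absent key matters too, because Elasticsearch 1.x bound every interface by default (2.x and later default to localhost). The sample .yml files are constructed here so it runs offline; on a real host point es_network_host at the live config and run es_listeners to see what is actually listening on 9200/9300.

```shell
#!/bin/sh
# Added example: report which address Elasticsearch is configured to bind to.
# Config path is the stock one from the post; sample configs below are constructed.

# Effective network.host from a config file, ignoring commented-out lines
# (last uncommented occurrence is taken). Prints UNSET when the key is absent.
es_network_host() {
    grep -E '^[[:space:]]*network\.host[[:space:]]*:' "$1" \
        | tail -n 1 \
        | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*#.*$//' -e "s/[\"']//g" \
        | { read -r v || v=""; [ -n "$v" ] && echo "$v" || echo UNSET; }
}

# Translate a bind value into a verdict a practitioner can act on.
es_bind_verdict() {
    case "$1" in
        UNSET)
            echo "unset: Elasticsearch 1.x binds all interfaces by default (2.x+ defaults to localhost)" ;;
        127.0.0.1|localhost|::1|_local_)
            echo "loopback: not reachable from the network" ;;
        0.0.0.0|::|_global_|_non_loopback_|_site_)
            echo "EXPOSED: bound to non-loopback interfaces" ;;
        *)
            echo "EXPOSED unless $1 is a private interface: check it" ;;
    esac
}

# Live check: local addresses of sockets listening on the HTTP (9200) and
# transport (9300) ports. Anything but 127.0.0.1/::1 is reachable from outside.
es_listeners() {
    if command -v ss >/dev/null 2>&1; then ss -lnt 2>/dev/null
    else netstat -lnt 2>/dev/null; fi | awk '$4 ~ /:(9200|9300)$/ { print $4 }'
}

# Constructed sample configs (not from a real server) for a dry run; on a host use
#   es_network_host /etc/elasticsearch/elasticsearch.yml
tmp=$(mktemp -d)
printf 'cluster.name: avf\n# network.host: 127.0.0.1\nnetwork.host: 0.0.0.0\n' > "$tmp/exposed.yml"
printf 'cluster.name: avf\nnetwork.host: "127.0.0.1"   # loopback only\n' > "$tmp/safe.yml"
printf 'cluster.name: avf\n' > "$tmp/unset.yml"

for name in exposed safe unset; do
    host=$(es_network_host "$tmp/$name.yml")
    echo "$name.yml: network.host=$host -> $(es_bind_verdict "$host")"
done
```

Fixing the config is only half of it: after setting network.host to 127.0.0.1 and restarting, run es_listeners (or ss -lnt) to confirm that 9200 and 9300 now show 127.0.0.1 rather than 0.0.0.0 or the server's public address.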


Also, after running that as Matt said, if you are on a public IP, you can check your running processes for something with iptables in the name plus an extra letter. The most common exploit version for this was run as ./boot/iptablesb, making someone without a lot of Linux knowledge think it was just something common that iptables ran from boot. You will also notice your server getting more and more laggy over a short period of time as the script runs outbound DDoS commands, and the flood time increases the longer the script runs undetected.
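The process check described above, as an added example (not code from the thread): it scans a process list for binaries posing as iptables, flagging both a wrong name (iptablesb, iptablex) and a genuine name run from a wrong place such as /boot, /tmp or a relative path. The sample process list is constructed here; on a real host feed it ps -eo pid=,args= instead.

```shell
#!/bin/sh
# Added example: flag processes posing as iptables. Reads "PID COMMAND ARGS" lines
# on stdin, e.g.:  ps -eo pid=,args= | flag_fake_iptables
# Prints one SUSPECT line per hit; no output means nothing matched.
flag_fake_iptables() {
    awk '
    {
        cmd  = $2                      # program as invoked, possibly with a path
        n    = split(cmd, parts, "/")  # basename is the last path component
        base = parts[n]
        if (base !~ /^iptable/) next   # only things that want to look like iptables

        # The real tool names, and the only ones that should ever appear.
        genuine = (base ~ /^iptables(-(save|restore|apply|xml|legacy|nft)(-(save|restore))?)?$/)
        # The real binaries live in the system bin dirs, never /boot, /tmp or ./something.
        sane_path = (cmd !~ /\// || cmd ~ /^\/(usr\/)?s?bin\//)

        if (!genuine)
            print "SUSPECT pid=" $1 " cmd=" cmd " (" base " is not an iptables tool)"
        else if (!sane_path)
            print "SUSPECT pid=" $1 " cmd=" cmd " (real iptables does not run from there)"
    }'
}

# Number of suspect entries in a process list read on stdin.
count_suspects() { flag_fake_iptables | grep -c SUSPECT; }

# Constructed sample process list (not captured from a real host).
sample_ps() {
    cat <<'EOF'
  412 ./boot/iptablesb
  913 /sbin/iptables -L -n
   77 /usr/sbin/iptables-save
 3100 /tmp/iptablex
 3150 /boot/iptables
 2201 /usr/sbin/sshd -D
EOF
}

sample_ps | flag_fake_iptables
```

A name check alone is not enough, which is why the path test is there: a copy of the real binary name dropped in /boot would pass a name-only filter. If anything is flagged, treat the box as compromised and rebuild it rather than just killing the process.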
 
Interesting, what does ./boot/iptablesb do exactly? Open up iptables on the compromised server to allow them to do outbound DDoS attacks?

If ./boot/iptablesb is malware of some form, then having Linux Malware Detect (maldet) and ClamAV installed too would help, I suppose.

edit: I see http://security.stackexchange.com/questions/58862/logging-server-compromised-iptables-and-iptablex
 
I would never ever open an Elasticsearch port (or any other port besides 80/443) to the public.
This was the main reason for the hack. You should ask the person responsible why this was not taken care of at your last security audit.

Bingo. Anyone that got hit by this had flawed security to begin with. The first thing to do when setting up a server is block all ports and then only open those that require public access.

Leaving services exposed that don't need to be is really dangerous.
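The "block everything, then open only what must be public" approach from the post above, written out as an added example (not the poster's own rules): a default-deny iptables ruleset for a web host where only 80/443 are public, SSH is limited to a management range, and nothing is opened for Elasticsearch's 9200/9300 because it sits on loopback. ADMIN_NET is an assumed placeholder range; the rules are printed rather than applied so they can be reviewed first.

```shell
#!/bin/sh
# Added example: default-deny iptables ruleset for a web host.
#   gen_firewall_rules            # review
#   gen_firewall_rules | sudo sh  # apply
# ADMIN_NET is an assumed management range (TEST-NET-3 placeholder); set it to yours.
ADMIN_NET="${ADMIN_NET:-203.0.113.0/24}"

gen_firewall_rules() {
    cat <<EOF
iptables -F INPUT
# Local traffic: the web app reaches Elasticsearch on 127.0.0.1:9200 over lo.
iptables -A INPUT -i lo -j ACCEPT
# Replies to connections this host initiated.
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# SSH only from the management range.
iptables -A INPUT -p tcp --dport 22 -s $ADMIN_NET -m conntrack --ctstate NEW -j ACCEPT
# The only services that need public access.
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# Ping for monitoring.
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# No rule for 9200/9300: Elasticsearch is never exposed. Everything else is dropped.
# The DROP policy is set last so an SSH session used to apply this is never cut off.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
EOF
}

# Is TCP port $1 opened to the public, i.e. accepted without a source restriction?
port_open_to_public() {
    gen_firewall_rules | grep -E -- "--dport $1 " | grep -v -- '-s ' | grep -q -- '-j ACCEPT'
}

gen_firewall_rules
```

The ordering matters: the ACCEPT rules go in before the INPUT policy flips to DROP, so the session you are applying the rules from survives. Persist the result with your distribution's iptables-save mechanism, and re-run the port check against the live ruleset (iptables -S INPUT) after every change so 9200 never quietly reappears.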
 