
Heavy server load, host pointed this out to us...

Discussion in 'Enhanced Search Support' started by Ludachris, Apr 14, 2015.

  1. Ludachris

    Ludachris Well-Known Member

    Our host was troubleshooting some heavy server loads and found that it was due to Elasticsearch. Here's what they pointed out:
    Is this normal? Or should I be worried?
  2. rainmotorsports

    rainmotorsports Well-Known Member

    What is your hosting setup? Elasticsearch is usually only appropriate for large VPS or dedicated servers. Not sure if load is as much a problem as memory is, but still.
  3. Ludachris

    Ludachris Well-Known Member

    It's a dedicated server.
  4. Mike

    Mike XenForo Developer Staff Member

    What version of elasticsearch are you running? Is it publicly accessible?

    Seeing files called uname, cmd, and .sshd makes me think your server has been compromised (likely by using an older version of elasticsearch/one with dynamic scripting enabled without firewalling it).
    HWS likes this.
  5. imthebest

    imthebest Formerly Super120

    Yup, pretty sure that your server got hacked.

    You should perform a clean install of the OS and then restore your files/DB from a clean backup. Then install the latest version of ES 1.5.1 and make sure to properly configure your iptables.
  6. Ludachris

    Ludachris Well-Known Member

    It is elasticsearch version 1.4.0.
  7. Ludachris

    Ludachris Well-Known Member

    So if this happened several days ago then I'd potentially have to restore the DB to a week old backup? Ouch.
    Last edited: Apr 15, 2015
  8. imthebest

    imthebest Formerly Super120

    Not that necessary to restore from such an old DB backup. I was basically talking about the PHP files of XenForo.

    Try running the File Health Check tool.
  9. HWS

    HWS Well-Known Member

    I also think you got hacked. You should never run elasticsearch on a publicly accessible port. This is a huge security problem.
  10. Ludachris

    Ludachris Well-Known Member

    Can you explain what that means? I don't remember anything about a publicly accessible port in the setup or configuration instructions when it was installed.
  11. HWS

    HWS Well-Known Member

    I don't know your setup. But given the assumption you run a single server for web, database, elasticsearch and all the other stuff (like java, etc.) you most likely have an open port (usually 9200) for elasticsearch/java at your server's main IP address.

    If you haven't blocked ALL non-local access to that port with a firewall it is just a matter of time until you'll get hacked.

    I would find it to be a good idea to add this warning to the XFES installation instructions page.
    Last edited: Apr 15, 2015
  12. HWS

    HWS Well-Known Member

    And IF you got hacked, you need to take your whole server down ASAP and restore the OS from scratch. After that you need to install again all daemons you need for your site. Also XF has to be installed from scratch. In addition I would compare the most current database backup with a backup from before your server got hacked and check if suspicious database entries have been made. If not, you can use the most recent backup for your restore so your members won't lose any data.

    It is also very important that you change ALL passwords at your server. Including the os root and user passwords, the database passwords and ALL passwords of all your XF user accounts. The intruder could have got possession of them from your database.

    Getting hacked on the server root level is the most problematic and painful scenario you can experience with a server.
    Amaury likes this.
  13. Ludachris

    Ludachris Well-Known Member

    The host asked if ES can be run on localhost. Is that possible/recommended?
  14. RoldanLT

    RoldanLT Well-Known Member

    Mike Edge likes this.
  15. Mike Edge

    Mike Edge Formerly Da Bookie Mon

    Should always run localhost for any application not requiring outside world access. If clustering, you should run it using private networking/tunneling if possible.
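A small audit script for the two points raised above (HWS: port 9200 open on the server's main IP unless firewalled; Mike Edge: run on localhost). This is an added example, not code from the thread or from XenForo/Elasticsearch; it assumes the default HTTP port 9200, `ss -ltn`-style socket listings, and the config path /etc/elasticsearch/elasticsearch.yml.

```shell
#!/bin/sh
# Added example, not from the thread: check whether Elasticsearch's HTTP port
# is bound beyond loopback and print the elasticsearch.yml / iptables fix.
# Assumes the default port 9200 and `ss -ltn` style socket output.
ES_PORT=9200

# True (exit 0) if a LISTEN socket on $ES_PORT is bound to a non-loopback
# address. Reads `ss -ltn` lines on stdin, e.g. "LISTEN 0 128 0.0.0.0:9200 0.0.0.0:*".
es_port_exposed() {
    awk -v port="$ES_PORT" '
        $1 == "LISTEN" {
            p = $4; sub(/.*:/, "", p)                 # port part of Local Address:Port
            a = $4; sub(/:[0-9]+$/, "", a)            # address part ("0.0.0.0", "[::]", "*", ...)
            if (p == port && a != "127.0.0.1" && a != "[::1]" && a != "::1") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# True if elasticsearch.yml (on stdin) pins network.host / network.bind_host
# to a loopback value, so ES never listens on the public interface at all.
es_config_loopback_only() {
    awk '
        /^[ \t]*#/ { next }                           # comment line
        /^[ \t]*network\.(bind_)?host[ \t]*:/ {
            v = $0; sub(/^[^:]*:[ \t]*/, "", v); gsub(/["'\'' \t]/, "", v)
            if (v == "127.0.0.1" || v == "localhost" || v == "_local_" || v == "::1") ok = 1
        }
        END { exit ok ? 0 : 1 }'
}

# Commands to apply on the host (as root): bind ES to loopback and, as defence
# in depth, firewall the port so only local processes (the PHP site) reach it.
# Both rules are inserted at position 1; the loopback ACCEPT is inserted last
# so it ends up above the DROP. Config path is assumed.
print_fix() {
    cat <<EOF
echo 'network.host: 127.0.0.1' >> /etc/elasticsearch/elasticsearch.yml
iptables -I INPUT 1 -p tcp --dport $ES_PORT -j DROP
iptables -I INPUT 1 -p tcp --dport $ES_PORT -i lo -j ACCEPT
EOF
}

# Live usage on the server (not run here):
#   ss -ltn | es_port_exposed && print_fix
#   es_config_loopback_only < /etc/elasticsearch/elasticsearch.yml || echo "ES not pinned to loopback"
```

After applying the fix, restart Elasticsearch and re-run the listener check; if clustering across hosts is needed, the thread's advice to use private networking/tunnelling replaces the loopback bind, not the firewall rule.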
  16. Ludachris

    Ludachris Well-Known Member

    Thanks guys.
    Mike Edge likes this.
