This blog does not contain official statements of CERT.at, only personal opinions of the individual contributors.

Elasticsearch being hacked automatically today

2014/07/09

At the moment we are seeing a lot of automated scanning and compromise of Elasticsearch installations worldwide. If you run Elasticsearch, make sure that TCP port 9200 (its HTTP REST interface) is not reachable from the internet: firewall it, or bind it to localhost or an internal address only.

IOCs:

  • C&C IP address:   119.1.109.43  (China)
  • C&C Port: 10991
  • AV analysis (scanned 2014-07-09 00:47:38, 53 scans, 9 detections (16.0%)):
      Zillya: Trojan.Agent.Linux.5
      Avast: ELF:Elknot-H [Trj]
      Kaspersky: Backdoor.Linux.Mayday.g
      DrWeb: Linux.DDoS.7
      VIPRE: Backdoor.Linux.Elknot.f (v)
      Jiangmin: Backdoor/Linux.ju
      Microsoft: DoS:Linux/Elknot.F
      ESET-NOD32: Linux/Agent.F.Gen
      Ikarus: DoS.Linux.Elknot
  • Analysis of similar malware: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html 
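A quick host-side triage script covering both points above, the exposed port 9200 and the C&C indicator. This is an added example and not CERT.at tooling: it parses the column layout of `ss -tnap` on Linux (falling back to a constructed sample when `ss` is not available), flags any socket listening on 9200 that is not bound to a loopback address, and lists any connection whose peer is 119.1.109.43:10991. The sample socket table and its process names are constructed for illustration.

```python
"""Two checks drawn from the post: is Elasticsearch's HTTP port (9200)
bound beyond loopback, and does the host hold a connection to the
reported C&C endpoint 119.1.109.43:10991.

Added example, not CERT.at tooling. Parses the column layout of
`ss -tnap` on Linux; the sample below is constructed for illustration.
"""
import ipaddress
import re
import subprocess

ES_HTTP_PORT = 9200        # Elasticsearch HTTP/REST port named in the post
CNC_IP = "119.1.109.43"    # C&C address from the post's IOCs
CNC_PORT = 10991           # C&C port from the post's IOCs

# Constructed sample in the layout of `ss -tnap`; process names are placeholders.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port   Process
LISTEN 0      128    127.0.0.1:22        0.0.0.0:*           users:(("sshd",pid=710,fd=3))
LISTEN 0      128    0.0.0.0:9200        0.0.0.0:*           users:(("java",pid=1337,fd=101))
LISTEN 0      128    [::]:9300           [::]:*              users:(("java",pid=1337,fd=102))
ESTAB  0      0      10.0.0.5:9200       10.0.0.9:51022      users:(("java",pid=1337,fd=140))
ESTAB  0      0      10.0.0.5:39554      119.1.109.43:10991  users:(("dropped-elf",pid=2044,fd=3))
"""

# Matches both the newer '("name",pid=123,fd=4)' and the older '("name",123,4)' forms.
_PROC_RE = re.compile(r'\(\("([^"]+)",(?:pid=)?(\d+)')

def split_addr(addr_port):
    """'1.2.3.4:80', '[::1]:80' or '0.0.0.0:*' -> (host, port or None)."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)

def is_loopback(host):
    """True only for 127.0.0.0/8 and ::1; wildcards ('*', 0.0.0.0, ::) are not."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False

def parse_ss(text):
    """Parse `ss -tnap` output into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 5)           # keep the Process column whole
        if len(parts) < 5 or parts[0] in ("State", "Netid"):
            continue
        m = _PROC_RE.search(parts[5]) if len(parts) > 5 else None
        rows.append({
            "state": parts[0],
            "local": split_addr(parts[3]),
            "peer": split_addr(parts[4]),
            "proc": m.group(1) if m else "?",
            "pid": int(m.group(2)) if m else None,
        })
    return rows

def exposed_es_listeners(rows):
    """Sockets listening on 9200 that are not bound to a loopback address."""
    return [r for r in rows
            if r["state"] == "LISTEN"
            and r["local"][1] == ES_HTTP_PORT
            and not is_loopback(r["local"][0])]

def cnc_connections(rows):
    """Any socket whose peer is the reported C&C IP:port, in any state."""
    return [r for r in rows if r["peer"] == (CNC_IP, CNC_PORT)]

def report(text):
    """Return (exposed_listeners, cnc_connections) for one ss dump."""
    rows = parse_ss(text)
    return exposed_es_listeners(rows), cnc_connections(rows)

def live_ss_output():
    """Run `ss -tnap` and return its output, or None if ss is unavailable."""
    try:
        return subprocess.run(["ss", "-tnap"], capture_output=True,
                              text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None

if __name__ == "__main__":
    text = live_ss_output()
    if text is None:
        print("ss(8) not available; running against the constructed sample")
        text = SAMPLE_SS_OUTPUT
    exposed, cnc = report(text)
    for r in exposed:
        print(f"EXPOSED: {r['proc']} (pid {r['pid']}) listens on "
              f"{r['local'][0]}:{r['local'][1]} - firewall it or bind to localhost")
    for r in cnc:
        print(f"C&C: {r['proc']} (pid {r['pid']}) {r['state']} to {CNC_IP}:{CNC_PORT}")
    if not exposed and not cnc:
        print("no findings")
```

Run it as root on the Elasticsearch host so `ss -p` can attribute sockets to processes. A hit on the C&C check is a strong indicator of an existing compromise and the box should be treated accordingly; an exposed-listener hit alone means the port needs to be firewalled or rebound before anything else. Only port 9200 is checked because that is the port the post names; 9300 (the transport port) shows up in the sample but is deliberately not flagged.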

Author: L. Aaron Kaplan

Email: reports@cert.at
Phone: +43 1 5056416 78
Last Change: 2014/7/9 - 15:59:36