09.07.2014 15:59

Elastic Search being hacked automatically today

At the moment we are seeing a lot of automatic scanning and hacking of Elastic Search installations worldwide. Please make sure that port 9200 is locked down if you run ES.

IOCs:

  • C&C IP address: 119.1.109.43 (China)
  • C&C Port: 10991
  • AV analysis (scanned 2014-07-09 00:47:38, 53 scans, 9 detections, 16.0%):
      • Zillya: Trojan.Agent.Linux.5
      • Avast: ELF:Elknot-H [Trj]
      • Kaspersky: Backdoor.Linux.Mayday.g
      • DrWeb: Linux.DDoS.7
      • VIPRE: Backdoor.Linux.Elknot.f (v)
      • Jiangmin: Backdoor/Linux.ju
      • Microsoft: DoS:Linux/Elknot.F
      • ESET-NOD32: Linux/Agent.F.Gen
      • Ikarus: DoS.Linux.Elknot
  • Analysis of similar malware: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
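Added example (not part of the advisory): a small host check that covers both points above, whether port 9200 is listening on anything other than loopback and whether any socket is connected to the C&C endpoint listed in the IOCs. It parses the text output of `ss -tan` (state, queues, local address, peer address columns); the sample output embedded below is constructed, and the private/TEST-NET addresses in it are placeholders.

```python
"""Check a Linux host against this advisory: Elasticsearch exposed on port 9200
and any connection to the reported C&C endpoint. Works on the output of
`ss -tan`, either captured live or pasted from an incident ticket."""

import ipaddress
import subprocess

# IOCs taken from the advisory
CNC_IP = "119.1.109.43"
CNC_PORT = 10991
ES_PORT = 9200


def split_endpoint(endpoint: str):
    """Turn an ss endpoint like '10.0.0.5:44312', '[::]:9200' or '*:*' into
    (host, port). Port is None when ss prints '*' instead of a number."""
    host, _, port = endpoint.rpartition(":")
    host = host.strip("[]")
    if host == "*":
        host = "0.0.0.0"  # ss uses '*' for the IPv4 wildcard
    return host, (int(port) if port.isdigit() else None)


def is_exposed(host: str) -> bool:
    """True unless the listening address is a loopback address."""
    try:
        # drop a scope id such as '%eth0' before parsing
        return not ipaddress.ip_address(host.split("%")[0]).is_loopback
    except ValueError:
        return True  # unparseable address: report it rather than skip it


def check_sockets(lines):
    """Return a list of (finding, detail) tuples for the given ss output lines."""
    findings = []
    for line in lines:
        cols = line.split()
        # skip the header and anything that is not a socket row
        if len(cols) < 5 or cols[0] in ("State", "Netid"):
            continue
        state, local, peer = cols[0], cols[3], cols[4]
        lhost, lport = split_endpoint(local)
        phost, pport = split_endpoint(peer)
        # 1. Elasticsearch reachable from outside the host
        if state == "LISTEN" and lport == ES_PORT and is_exposed(lhost):
            findings.append(("exposed_es", local))
        # 2. any non-listening socket talking to the C&C IP:port
        if state != "LISTEN" and phost == CNC_IP and pport == CNC_PORT:
            findings.append(("cnc_connection", f"{local} -> {peer}"))
    return findings


def check_live():
    """Run ss on this host and evaluate its output (Linux only)."""
    out = subprocess.run(["ss", "-tan"], capture_output=True, text=True, check=True)
    return check_sockets(out.stdout.splitlines())


# Constructed sample in `ss -tan` layout; addresses other than the C&C IP are placeholders.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN 0      128    127.0.0.1:9200       *:*
LISTEN 0      128    *:9200               *:*
LISTEN 0      128    *:22                 *:*
ESTAB  0      0      10.0.0.5:44312       119.1.109.43:10991
ESTAB  0      0      10.0.0.5:51922       203.0.113.10:443
""".splitlines()


if __name__ == "__main__":
    for finding, detail in check_sockets(SAMPLE_SS_OUTPUT):
        print(f"{finding}: {detail}")
```

On the sample the script reports the wildcard listener on 9200 (the loopback-only listener is not flagged) and the established connection to 119.1.109.43:10991. An `exposed_es` finding is the thing to fix first: bind Elasticsearch to localhost or an internal interface and filter port 9200 at the host or network firewall; a `cnc_connection` finding means the host should be treated as compromised, not just firewalled.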

Author: L. Aaron Kaplan