I'm facing a serious problem with my elasticsearch server.
I'm using ES 1.7 on a symfony2 project with fosElasticaBundle.
The ES index has been deleted two times today, and I can't figure out why.
Here are the logs I can read in my cluster.log:
[cluster.metadata] [server] [index] deleting index
[cluster.metadata] [server] [warning] deleting index
[cluster.metadata] [server] [please_read] creating index, cause [api], templates [], shards [5]/[1], mappings []
[cluster.metadata] [server] [please_read] update_mapping [info] (dynamic)
The thing is that my ES never faced this kind of issue in the past months while the website was on pre-prod.
Do you think this can come from an attack? Or a configuration error?
This is very likely coming from an attack. If you do a <Endpoint>/please_read/_search
you will probably see a note like
{
    "_index": "please_read",
    "_type": "info",
    "_id": "AVmZfnjEAQ_HIp2JODbw",
    "_score": 1.0,
    "_source": {
        "Info": "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip",
        "Bitcoin Address": "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx",
        "Email": "elasticsearch@mail2tor.com"
    }
}
You should try to make your elasticsearch cluster installation more secure to avoid such downfalls.
There have also been reports of attacks on databases open to the internet, like MongoDB/Elasticsearch, e.g. http://www.zdnet.com/article/first-came-mass-mongodb-ransacking-now-copycat-ransoms-hit-elasticsearch/
I concur with @dejavu013, this is most likely database ransomware. I would advise securing your Elasticsearch with the free and open-source https://github.com/floragunncom/search-guard, or with premium solutions like Elastic's Shield (now part of the Elastic X-Pack) or Compose's Hosted Elasticsearch.
Many Elasticsearch clusters were attacked in the last week:
http://www.zdnet.com/article/first-came-mass-mongodb-ransacking-now-copycat-ransoms-hit-elasticsearch/
This is how you can secure it:
http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly
This was indeed an attack as @dejavu013 said.
I started to secure my data by allowing only localhost to access my Elasticsearch data.
To do so, I've edited my config file elasticsearch.yml and added these two lines:
network.host: 127.0.0.1
http.port: 9200
So only localhost can access the data and make requests.
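The three checks the thread walks through (spotting the delete-then-create sequence in cluster.log, recognising the ransom note returned by the search, and confirming that elasticsearch.yml binds to loopback) can be run offline against the material quoted above. The script below is an added example and not code from any of the posters; the sample log lines, search hit and the two elasticsearch.yml fragments are constructed from what the posts quote, and the function names are mine. The Bitcoin-address and e-mail patterns are my own heuristics, not anything the thread specifies.

```python
"""Offline triage for the Elasticsearch ransom pattern discussed in the thread.

Added example, not code from the thread. Sample data below is constructed
from the log lines, the search hit and the config lines quoted in the posts.
"""
import re

# Constructed sample: the four cluster.log lines quoted in the question.
SAMPLE_CLUSTER_LOG = """\
[cluster.metadata] [server] [index] deleting index
[cluster.metadata] [server] [warning] deleting index
[cluster.metadata] [server] [please_read] creating index, cause [api], templates [], shards [5]/[1], mappings []
[cluster.metadata] [server] [please_read] update_mapping [info] (dynamic)
"""

# Constructed sample: the search hit quoted in the first answer.
SAMPLE_HIT = {
    "_index": "please_read",
    "_type": "info",
    "_id": "AVmZfnjEAQ_HIp2JODbw",
    "_score": 1.0,
    "_source": {
        "Info": "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip",
        "Bitcoin Address": "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx",
        "Email": "elasticsearch@mail2tor.com",
    },
}

# Constructed samples: elasticsearch.yml before and after the fix in the last post.
EXPOSED_YML = "cluster.name: prod\nhttp.port: 9200\n"
LOCKED_YML = "cluster.name: prod\nnetwork.host: 127.0.0.1\nhttp.port: 9200\n"

# Matches the shape of the quoted log lines: [cluster.metadata] [node] [index] action
LOG_RE = re.compile(
    r"\[cluster\.metadata\] \[(?P<node>[^\]]+)\] \[(?P<index>[^\]]+)\] "
    r"(?P<action>deleting index|creating index)"
)


def wipe_sequence(log_text):
    """Return (deleted, created): index names that were deleted, and names
    created after the first deletion. A fresh, empty-mapping index created
    via the API right after a wave of deletions is the incident's shape."""
    deleted, created = [], []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        if m.group("action") == "deleting index":
            deleted.append(m.group("index"))
        elif deleted:
            created.append(m.group("index"))
    return deleted, created


# Heuristics (my own): a base58 P2PKH-style address and an e-mail contact.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def is_ransom_note(hit):
    """True when a search hit's _source mentions BTC/Bitcoin and carries both
    a Bitcoin address and a contact e-mail; the combination is the ransom-note
    signature whatever the index happens to be called."""
    text = " ".join(str(v) for v in hit.get("_source", {}).values())
    has_btc_word = re.search(r"\b(btc|bitcoin)\b", text, re.IGNORECASE) is not None
    return has_btc_word and bool(BTC_RE.search(text)) and bool(EMAIL_RE.search(text))


# Values of network.host that keep the HTTP and transport ports off the wire.
LOOPBACK = {"127.0.0.1", "localhost", "_local_", "::1"}


def binds_loopback_only(yml_text):
    """Minimal reader for flat `key: value` lines in elasticsearch.yml.
    A missing network.host is treated as exposed: ES 1.x did not default to
    loopback (2.0 changed that), which is how these clusters were found."""
    host = None
    for raw in yml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("network.host:"):
            host = line.split(":", 1)[1].strip().strip("'\"")
    return host in LOOPBACK


if __name__ == "__main__":
    deleted, created = wipe_sequence(SAMPLE_CLUSTER_LOG)
    print("deleted:", deleted, "created after wipe:", created)
    print("ransom note:", is_ransom_note(SAMPLE_HIT))
    print("exposed config loopback-only:", binds_loopback_only(EXPOSED_YML))
    print("fixed config loopback-only:", binds_loopback_only(LOCKED_YML))
```

Run it as-is to see the delete/create sequence, the note detection and the config check on the constructed samples; point `binds_loopback_only` at your real elasticsearch.yml to confirm the fix. Note that `http.port: 9200` is the default and restricts nothing on its own; it is `network.host` that takes the listener off the public interface.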