可以将文章内容翻译成中文,广告屏蔽插件可能会导致该功能失效(如失效，请关闭广告屏蔽插件后再试):

问题:

I'm facing a serious problem with my elasticsearch server.

I'm using ES 1.7 on a symfony2 project with fosElasticaBundle.

The ES index has been deleted two times today, and I can't figure out why.

Here are the log I can read in my cluster.log:

[cluster.metadata] [server] [index] deleting index

[cluster.metadata] [server] [warning] deleting index

[cluster.metadata] [server] [please_read] creating index, cause [api], templates [], shards [5]/[1], mappings []

[cluster.metadata] [server] [please_read] update_mapping [info] (dynamic)

The thing is that my ES never faced such kind of issue in the past monthes while the website was on pre-prod.

Do you think this can comes from an attack ? Or an configuration error ?

回答1:

This is very likely coming from an attack. if you do a <Endpoint>/please_read/_search you will probably see a note like

     {
            "_index": "please_read",
            "_type": "info",
            "_id": "AVmZfnjEAQ_HIp2JODbw",
            "_score": 1.0,
            "_source": {
                "Info": "Your DB is Backed up at our servers, to restore send 0.5 BTC to the Bitcoin Address then send an email with your server ip",
                "Bitcoin Address": "12JNfaS2Gzic2vqzGMvDEo38MQSX1kDQrx",
                "Email": "elasticsearch@mail2tor.com"
            }

You should try to make your elasticsearch cluster installation more secure to avoid such downfalls.

There have also been reports of attacks on open to internet databases like mongo/elasticsearch eg. http://www.zdnet.com/article/first-came-mass-mongodb-ransacking-now-copycat-ransoms-hit-elasticsearch/

回答2:

I concur with @dejavu013, this is most likely database ransomware, I would advise securing your elasticsearch with the free and opensource https://github.com/floragunncom/search-guard, or premium solutions like Elastic's Shield, now part of the Elastic X-Pack or Compose's Hosted Elasticsearch.