The company uses Ucloud cloud hosting services, today morning suddenly told that there is a server of the outlet flow surge in foreign contract amount within a short time reached 1 0 0 million, and all the UDP type, the first feeling was: Gee, could there be dark, is when the broiler!
Immediately login to the corresponding server, the first to use up to view traffic conditions
As can be seen the outlet flow of a good scare, 1 minute accumulated within 700M of traffic, check out what these 2 IP addresses, one is in the United States, one is in Zhejiang telecommunications;
Quickly view the running processes, find out suspected processes, but also really have found that:
[. ECC6DFE919A382]this process also want to impersonate system process, doubt is great, but the/tmp/freeBSD is also a very strange thing, and the 4 9 8 the UID of the corresponding user is elasticsearch, and remember yesterday deployed Elasticsearch + Logstash, in order to achieve a log statistics system, will not be ES there is a bug right, continue to view the reason
! wKiom1PXf96xKGEEAAO1e8i1ER4561.jpgsuspect/tmp/freeBSD is to be hung it to the program, unfortunately, has been deleted, you cannot view the
The culprit identified, detailed reasons also need a detailed investigation, so now the most important is to solve the problem, quickly kill off the process, once again check up found flow down quickly, more confirms our judgment;
Next you need to find the hijacked hung it to the cause and specifically the hijacking of the way to post-menopausal patients, and through an external search engine is also soon locate the cause of the problem, is the“Elasticsearch remote arbitrary code execution”vulnerability:
ElasticSearch with scripting(scripting)functions, you can easily check out the data re-processing; ElasticSearch with the script engine is MVEL, this engine does not do any protection, or the sand box, it can directly execute arbitrary code.; and
In ElasticSearch 1.2 previous versions, the default configuration is to open the dynamic scripting functionality, so the user can directly through the http request, execution of arbitrary code.; and
In fact, the official is aware of this loophole in the document with instructions:
First, you should not run Elasticsearch as the root user, as this would allow a script to access or do anything on your server, without limitations. Second, you should not expose Elasticsearch directly to users, but instead have a proxy application inbetween.