09.07.2014 15:59
Elastic Search being hacked automatically today
At the moment we are seeing a lot of automatic scanning and hacking of Elastic Search installations worldwide. Please make sure that port 9200 is locked down if you run ES.

IOCs:
- C&C IP address: 119.1.109.43 (China)
- C&C port: 10991
- AV analysis (scanned 2014-07-09 00:47:38, 53 scans, 9 detections, 16.0%):
  - Zillya: Trojan.Agent.Linux.5
  - Avast: ELF:Elknot-H [Trj]
  - Kaspersky: Backdoor.Linux.Mayday.g
  - DrWeb: Linux.DDoS.7
  - VIPRE: Backdoor.Linux.Elknot.f (v)
  - Jiangmin: Backdoor/Linux.ju
  - Microsoft: DoS:Linux/Elknot.F
  - ESET-NOD32: Linux/Agent.F.Gen
  - Ikarus: DoS.Linux.Elknot
- Analysis of similar malware: http://blog.malwaremustdie.org/2014/05/linux-reversing-is-fun-toying-with-elf.html
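A quick way to check a host against the two points above, the exposed port and the C&C indicator, is to run the socket table through a small script. This is an added example, not part of the original post; the socket lines it parses are constructed in the style of `ss -tn` output (state, local address:port, peer address:port), and the only real values are the IP and port from the IOC list.

```python
"""Flag Elasticsearch (port 9200) listening beyond loopback and any
connection to the C&C endpoint from the advisory, given ss-style lines."""
import ipaddress

CNC_IP = "119.1.109.43"   # C&C address from the advisory
CNC_PORT = 10991          # C&C port from the advisory
ES_PORT = 9200

# Constructed sample: State  Local Address:Port  Peer Address:Port
SAMPLE_SOCKETS = """\
LISTEN  0.0.0.0:9200       0.0.0.0:*
LISTEN  127.0.0.1:9300     0.0.0.0:*
ESTAB   10.0.0.5:9200      203.0.113.9:51522
ESTAB   10.0.0.5:43810     119.1.109.43:10991
ESTAB   10.0.0.5:22        198.51.100.7:60012
"""

def split_addr(addr):
    """Split 'host:port' (IPv4 or [IPv6]) into (host, port); '*' port -> None."""
    host, _, port = addr.rpartition(":")
    host = host.strip("[]")
    return host, (None if port == "*" else int(port))

def parse_sockets(text):
    """Parse lines into (state, (local_host, local_port), (peer_host, peer_port))."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        rows.append((parts[0], split_addr(parts[1]), split_addr(parts[2])))
    return rows

def exposed_es_listeners(rows):
    """Local addresses where 9200 is bound on something other than loopback."""
    out = []
    for state, (lhost, lport), _ in rows:
        if state != "LISTEN" or lport != ES_PORT:
            continue
        # '*' or an unspecified address (0.0.0.0, ::) means every interface
        if lhost in ("*", "") or not ipaddress.ip_address(lhost).is_loopback:
            out.append(lhost)
    return out

def cnc_connections(rows):
    """(local, peer) pairs of established connections to the advisory's C&C."""
    return [(f"{lh}:{lp}", f"{ph}:{pp}")
            for state, (lh, lp), (ph, pp) in rows
            if state == "ESTAB" and ph == CNC_IP and pp == CNC_PORT]

if __name__ == "__main__":
    rows = parse_sockets(SAMPLE_SOCKETS)
    print("9200 exposed on:", exposed_es_listeners(rows))
    print("C&C connections:", cnc_connections(rows))
```

On a live box, feed it the real `ss -tn` output instead of the constructed sample; a hit in either list is what the advisory is warning about.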