Elasticsearch servers actively targeted by botmasters

Elasticsearch is one of the most popular choices when it comes to enterprise search engines.

Unfortunately, a couple of remote code execution flaws (CVE-2015-5377, CVE-2015-1427) discovered and publicized earlier this year are being actively exploited by botnet operators to compromise these search servers and make them part of their malicious network.

According to AlienVault researchers, who have set up several honeypots designed to simulate Elasticsearch installations vulnerable to the above mentioned vulnerabilities, in the three months they kept them up and running, they were targeted with over 30 different bots.

Scanning of the honeypots began immediately, and the first exploit attempts happened a few days after setup.

“Coming from stage 0 (scans that are merely just GET / – requests) there is a simple way for an attacker to land an exploit: just three requests and you are owned,” the researchers noted.

“The exploit downloads a bot from different server that hosts various bots and files. After download, the scanning-server executes the bot on vulnerable installations. If the bot runs, it requests the IP for the C&C-master or uses a hardcoded IP and reports itself as ready, waiting for commands.”

Of the 30+ bots they managed to collect, only 15 actually run. They were either fBots (DDoS-Bots) or iBots (sophisticated bots that can download additional ones and then delete themselves).

Both typed of bots receive instructions from a C&C, but the existence of the former on the server will be more easily spotted – when active and firing traffic at targets, they do so on maximum speed, and any admin that monitors outgoing traffic will have no trouble spotting the unexplained increase.