Why is elasticsearch user running SSHD?
This is most likely malware using an exploit in elastic search or java.
I have run in to the same issue where my tomcat7 user gets compromised and there are the same processes running that you have.
There should be the following files (or similar) in your /tmp folder owned by elastic+
.ECC6DFE919A382BADRR1A8CDFC9FB43AA0
zzt.pl
and possibly
mysql1
Once compromised the machine will be used for DDOS attacks, usually over UDP port 80.
To clean up, kill the offending processes, and delete all of the offending files in /tmp. This will speed up your machine for the time being, but whatever vulnerability is being exploited can still be used to gain access to you machine again. Digging in to this a little more it looks like a fix for elasticsearch can add script.disable_dynamic: true
to elasticsearch.yml. Still no fix for tomcat however...
Make sure the elastic+ user doesn't have root access or any elevated privileges as they could use those to exploit your box even more.
This exploit popped up in late July and I was only able to find information on Chinese forums. Using google translate I got some good info, but still no solution.
Here is the link with some information, they now mention elastic search as well as tomcat: http://my.oschina.net/abcfy2/blog/292159
UPDATE
For the tomcat exploit, I have found out that the exploit being used may be a struts2 vulnerability. I would recommend updating to the latest version of struts2.
I'm on version 0.90.10 and don't have SSHD running user elastic+.
~$ ps -ef | grep elastic
nonroot 1647 1627 0 10:24 pts/0 00:00:00 grep --color=auto elastic
elastic+ 5322 1 1 May09 ? 1-02:38:50 /usr/lib/jvm/java-7-openjdk-amd64//bin/java -Xms256m -Xmx1g -Xss256k -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Delasticsearch -Des.pidfile=/var/run/elasticsearch.pid -Des.path.home=/usr/share/elasticsearch -cp :/usr/share/elasticsearch/lib/elasticsearch-0.90.10.jar:/usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/lib/sigar/* -Des.default.config=/etc/elasticsearch/elasticsearch.yml -Des.default.path.home=/usr/share/elasticsearch -Des.default.path.logs=/var/log/elasticsearch -Des.default.path.data=/var/lib/elasticsearch -Des.default.path.work=/tmp/elasticsearch -Des.default.path.conf=/etc/elasticsearch org.elasticsearch.bootstrap.ElasticSearch