Why is elasticsearch user running SSHD?

This is most likely malware using an exploit in elastic search or java.

I have run into the same issue where my tomcat7 user gets compromised and there are the same processes running that you have.

There should be the following files (or similar) in your /tmp folder owned by elastic+

.ECC6DFE919A382BADRR1A8CDFC9FB43AA0
zzt.pl

and possibly

mysql1

Once compromised the machine will be used for DDOS attacks, usually over UDP port 80.

To clean up, kill the offending processes, and delete all of the offending files in /tmp. This will speed up your machine for the time being, but whatever vulnerability is being exploited can still be used to gain access to your machine again. Digging into this a little more, it looks like a fix for elasticsearch can add script.disable_dynamic: true to elasticsearch.yml. Still no fix for tomcat however...

Make sure the elastic+ user doesn't have root access or any elevated privileges as they could use those to exploit your box even more.

This exploit popped up in late July and I was only able to find information on Chinese forums. Using Google Translate I got some good info, but still no solution.

Here is the link with some information, they now mention elastic search as well as tomcat: http://my.oschina.net/abcfy2/blog/292159

UPDATE

For the tomcat exploit, I have found out that the exploit being used may be a struts2 vulnerability. I would recommend updating to the latest version of struts2.
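The checks described in the answer above (processes running as the Elasticsearch service user that are not the JVM, files in /tmp owned by that user, the script.disable_dynamic setting, and sudo grants to the user) as a script. This is an added example, not code from the answer or from the Elasticsearch project; the account name elasticsearch, the config path and the sample data are assumptions or constructed inputs. Each check takes its input as text so it can be run on a captured listing as well as on the live host.

```shell
#!/bin/sh
# Added example: audit the indicators named in the answer. Not from the answer
# or the Elasticsearch project. ES_USER and the samples below are assumptions.

ES_USER="${ES_USER:-elasticsearch}"   # assumed service account name

# Processes owned by the service user whose command is not the JVM.
# $1: output of `ps -eo user:20,pid,args` (header optional), $2: user name.
# Prints "pid:command" per finding; also accepts the "elastic+" truncation
# that `ps -ef` produces for long user names.
unexpected_procs() {
    printf '%s\n' "$1" | awk -v u="$2" '
        NR == 1 && $1 == "USER" { next }
        {
            owner = $1
            if (sub(/\+$/, "", owner)) hit = (index(u, owner) == 1)
            else hit = (owner == u)
            if (hit && $3 !~ /\/java$/) print $2 ":" $3
        }'
}

# Regular files under a directory owned by the user. $1: directory, $2: user.
files_owned_by() {
    find "$1" -xdev -user "$2" -type f 2>/dev/null
}

# Returns 0 if the elasticsearch.yml text in $1 contains an uncommented
# "script.disable_dynamic: true" line (the mitigation the answer mentions).
dynamic_scripting_disabled() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*script\.disable_dynamic:[[:space:]]*true[[:space:]]*$'
}

# Uncommented sudoers lines in $1 that grant anything to the user in $2.
sudo_grants() {
    printf '%s\n' "$1" | grep -E "^[[:space:]]*$2[[:space:]]" || true
}

# Constructed sample data modelled on the listing posted in this thread.
SAMPLE_PS='USER                   PID COMMAND
elasticsearch         5322 /usr/lib/jvm/java-7-openjdk-amd64//bin/java -Xms256m org.elasticsearch.bootstrap.ElasticSearch
elasticsearch         6120 /usr/sbin/sshd -D
elastic+              6133 perl /tmp/zzt.pl
root                  1627 -bash'
SAMPLE_YML_WEAK='cluster.name: elasticsearch
# script.disable_dynamic: true
node.name: "es-1"'
SAMPLE_YML_FIXED='cluster.name: elasticsearch
script.disable_dynamic: true
node.name: "es-1"'
SAMPLE_SUDOERS='root ALL=(ALL:ALL) ALL
# elasticsearch ALL=(ALL) NOPASSWD: ALL
elasticsearch ALL=(ALL) NOPASSWD: ALL'

# Live report against the running host; opt in with RUN_LIVE=1 so the file
# can be sourced or run unchanged without touching the system.
if [ "${RUN_LIVE:-0}" = 1 ]; then
    echo "== processes running as $ES_USER that are not java =="
    unexpected_procs "$(ps -eo user:20,pid,args)" "$ES_USER"
    echo "== files in /tmp owned by $ES_USER =="
    files_owned_by /tmp "$ES_USER"
    echo "== dynamic scripting =="
    if dynamic_scripting_disabled "$(cat /etc/elasticsearch/elasticsearch.yml 2>/dev/null)"; then
        echo "disabled"
    else
        echo "still enabled: add 'script.disable_dynamic: true' to elasticsearch.yml and restart"
    fi
    echo "== sudo grants for $ES_USER =="
    sudo_grants "$(cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null)" "$ES_USER"
fi
```

Run with `RUN_LIVE=1 sh audit.sh` as root. The script only reports; copy anything it finds in /tmp somewhere safe for analysis before killing the processes and deleting the files as the answer describes, otherwise the evidence of how the box was entered goes with them.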


I'm on version 0.90.10 and don't have SSHD running as user elastic+.

~$ ps -ef | grep elastic
nonroot    1647  1627  0 10:24 pts/0    00:00:00 grep --color=auto elastic
elastic+  5322     1  1 May09 ?        1-02:38:50 /usr/lib/jvm/java-7-openjdk-amd64//bin/java -Xms256m -Xmx1g -Xss256k -Djava.awt.headless=true -XX:+UseParNewGC -XX:+UseConcMarkSweepGC -XX:CMSInitiatingOccupancyFraction=75 -XX:+UseCMSInitiatingOccupancyOnly -XX:+HeapDumpOnOutOfMemoryError -Delasticsearch -Des.pidfile=/var/run/elasticsearch.pid -Des.path.home=/usr/share/elasticsearch -cp :/usr/share/elasticsearch/lib/elasticsearch-0.90.10.jar:/usr/share/elasticsearch/lib/*:/usr/share/elasticsearch/lib/sigar/* -Des.default.config=/etc/elasticsearch/elasticsearch.yml -Des.default.path.home=/usr/share/elasticsearch -Des.default.path.logs=/var/log/elasticsearch -Des.default.path.data=/var/lib/elasticsearch -Des.default.path.work=/tmp/elasticsearch -Des.default.path.conf=/etc/elasticsearch org.elasticsearch.bootstrap.ElasticSearch