A Hacker Has Wiped, Defaced More Than 15,000 Elasticsearch Servers (zdnet.com)
For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame. From a report: According to security researcher John Wethington, one of the people who saw this campaign unfolding and who aided ZDNet in this report, the first intrusions began around March 24. The attacks appear to be carried out with the help of an automated script that scans the internet for ElasticSearch systems left unprotected, connects to the databases, attempts to wipe their content, and then creates a new empty index called nightlionsecurity.com. The attacking script doesn't appear to work in all instances, though, as the nightlionsecurity.com index is also present in databases where the content has been left intact.
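A triage check for the indicator the summary describes, as an added example that is not part of the original story or thread: it reads the JSON listing returned by Elasticsearch's `_cat/indices?format=json` endpoint on your own cluster and reports whether the nightlionsecurity.com index is present and whether user data survived. The function name, verdict strings and sample listings are constructed for illustration.

```python
import json

MARKER_INDEX = "nightlionsecurity.com"  # index name reported in the summary

def triage_indices(cat_indices_json, marker=MARKER_INDEX):
    """Classify a cluster from its `_cat/indices?format=json` listing."""
    marker_present = False
    user_docs = {}
    for row in json.loads(cat_indices_json):
        name = row.get("index", "")
        if name == marker:
            marker_present = True
            continue
        if name.startswith("."):      # system indices such as .kibana
            continue
        count = row.get("docs.count")  # a string, or null for a closed index
        user_docs[name] = int(count) if count else 0
    total = sum(user_docs.values())
    if not marker_present:
        verdict = "no-marker"         # not proof of safety: may still be exposed
    elif total > 0:
        verdict = "marker-present-data-intact"   # wipe attempt failed
    else:
        verdict = "marker-present-data-missing"  # restore from backup
    return {"verdict": verdict, "total_docs": total, "user_indices": user_docs}

# Constructed sample listings (not captured from real servers).
WIPED = json.dumps([
    {"index": "nightlionsecurity.com", "docs.count": "0"},
    {"index": ".kibana", "docs.count": "3"},
])
INTACT = json.dumps([
    {"index": "nightlionsecurity.com", "docs.count": "0"},
    {"index": "customers", "docs.count": "48211"},
    {"index": "archive-2019", "docs.count": None},
])
UNTOUCHED = json.dumps([{"index": "logs-app", "docs.count": "1200"}])

if __name__ == "__main__":
    for label, listing in [("wiped", WIPED), ("intact", INTACT), ("untouched", UNTOUCHED)]:
        print(label, triage_indices(listing))
```

Either marker verdict means the cluster was reachable without authentication and should be treated as exposed, whether or not the wipe succeeded.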
Wiping those is a public service. (Score:5, Insightful)
It's far better than leaving it open so that anyone can steal it.
Re: (Score:2)
Yep. I read the summary and said, "So?" If you don't even bother to password protect something and connect it to the internet, bad shit is guaranteed to happen to it at some point. That's not news.
Re: (Score:2)
The problem is that it isn't protected by default. We all know that you can't depend on end users to secure their own stuff, even if they are programmers or server admins. There needs to be a default setting that makes it so that only localhost can connect, and connecting from any other address requires a user name and strong password. This is the minimum. There is no reason to have server software that allows anybody to write/change data without a username and password or other type of authentication sy
Re: (Score:3)
Security was a paid premium feature for ElasticSearch for a very long time as part of X-Pack. They tried to spin making X-Pack free as being some kind of magnanimous move on their part. However it was conveniently only after we started to see massive data dumps of personal information originating from insecure free tier ElasticSearch instances that they did the about face.
Basic security should never be a premium feature.
Re: (Score:2)
Agreed. This should be made explicitly legal, and encouraged as a public service. Anyone who sees potentially sensitive data sitting unprotected on the internet should consider it their civic duty to erase it and report the offender.
Re: (Score:3)
"I didn't know Elastigirl started a company."
Fuck!
When did Gumby leave Pokey? I thought he was equusexual.
Poser
Re: (Score:2)
I thought he was equusexual.
Poser
An equusexual? Is that like Catherine the Great having sex with a horse?
Over 15000 wiped! (Score:4, Funny)
Now we know why there is no TP left.
Re: (Score:2)
Yeah, because it got replaced by Turbo C.
Re: (Score:2)
Who knows, maybe Borland branded TP could make a comeback? Think about wiping with some fluffy Borland after a good session sitting down..
“With an emphasis on speed, scale, and relev (Score:2)