Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security IT Technology

A Hacker Has Wiped, Defaced More Than 15,000 Elasticsearch Servers (zdnet.com) 17

For the past two weeks, a hacker has been breaking into Elasticsearch servers that have been left open on the internet without a password and attempting to wipe their content, while also leaving the name of a cyber-security firm behind, trying to divert blame. From a report: According to security researcher John Wethington, one of the people who saw this campaign unfolding and who aided ZDNet in this report, the first intrusions began around March 24. The attacks appear to be carried with the help of an automated script that scans the internet for ElasticSearch systems left unprotected, connects to the databases, attempts to wipe their content, and then creates a new empty index called nightlionsecurity.com. The attacking script doesn't appear to work in all instances, though, as the nightlionsecurity.com index is also present in databases where the content has been left intact.
This discussion has been archived. No new comments can be posted.

A Hacker Has Wiped, Defaced More Than 15,000 Elasticsearch Servers

Comments Filter:
  • by ron_ivi ( 607351 ) <sdotno@NOSpAM.cheapcomplexdevices.com> on Friday April 03, 2020 @11:08AM (#59904834)
    If the vendor's not protecting the data - wiping them is probably the best thing the hacker could do to protect people's privacy.

    It's far better than leaving it open so that anyone can steal it.

    • by jwymanm ( 627857 )
      Exactly this. I almost feel like that should be a baked in self destruct feature in software if it can be accessed via public IP. This guy is definitely a whitehat.
    • Yep. I read the summary and said, "So?" If you don't even bother to password protect something and connect it to the internet, bad shit is guaranteed to happen to it at some point. That's not news.

      • The problem is that it isn't protected by default. We all know that you can't depend on end users to secure their own stuff, even if they are programmers or server admins. There needs to be a default setting that makes it so that only localhost can connect, and connecting from any other address requires a user name and strong password. This is the minimum. There is no reason to have server software that allows anybody to write/change data without a username and password or other type of authentication sy

    • Right,

      Security was a paid premium feature for ElasticSearch for a very long time as part of X-Pack. They tried to spin making X-Pack free as being some kind of magnanimous move on their part. However it was conveniently only after we started to see massive data dumps of personal information originating from insecure free tier ElasticSearch instances that they did the about face.

      Basic security should never be a premium feature.
    • by ceoyoyo ( 59147 )

      Agreed. This should be made explicitly legal, and encouraged as a public service. Anyone who sees potentially sensitive data sitting unprotected on the internet should consider it their civic duty to erase it and report the offender.

  • by Local ID10T ( 790134 ) <ID10T.L.USER@gmail.com> on Friday April 03, 2020 @12:54PM (#59905098) Homepage

    Now we know why there is no TP left.

  • An google ad for them says. Maybe more emphasis on security, with the removal of default and null passwords?

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...