ElasticSearch attacked and held to ransom

Posted by 程序员超时空


Indices deleted out of nowhere

Completed deletion of expired ML data

"message": "Successfully completed [ML] maintenance tasks";
"message": "[videos/****] deleting index";
"message": "[ch_goods/****] deleting index";
"message": "[rread_me/****] deleting index";

The "Successfully completed [ML] maintenance tasks" entry is the scheduled maintenance task through which ES was accessed remotely and the index deletions were executed.
The tool behind it is elasticsearch-curator.

Querying the rread_me index turns up this:

"hits": [
    {
        "_index": "rread_me",
        "_type": "_doc",
        "_id": "1",
        "_score": 1.0,
        "_source": {
            "message": "All your data is a backed up. You must pay 0.015 BTC to **************1 48 hours for recover it. After 48 hours expiration we will leaked and exposed all your data. In case of refusal to pay, we will contact the General Data Protection Regulation, GDPR and notify them that you store user data in an open form and is not safe. Under the rules of the law, you face a heavy fine or arrest and your base dump will be dropped from our server! You can buy bitcoin here, does not take much time to buy https://localbitcoins.com with this guide https://localbitcoins.com/guides/how-to-buy-bitcoins After paying write to me in the mail with your DB IP: *****.li and you will receive a link to download your database dump."
        }
    }
]

So what now?
If there isn't much data, reinstall ES, block the port and the like from the public internet, and go looking for whatever other holes the system has. This is obviously a ransom attack, damn it.
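As an added example (not code from the original post), here is a small Python check that runs over ES JSON log lines and sampled index documents constructed to mirror the ones above, and flags the pattern seen here: a burst of "deleting index" events, a freshly created read_me-style index, and a document whose text reads like a ransom note. The log line format, index names and note text are constructed for illustration.

```python
import json
import re

# Constructed sample input modelled on the post's log entries and ransom index
# (not the author's real data; "****" stands for the index UUIDs the post masked).
SAMPLE_LOG = [
    '{"level": "INFO", "message": "Successfully completed [ML] maintenance tasks"}',
    '{"level": "INFO", "message": "[videos/****] deleting index"}',
    '{"level": "INFO", "message": "[ch_goods/****] deleting index"}',
    '{"level": "INFO", "message": "[rread_me] creating index, cause [api], templates [], shards [1]/[1]"}',
]
SAMPLE_HITS = [
    {"_index": "rread_me", "_id": "1", "_source": {"message":
        "All your data is a backed up. You must pay 0.015 BTC to <addr> 48 hours for recover it."}},
    {"_index": "videos", "_id": "7", "_source": {"title": "cat video", "views": 3}},
]

DELETE_RE = re.compile(r"^\[(?P<index>[^/\]]+)(?:/[^\]]*)?\] deleting index")
CREATE_RE = re.compile(r"^\[(?P<index>[^\]]+)\] creating index, cause \[(?P<cause>[^\]]*)\]")
RANSOM_NAME_RE = re.compile(r"read_?me", re.IGNORECASE)  # matches read_me, rread_me, README ...
NOTE_WORDS = ("btc", "bitcoin", "pay", "hours", "leak", "recover")


def analyze(log_lines, hits, delete_threshold=2):
    """Scan ES JSON log lines plus sampled index documents for the ransom pattern
    from the post: a run of index deletions, a newly created read_me-style index,
    and a document that scores like a ransom note (>= 3 note keywords)."""
    deleted, suspicious_created = [], []
    for line in log_lines:
        msg = json.loads(line).get("message", "")
        if m := DELETE_RE.match(msg):
            deleted.append(m.group("index"))
        elif m := CREATE_RE.match(msg):
            if RANSOM_NAME_RE.search(m.group("index")):
                suspicious_created.append(m.group("index"))
    ransom_docs = []
    for hit in hits:
        text = json.dumps(hit.get("_source", {})).lower()
        score = sum(w in text for w in NOTE_WORDS)
        if score >= 3:
            ransom_docs.append((hit["_index"], hit.get("_id"), score))
    mass_deletion = len(deleted) >= delete_threshold
    return {
        "deleted_indices": deleted,
        "mass_deletion": mass_deletion,
        "ransom_named_indices": suspicious_created,
        "ransom_notes": ransom_docs,
        "compromised": mass_deletion and bool(ransom_docs or suspicious_created),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG, SAMPLE_HITS), indent=2))
```

On a live cluster the same function can be fed the node's JSON log file and the hits of a `_search` over any unexpected index, which gives a quick triage before the reinstall.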
