Elasticsearch vulnerability leads to DDoS malware on Amazon

Security professionals usually don’t have to worry about the search engines their organizations choose for plowing through corporate data.

But researchers at Kaspersky Labs say attackers are exploiting a vulnerability in the open source Elasticsearch engine to install distributed denial of service (DDoS) malware on Amazon and possibly other cloud servers.

The vulnerability was first written about earlier this year, and updated last week by a Kaspersky staffer, according to Computerworld U.S.

The problem affects Elasticsearch 1.1.x and is exploited through its scripting feature. Users are urged to upgrade to version 1.2 or 1.3, which have dynamic scripting turned off by default.

Computerworld quotes a Kaspersky researcher saying attackers break into virtual machines run by Amazon EC2 customers by exploiting the vulnerability in Elasticsearch 1.1.x.

The attackers re-purpose known CVE-2014-3120 proof-of-concept exploit code to deliver a Perl webshell, Kaspersky says. “Gaining this foothold presents the attacker with bash shell access on the server. The script “” is fetched with wget and saved from the web host above to /tmp/zerl and run from there, providing the bash shell access to the attacker. Events in your index logs may suggest your server has fallen to this attack,” says Kaspersky’s Kurt Baumgartner.

The result is a high flow of UDP traffic, he wrote in a blog. But already the list of DDoS victims includes a large regional U.S. bank, a large electronics maker and a service provider in Japan.
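A node can be checked against the two points the article raises, the upgrade advice and the /tmp/zerl drop path, with a short audit like the one below. It is an added example, not code from Kaspersky or Elasticsearch. The function names are hypothetical, and `script.disable_dynamic` is the Elasticsearch 1.x setting name, which the article itself does not give.

```python
import os
import re

def parse_version(text):
    """Return (major, minor) from a version string such as '1.1.2'."""
    m = re.match(r"\s*(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def explicit_disable_dynamic(yaml_text):
    """Return the configured script.disable_dynamic value, or None if unset.

    Only the flat 'key: value' form is handled, not nested YAML.
    """
    value = None
    for raw in yaml_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"script\.disable_dynamic\s*:\s*(\S+)", line)
        if m:
            value = m.group(1).strip("'\"").lower()  # keep the last one seen
    return value

def audit(version, yaml_text, ioc_path="/tmp/zerl"):
    """Return a list of findings for one node; an empty list means clean."""
    findings = []
    old = parse_version(version) < (1, 2)
    explicit = explicit_disable_dynamic(yaml_text)
    # Per the article, 1.2 and 1.3 ship with dynamic scripting off by default.
    # Any explicit value other than "true" is treated as not disabled.
    disabled = (explicit == "true") if explicit is not None else not old
    if old:
        findings.append("version older than 1.2: upgrade")
    if not disabled:
        findings.append("dynamic scripting enabled")
    if os.path.exists(ioc_path):
        findings.append("dropped script present: " + ioc_path)
    return findings

if __name__ == "__main__":
    # Constructed sample input, not taken from a real host.
    sample_yml = "cluster.name: demo\n# script.disable_dynamic: true\n"
    for finding in audit("1.1.1", sample_yml):
        print(finding)
```

An upgraded node whose configuration explicitly sets the option to `false` is still flagged, since the safer default only applies when the setting is absent.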

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
