New Index "pleasereadthis"

[pranavtiwary15]

When I opened my Kibana dashboard today, I saw that its asking my for index pattern, I have lost all my dashboard. Also in elastic search I can see a Index with name "pleasereadthis". Even When I configured the index pattern still i can't see my dashboard. Seems like all kibana conf has gone. There is no saved visualize or a dashboard that I created. By default when we attach kibana to elastic search where we pushed metrics, we see some dashboard and visulize chart. But i couldnt see any even after I created a default index pattern for kibana.

This page lists every field in the [stagemonitor-metrics-]YYYY.MM.DD index : My default index

Not sure what is this. A hack ?

I have hosted my kibana and elastisearch on same machine on aws. I can see below indexes in my elastic pattern.

Also it shows me only data from 3rd Feb, though I never deleted any data.

health status index pri rep docs.count docs.deleted store.size pri.store.size yellow open stagemonitor-external-requests-2017.02.06 5 1 55843 0 45mb 45mb yellow open stagemonitor-metrics-2017.02.03 5 1 80358 0 9.2mb 9.2mb yellow open stagemonitor-requests-2017.02.06 5 1 92276 0 173.7mb 173.7mb yellow open stagemonitor-metrics-2017.02.04 5 1 626004 0 70.5mb 70.5mb yellow open stagemonitor-metrics-2017.02.05 5 1 631530 0 71mb 71mb yellow open stagemonitor-metrics-2017.02.06 5 1 290246 0 64.2mb 64.2mb yellow open pleasereadthis 5 1 0 0 795b 795b yellow open stagemonitor-requests-2017.02.04 5 1 231660 0 208.9mb 208.9mb yellow open stagemonitor-requests-2017.02.05 5 1 215682 0 191.7mb 191.7mb yellow open .kibana 1 1 4 0 31.3kb 31.3kb yellow open stagemonitor-requests-2017.02.03 5 1 23793 0 19.5mb 19.5mb yellow open stagemonitor-external-requests-2017.02.03 5 1 13327 0 5.1mb 5.1mb yellow open stagemonitor-external-requests-2017.02.04 5 1 133600 0 45.2mb 45.2mb yellow open stagemonitor-external-requests-2017.02.05 5 1 119997 0 41mb 41mb

[felixbarny]

It sounds like you might be a victim of a ransom attack. Basically, attacks are stealing data from unprotected Elasticsearch servers and only give back the data if you pay them bitcoins. To be sure that this is the case, open http:///pleasereadthis.

Read more on:

• http://www.zdnet.com/article/first-came-mass-mongodb-ransacking-now-copycat-ransoms-hit-elasticsearch/
• https://www.elastic.co/blog/protecting-against-attacks-that-hold-your-data-for-ransom
• http://code972.com/blog/2017/01/107-dont-be-ransacked-securing-your-elasticsearch-cluster-properly

[pranavtiwary15]

when I restarted my app server I can now see default dashboard, seems like some one hacked and deleted my index.

[pranavtiwary15]

@felixbarny : You are correct, never matter, that data was not imp. its test server.

I saw this : for pleasereadthis index.

{"pleasereadthis":{"aliases":{},"mappings":{},"settings":{"index":{"creation_date":"1486155138412","uuid":"kOCe9feRSQG3h9Ci9H4WWw","notice":"SEND 0.1 BITCOIN TO THIS WALLET: 1EomYAqKiyrH4oRAV4AVHoMDGkn9MkFFxN IF YOU WANT RECOVER YOUR DATABASE! SEND TO THIS EMAIL YOUR SERVER IP AFTER SENDING THE BITCOINS e145t1c@sigaint.org IF PAYMENT IS NOT MADE WITHIN 120 HOURS WE WILL LEAK THE DATABASE TO PUBLIC. HOW TO BUY BITCOIN: https://en.bitcoin.it/wiki/Buying_Bitcoins_(the_newbie_version)","number_of_replicas":"1","number_of_shards":"5","version":{"created":"2040099"}}},"warmers":{}}}