
SMMBoost.ru / Elasticsearch cluster exposed

BloodyShell reported 2021-09-15

Risk

These Kibana and Elasticsearch instances are leaking over multiple IPs (655 found so far) in AS50340.


Impact

The APM logs contain API logs with dumped tokens. This is how smmboost was identified.

Exposure

Exposure is critical since the service has been found open on more than 600 IPs.

IP: 194.87.172.51
Port: 9200
Detected protocol: elasticsearch
Vulnerable URL: http://194.87.172.51:9200
Indices: 11, document count: 5640322, size: 673.4 MB
Found index apm-7.10.2-metric-2021.09.14 with 2204196 documents (211.9 MB)
Found index apm-7.10.2-metric-2021.09.15 with 2289381 documents (213.2 MB)
Found index apm-7.10.2-error-2021.09.14 with 290711 documents (82.5 MB)
Found index apm-7.10.2-onboarding-2021.09.13 with 5 documents (35.0 kB)
Found index apm-7.10.2-error-2021.09.15 with 158517 documents (60.6 MB)
Found index apm-7.10.2-transaction-2021.09.14 with 78204 documents (23.0 MB)
Found index apm-7.10.2-transaction-2021.09.15 with 38108 documents (11.8 MB)
Found index apm-7.10.2-error-2021.09.13 with 53929 documents (15.4 MB)
Found index apm-7.10.2-transaction-2021.09.13 with 8409 documents (2.7 MB)
Found index .kibana_1 with 50 documents (55.9 kB)
Found index apm-7.10.2-metric-2021.09.13 with 518812 documents (52.2 MB)
Found by ElasticSearchExplorePlugin 2021-09-15
Report created by BloodyShell  2021-09-15
Report approved by BloodyShell  2021-09-15
New PDF report generated by system 2021-09-15
Report dispatched to ...@... by system 2021-09-15
Report dispatched to ...@... by system 2021-09-15
Report edited by BloodyShell  2021-09-15
New PDF report generated by system 2021-09-15
Report marked as fixed by BloodyShell  2021-09-16
Report closed by BloodyShell  2021-09-16
New PDF report generated by system 2021-09-16
Report edited by BloodyShell  2021-09-17
New PDF report generated by system 2021-09-17
BloodyShell commented 2021-09-17 (approved):

A few IPs look closed but many are still open in the 194.87.64.26/16 range

New PDF report generated by system 2021-09-17
Report comment dispatched to support@smmboost.ru by system 2021-09-17
Report comment dispatched to mail@southpeak.ru by system 2021-09-17
system commented 2021-09-17 (approved):

Email from: support@smmboost.ru

Hello!

Hm, we can’t see it. Can you please send the link for example?

Fri, 17 Sep 2021 at 15:16, <
f19013bb-8bac-4eb9-9cb0-a056eb09e53a@reports.leakix.net>:

> Hello,
>
> A new comment has been added to a LeakIX report you are subscribed to.
> Report ID f19013bb-8bac-4eb9-9cb0-a056eb09e53a
> <http://leakix.net/reports/f19013bb-8bac-4eb9-9cb0-a056eb09e53a>
> Owner *SMMBoost.ru*
> Title *Elasticsearch cluster exposed*
> User BloodyShell
> Comment
>
> A few IPs look closed but many are still open in the 194.87.64.26/16 range
>
> Thanks for your time!
> LeakIX prevention system
> support@leakix.net
> https://leakix.net/reports
>
--
*Best regards,*
*SmmBoost Team*

Report comment dispatched to BloodyShell by system 2021-09-17
Report comment dispatched to WLVh_FoEWp by system 2021-09-17
Report comment dispatched to megabob by system 2021-09-17
Report comment dispatched to iampritam by system 2021-09-17
BloodyShell commented 2021-09-17 (approved):

Sorry, it seems it's indeed fixed.

The last record we had is on 2021-09-16 11:02 and appeared in today's daily.

Thanks for your time!

New PDF report generated by system 2021-09-17
Report comment dispatched to support@smmboost.ru by system 2021-09-17
Report comment dispatched to mail@southpeak.ru by system 2021-09-17
Report edited by BloodyShell  2021-09-17
New PDF report generated by system 2021-09-17
Report edited by BloodyShell  2021-09-17
New PDF report generated by system 2021-09-17
Report comment 53653a approved by BloodyShell  2021-10-07
New PDF report generated by system 2021-10-07
Report comment dispatched to BloodyShell by system 2021-10-07
Report comment dispatched to support@smmboost.ru by system 2021-10-07
Report comment dispatched to mail@southpeak.ru by system 2021-10-07
Information
Owner: SMMBoost.ru
Created: 2021-09-15 13:38
Updated: 2022-07-15 06:43
Fixed: true

Contacts
s...@smmboost.ru
m...@southpeak.ru

Status
Status: closed
Hosting contacted: false
CERT contacted: false
