Remember I
Don't laugh, this is not a joke at all: the same server, with the data of the same system, was once again open to the whole world.
Well, let's go find out...
Disclaimer: all information below is published for educational purposes only. The author did not gain access to the personal data of third parties and companies. The information was either taken from open sources or provided to the author by anonymous well-wishers.
To begin with, let me remind you a little of the chronology of events:
- On 12.04.2019 (night), an Elasticsearch server was discovered that did not require authentication to connect.
- On 13.04.2019 (morning), a notification was sent to the server owners.
- On 13.04.2019 (afternoon), the server was "quietly" removed from open access.
At the time of the first shutdown of the server, the Elasticsearch indexes looked like this:
And on 21.05.2019 at about 16:00 (Moscow time), the same Elasticsearch server, with the same (plus new) indexes, again appeared in open access:
I couldn't believe my eyes when I saw (immediately after the performance at PHDays on the topic of detecting open databases) in the mail notification from our
However, no, it was not a glitch, and after double-checking everything manually, at 01:25 on 22.05.2019 I again sent an alert to the same addresses as the first time.
Since the first closure, this server was scanned by Shodan 11 times and Elasticsearch was closed on it until May 21st.
Only on the morning of 24.05.2019 did this Elasticsearch disappear from public access for the second time. During this time, the indices had grown considerably:
And if you look at the data (only significant information containing personal data of citizens) in the indices for the period from May 1 to May 22, then the picture is as follows:
- 127,525 entries in the index paygibdd
- 49,627 entries in the index shtrafov-net
- 162,282 entries in the index oplata-fssp
- 220,201 entries in the index gosoplata
An example of data from the gosoplata index:
An example of data from the paygibdd index:
Well, the icing on the cake was a letter from one of the addresses to which I sent alerts:
We received your letter about the open ElasticSearch - thanks for the information, the database was closed. The system administrator who reopened access was fired. The legal service is also preparing for submission to the Ministry of Internal Affairs for the Republic of Tatarstan a Statement on the signs of the presence in the actions of the system administrator of a composition under Articles 272 and 273 of the Criminal Code of the Russian Federation.
Source: habr.com