lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Shawn Heisey <apa...@elyograg.org>
Subject Re: solr crypto mining hack...
Date Sun, 26 Aug 2018 02:10:46 GMT
On 8/25/2018 12:59 PM, humanitarian wrote:
> I am struggling to fight an attack were the solr user is being used to
> crate files used for mining cryptocurrencies. The files are being
> created in the /var/tmp and /tmp folders.
>
> It will use 100% of the CPU.
>
> I am looking for help in stopping these attacks.
>
> All files are created under the solr user.

At least some of what I'm writing is a repeat of what was said in 
SOLR-12700 -- an issue in Jira with a description that's extremely 
similar to the subject of this message.

The Solr server should never be exposed to untrusted parties, especially 
the open Internet.  This is probably our number one recommendation for 
security.  If an attacker cannot reach a server, they cannot compromise it.

There are a lot of possible vectors in Solr that could have been used to 
compromise the system.  Most of the vulnerabilities that have been found 
are in third-party dependencies that Solr utilizes to create certain 
functionality.

This is not the first time I've encountered this.  On at least one other 
occasion, a user found weird software on their system running as the 
solr user.  It turned out to be a crypto-mining program.

If you have Solr logs from when your system was compromised, we can 
check them to see if there's anything useful. There may not be anything 
useful.   One of the better logs for tracking this sort of thing is the 
Jetty request log, but this log is not enabled by default in the Solr 
download.  This log will be the only way you can get the IP address 
making requests.

Lock down your Solr server(s) so that only trusted network addresses can 
reach them.  This will need to be done outside of Solr.  The operating 
system will have a firewall available, and your network equipment might 
also have filtering capability.

Thanks,
Shawn


Mime
View raw message