Posted to solr-user@lucene.apache.org by Randall Chamberlin <ra...@alliedvaughn.com> on 2018/02/09 23:00:57 UTC
Re: ./fs-manager process run under solr
I am experiencing this too. For me the "solr" user is running "fs-manager"
from within the directory "/var/tmp/.X1M-Unix". There is a "config.json",
"out.log" and "xmrig.log" file present. The json looks like this:
{
    "algo": "cryptonight",
    "av": 0,
    "background": true,
    "colors": false,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 2,
    "log-file": "xmrig.log",
    "max-cpu-usage": 85,
    "print-time": 60,
    "retries": 2,
    "retry-pause": 3,
    "safe": false,
    "syslog": false,
    "threads": null,
    "pools": [
        {
            "url": "pool-proxy.com:8080",
            "user": "user",
            "pass": "x",
            "keepalive": true,
            "nicehash": false
        }
    ]
}
--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html
Re: ./fs-manager process run under solr
Posted by Shawn Heisey <ap...@elyograg.org>.
On 2/9/2018 4:00 PM, Randall Chamberlin wrote:
> I am experiencing this too. For me the "solr" user is running "fs-manager"
> from within the directory "/var/tmp/.X1M-Unix". There is a "config.json",
> "out.log" and "xmrig.log" file present. The json looks like this:
> {
>     "algo": "cryptonight",
>     "av": 0,
>     "background": true,
>     "colors": false,
>     "cpu-affinity": null,
>     "cpu-priority": null,
>     "donate-level": 2,
>     "log-file": "xmrig.log",
>     "max-cpu-usage": 85,
>     "print-time": 60,
>     "retries": 2,
>     "retry-pause": 3,
>     "safe": false,
>     "syslog": false,
>     "threads": null,
>     "pools": [
>         {
>             "url": "pool-proxy.com:8080",
>             "user": "user",
>             "pass": "x",
>             "keepalive": true,
>             "nicehash": false
>         }
>     ]
> }
Further research with this new information suggests that this is a part
of a cryptomining botnet. If you think you can trust the following
link, here's some information:
https://malware.news/t/inside-one-xmrig-botnet-miner/17692
The xmrig software is an actual legitimate cryptomining program, but it
is apparently being installed on vulnerable webservers by malware and
generating profit for those who created the malware.
If this is malware as I suspect, you're going to need to figure out what
parts of your system are publicly accessible and vulnerable, patch them,
and clean up the malware. Alternatively you could completely rebuild
the server with newer software versions so it's completely clean and
cannot be infected again.
Thanks,
Shawn
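A small detection helper, added here as an example and not code from this thread or from the Solr project: it parses a config.json like the one Randall posted and reports the xmrig-style fields it finds, and scan_dir walks a directory such as /var/tmp looking for such files. The key names, the algorithm value and the sample config come from the thread; the "three or more miner keys" threshold and the helper names are my own assumptions.

```python
import json
from pathlib import Path

# Keys seen in the config.json posted in this thread (xmrig-style miner config).
XMRIG_KEYS = {"algo", "donate-level", "max-cpu-usage", "pools", "log-file"}
XMRIG_ALGOS = {"cryptonight"}

# Constructed sample: a compacted copy of the config.json quoted in the thread.
SAMPLE_CONFIG = ('{"algo": "cryptonight", "av": 0, "background": true, '
                 '"donate-level": 2, "log-file": "xmrig.log", "max-cpu-usage": 85, '
                 '"threads": null, "pools": [{"url": "pool-proxy.com:8080", '
                 '"user": "user", "pass": "x", "keepalive": true, "nicehash": false}]}')


def classify_miner_config(text):
    """Return the reasons a JSON document looks like an xmrig miner config.

    An empty list means nothing matched (or the text is not a JSON object).
    This is a heuristic for triage, not an exact fingerprint of the malware.
    """
    try:
        cfg = json.loads(text)
    except ValueError:
        return []
    if not isinstance(cfg, dict):
        return []
    reasons = []
    present = XMRIG_KEYS & set(cfg)
    if len(present) >= 3:  # assumed threshold: several miner-only keys together
        reasons.append("xmrig keys: " + ", ".join(sorted(present)))
    if str(cfg.get("algo", "")).lower() in XMRIG_ALGOS:
        reasons.append("algo=%s" % cfg["algo"])
    if cfg.get("log-file") == "xmrig.log":
        reasons.append("log-file xmrig.log")
    for pool in cfg.get("pools") or []:
        if isinstance(pool, dict) and "url" in pool:
            reasons.append("pool url %s" % pool["url"])  # where the miner reports
    return reasons


def scan_dir(root):
    """Walk root (e.g. /var/tmp) and map each suspicious config.json to its reasons."""
    hits = {}
    for path in Path(root).rglob("config.json"):
        try:
            reasons = classify_miner_config(path.read_text(errors="replace"))
        except OSError:
            continue  # unreadable file: skip, do not abort the scan
        if reasons:
            hits[str(path)] = reasons
    return hits


if __name__ == "__main__":
    for path, why in scan_dir("/var/tmp").items():
        print(path, "->", "; ".join(why))
```

Run it as the solr user or root so that hidden directories such as the one in the thread are readable; a hit is a reason to inspect the process, not proof on its own.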