You are viewing a plain text version of this content. The canonical link for it is here.

Posted to solr-user@lucene.apache.org by Randall Chamberlin <ra...@alliedvaughn.com> on 2018/02/09 23:00:57 UTC

Re: ./fs-manager process run under solr

I am experiencing this too.  For me the "solr" user is running "fs-manager"
from with the directory "/var/tmp/.X1M-Unix.  There is a "config.json",
"out.log" and "xmrig.log" file present.  The json looks like this:
{
    "algo": "cryptonight",
    "av": 0,
    "background": true,
    "colors": false,
    "cpu-affinity": null,
    "cpu-priority": null,
    "donate-level": 2,
    "log-file": "xmrig.log",
    "max-cpu-usage": 85,
    "print-time": 60,
    "retries": 2,
    "retry-pause": 3,
    "safe": false,
    "syslog": false,
    "threads": null,
    "pools": [
                {
            "url": "pool-proxy.com:8080",
            "user": "user",
            "pass": "x",
            "keepalive": true,
            "nicehash": false
        }
    ]
}



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html

Re: ./fs-manager process run under solr

Posted by Shawn Heisey <ap...@elyograg.org>.

On 2/9/2018 4:00 PM, Randall Chamberlin wrote:
> I am experiencing this too.  For me the "solr" user is running "fs-manager"
> from with the directory "/var/tmp/.X1M-Unix.  There is a "config.json",
> "out.log" and "xmrig.log" file present.  The json looks like this:
> {
>      "algo": "cryptonight",
>      "av": 0,
>      "background": true,
>      "colors": false,
>      "cpu-affinity": null,
>      "cpu-priority": null,
>      "donate-level": 2,
>      "log-file": "xmrig.log",
>      "max-cpu-usage": 85,
>      "print-time": 60,
>      "retries": 2,
>      "retry-pause": 3,
>      "safe": false,
>      "syslog": false,
>      "threads": null,
>      "pools": [
>                  {
>              "url": "pool-proxy.com:8080",
>              "user": "user",
>              "pass": "x",
>              "keepalive": true,
>              "nicehash": false
>          }
>      ]
> }

Further research with this new information suggests that this is a part 
of a cryptomining botnet.  If you think you can trust the following 
link, here's some information:

https://malware.news/t/inside-one-xmrig-botnet-miner/17692

The xmrig software is an actual legitimate cryptomining program, but it 
is apparently being installed on vulnerable webservers by malware and 
generating profit for those who created the malware.

If this is malware as I suspect, you're going to need to figure out what 
parts of your system are publicly accessible and vulnerable, patch them, 
and clean up the malware.  Alternatively you could completely rebuild 
the server with newer software versions so it's completely clean and 
cannot be infected again.

Thanks,
Shawn