Re: ./fs-manager process run under solr

2018-02-10 Thread Shawn Heisey

On 2/9/2018 4:00 PM, Randall Chamberlin wrote:

> I am experiencing this too.  For me the "solr" user is running "fs-manager"
> from within the directory "/var/tmp/.X1M-Unix".  There are "config.json",
> "out.log" and "xmrig.log" files present.  The JSON looks like this:
>
> {
>   "algo": "cryptonight",
>   "av": 0,
>   "background": true,
>   "colors": false,
>   "cpu-affinity": null,
>   "cpu-priority": null,
>   "donate-level": 2,
>   "log-file": "xmrig.log",
>   "max-cpu-usage": 85,
>   "print-time": 60,
>   "retries": 2,
>   "retry-pause": 3,
>   "safe": false,
>   "syslog": false,
>   "threads": null,
>   "pools": [
>     {
>       "url": "pool-proxy.com:8080",
>       "user": "user",
>       "pass": "x",
>       "keepalive": true,
>       "nicehash": false
>     }
>   ]
> }


Further research with this new information suggests that this is a part 
of a cryptomining botnet.  If you think you can trust the following 
link, here's some information:


https://malware.news/t/inside-one-xmrig-botnet-miner/17692

The xmrig software is an actual legitimate cryptomining program, but it 
is apparently being installed on vulnerable webservers by malware and 
generating profit for those who created the malware.


If this is malware as I suspect, you're going to need to figure out what 
parts of your system are publicly accessible and vulnerable, patch them, 
and clean up the malware.  Alternatively you could completely rebuild 
the server with newer software versions so it's completely clean and 
cannot be infected again.


Thanks,
Shawn
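A defender-side check built from the indicators quoted in this thread, added here as an example (not code from the list or from the Solr project): it scores a config.json for the xmrig shape shown above and flags processes owned by solr that run under the reported name or out of a hidden temp directory. The process names, path prefixes and the constructed sample config are assumptions drawn from the messages above; live_processes() reads /proc and is Linux-only.

```python
import json
import os
import pwd

# Indicators reported in this thread: process name, hidden /var/tmp dir, config keys.
SUSPECT_PROCS = {"fs-manager", "xmrig"}
HIDDEN_TMP_PREFIXES = ("/tmp/.", "/var/tmp/.")  # matches /var/tmp/.X1M-Unix
XMRIG_KEYS = {"algo", "pools", "donate-level", "max-cpu-usage", "log-file"}

# Constructed sample in the shape of the config.json quoted in the thread.
SAMPLE_CONFIG = ('{"algo": "cryptonight", "donate-level": 2, "max-cpu-usage": 85, "log-file":'
                 ' "xmrig.log", "pools": [{"url": "pool-proxy.com:8080", "user": "user", "pass": "x"}]}')

def miner_config_reasons(text):
    """Return why a JSON document resembles an xmrig miner config ([] if it does not)."""
    try:
        cfg = json.loads(text)
    except ValueError:
        return []
    if not isinstance(cfg, dict):
        return []
    reasons = []
    hits = XMRIG_KEYS & set(cfg)
    if len(hits) >= 3:
        reasons.append("xmrig-style keys: " + ", ".join(sorted(hits)))
    if str(cfg.get("algo", "")).startswith("cryptonight"):
        reasons.append("algo=cryptonight (Monero-family mining)")
    for pool in cfg.get("pools") or []:
        if isinstance(pool, dict) and "url" in pool:
            reasons.append("mining pool configured: %s" % pool["url"])
    return reasons

def flag_processes(procs, user="solr"):
    """Keep records {'pid','user','comm','cwd'} running as `user` under a suspect name
    or from a hidden temp directory; feed it live_processes() or your own ps output."""
    return [p for p in procs if p["user"] == user and
            (p["comm"] in SUSPECT_PROCS or p["cwd"].startswith(HIDDEN_TMP_PREFIXES))]

def live_processes():
    """Build process records from /proc (Linux; reading another user's cwd needs root)."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            user = pwd.getpwuid(os.stat("/proc/" + pid).st_uid).pw_name
            comm = open("/proc/%s/comm" % pid).read().strip()
            cwd = os.readlink("/proc/%s/cwd" % pid)
        except (OSError, KeyError):
            continue  # process exited, unreadable cwd, or uid without a passwd entry
        out.append({"pid": pid, "user": user, "comm": comm, "cwd": cwd})
    return out
```

Run `flag_processes(live_processes())` as root on the affected host, then pass the contents of any config.json found in the flagged cwd to `miner_config_reasons()`; a hit on both is strong evidence of the miner described above.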



Re: ./fs-manager process run under solr

2018-02-09 Thread Randall Chamberlin
I am experiencing this too.  For me the "solr" user is running "fs-manager"
from within the directory "/var/tmp/.X1M-Unix".  There are "config.json",
"out.log" and "xmrig.log" files present.  The JSON looks like this:

{
  "algo": "cryptonight",
  "av": 0,
  "background": true,
  "colors": false,
  "cpu-affinity": null,
  "cpu-priority": null,
  "donate-level": 2,
  "log-file": "xmrig.log",
  "max-cpu-usage": 85,
  "print-time": 60,
  "retries": 2,
  "retry-pause": 3,
  "safe": false,
  "syslog": false,
  "threads": null,
  "pools": [
    {
      "url": "pool-proxy.com:8080",
      "user": "user",
      "pass": "x",
      "keepalive": true,
      "nicehash": false
    }
  ]
}



--
Sent from: http://lucene.472066.n3.nabble.com/Solr-User-f472068.html


Re: ./fs-manager process run under solr

2018-01-10 Thread Shawn Heisey

On 1/10/2018 12:19 PM, Andy Fake wrote:

> I use Solr 5.5.  I recently noticed a process ./fs-manager running
> under user solr that takes quite high CPU usage.  I don't think I have seen
> such a process before.


I have never heard of this, and have never seen it.

Searching the source code, I cannot find that string.

What OS is Solr running on?  How did you start it?  Exactly what are you 
looking at when you see this "fs-manager" process?


Thanks,
Shawn


./fs-manager process run under solr

2018-01-10 Thread Andy Fake
Hi,

I use Solr 5.5.  I recently noticed a process ./fs-manager running
under user solr that takes quite high CPU usage.  I don't think I have seen
such a process before.

Is that a legitimate process from Solr?

Thanks.