Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
327	kafka에서 메세지 중복 consume이 발생할 수 있는 상황	2018.10.23	3801
326	Mountable HDFS on CentOS 6.x(hadoop 2.7.2의 nfs기능을 이용)	2016.11.24	3803
325	kudu의 내부 table명 변경하는 방법	2022.11.10	3808
324	Scala를 이용한 Streaming예제	2018.03.08	3809
323	SASL configuration failed: javax.security.auth.login.LoginException: java.lang.NullPointerException 오류 해결방법	2015.04.02	3811
322	Not enough replica available for query at consistency QUORUM가 발생하는 경우	2017.06.21	3814
321	streaming작업시 입력된 값에 대한 사본을 만들게 되는데 이것이 실패했을때 발생하는 경고메세지	2017.04.03	3841
320	Apache Toree설치(Jupyter에서 Scala, PySpark, SparkR, SQL을 사용할 수 있도록 하는 Kernel)	2018.04.17	3848
319	impala external 테이블 생성시 컬럼과 라인 구분자를 지정하여 테이블 생성하는 예시	2020.02.20	3850
318	Cloudera Manager재설치하는 동안 "Host is in bad health"오류가 발생하는 경우 확인/조치 사항	2018.05.24	3858
317	TransmitData() to failed: Network error: Recv() got EOF from remote (error 108) 오류 현상	2019.02.15	3865
316	javax.net.ssl.SSLHanshakeException: SSLHandshakeException invoking https://mainCluster.gooper.com:7183/api/v1/users: sun.security.validator.ValidatorException: No trusted certificate found	2022.06.29	3867
315	Cloudera가 사용하는 서비스별 포트	2018.03.29	3872
314	impala session type별 표시되는 정보로 구분하는 방법	2021.05.25	3872
313	Namenode Metadata백업하는 방법	2020.02.10	3888
312	CDP에서 AD와 Kerberos를 활용하여 인증 환경을 구축하는 3가지 방법	2022.06.10	3891
311	서버중 slave,worker,regionserver만 재기동해야 할때 필요한 기동스크립트및 사용방법	2017.02.03	3900
310	lateral view 예제	2014.09.18	3903
309	lagom의 online-auction-java프로젝트 실행시 외부의 kafka/cassandra를 사용하도록 설정하는 방법	2017.10.12	3914
308	Impala daemon기동시 "Could not create temporary timezone file"오류 발생시 조치사항	2018.03.29	3931

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0