Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
690	dual table만들기	2014.05.16	4246
689	특정파일이 생성되어야 action이 실행되는 oozie job만들기(coordinator.xml)	2014.05.20	6733
688	source의 type을 spooldir로 하는 경우 해당 경로에 파일이 들어오면 파일단위로 전송함	2014.05.20	4446
687	hive에서 insert overwrite directory.. 로 하면 default column구분자는 'SOH'혹은 't'가 됨	2014.05.20	3595
686	import 혹은 export할때 hive파일의 default 구분자는 --input-fields-terminated-by "x01"와 같이 지정해야함	2014.05.20	6703
685	hiverserver2기동시 connection refused가 발생하는 경우 조치방법	2014.05.22	4647
684	hive query에서 mapreduce돌리지 않고 select하는 방법	2014.05.23	4435
683	oozie의 meta정보를 mysql에서 관리하기	2014.05.26	4968
682	hive job실행시 meta정보를 원격의 mysql에 저장하는 경우 설정방법	2014.05.28	5098
681	hadoop및 ecosystem에서 사용되는 명령문 정리	2014.05.28	6436
680	의사분산모드에 hadoop설치및 ecosystem 환경 정리	2014.05.29	5170
679	원보드pc인 bananapi를 이용하여 hadoop 클러스터 구성하기(준비물)	2014.05.29	6433
678	oozie job 구동시 JA009: User: hadoop is not allowed to impersonate hadoop 오류나는 경우	2014.06.02	3306
677	Cannot create /var/run/oozie/oozie.pid: Directory nonexistent오류	2014.06.03	4452
676	jsoup 사용 예제	2014.06.06	4337
675	2개 data를 join하고 마지막으로 code정보를 join하여 결과를 얻는 mr 프로그램	2014.06.30	3427
674	banana pi에(lubuntu)에 hadoop설치하고 테스트하기 - 성공	2014.07.05	5344
673	org.apache.hadoop.security.AccessControlException: Permission denied: user=hadoop, access=WRITE, inode="":root:supergroup:rwxr-xr-x 오류 처리방법	2014.07.05	5385
672	access=WRITE, inode="staging":ubuntu:supergroup:rwxr-xr-x 오류	2014.07.05	4638
671	banana pi(lubuntu)에서 한글 설정및 한글깨짐 문제 해결	2014.07.06	5637

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0