Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
690	[Hive canary]Hive에 Metastore canary red alert및 hive log파일에 Duplicate entry '123456' for key 'NOTIFICATION_LOG_EVENT_ID'가 발생시 조치사항	2023.03.10	5352
689	mysql-server 기동시 Do you already have another mysqld server running on port 오류 발생할때 확인및 조치방법	2017.05.14	5345
688	banana pi에(lubuntu)에 hadoop설치하고 테스트하기 - 성공	2014.07.05	5344
687	빅데이터 분석을 위한 샘플 빅데이터 파일 다운로드 사이트	2014.04.28	5338
686	[CDP7.1.7]impala-shell수행시 간헐적으로 "-k requires a valid kerberos ticket but no valid kerberos ticket found." 오류	2023.11.16	5311
685	org.apache.hadoop.hbase.PleaseHoldException: Master is initializing	2013.03.15	5305
684	HBase, BigTable, Cassandra Schema Design	2013.03.15	5296
683	Hive Query Examples from test code (1 of 2)	2014.03.26	5247
682	ping 안될때.. networking restart 날려주면 잘됨..	2014.05.09	5219
681	[Kudu]ERROR: Unable to advance iterator for node with id '2' for Kudu table 'impala::core.pm0_abdasubjct': Network error: recv error from unknown peer: Transport endpoint is not connected (error 107)	2023.03.16	5212
680	HiveServer2인증을 PAM을 이용하도록 설정하는 방법	2018.07.21	5202
679	Windows7 64bit 환경에서 Apache Hadoop 2.7.1설치하기	2017.07.26	5195
678	kafka broker기동시 brokerId가 달라서 기동에 실패하는 경우 조치방법	2016.05.02	5189
677	의사분산모드에 hadoop설치및 ecosystem 환경 정리	2014.05.29	5170
676	Cloudera의 API를 이용하여 impala의 실행되었던 쿼리 확인하는 예시	2018.05.03	5145
675	[CDP7.1.3]Ranger WebUI에서 Error! Connection refused: Please check the KMS provider URL and whether the Ranager KMS is running발생시 조치 방법	2023.06.07	5140
674	서버 5대에 solr 5.5.0 설치하고 index data를 HDFS에 저장/search하도록 설치/설정하는 방법	2016.04.08	5137
673	[백업] 리눅스 시스템 백업하기 (Linux System Backup) - TAR 사용 시스템 전체 백업	2022.01.19	5131
672	Hive+mysql 설치 및 환경구축하기	2013.03.07	5123
671	[oozie]Oozie WF수행시 단계별 ID넘버링 비교/설명	2022.03.23	5115

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0