Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	글쓴이	날짜	조회 수
280	[HIVESERVER2]프로세스의 thread및 stack trace를 덤프하는 방법(pstack, jstack)	총관리자	2022.05.11	150
279	No broker partitions consumed by consumer thread오류 발생시 확인/조치할 사항	총관리자	2016.09.02	151
278	spark 시동중 applicationHistory 로그 디렉토리가 없다고 하면서 기동되지 않는 경우	총관리자	2018.06.01	153
277	format된 namenode를 다른 서버에서 다시 format했을때 오류내용	총관리자	2016.09.22	155
276	운영중인 상태에서 kafka topic삭제하고 재생성하여 처리되지 않은 메세지 모두 삭제하기	총관리자	2016.10.24	156
275	cloudera의 hue에서 사용자가 사용한 쿼리 목록	총관리자	2020.02.07	156
274	CDH 5.4.4 버전에서 hive on tez (0.7.0)설치하기	총관리자	2016.01.14	158
273	Cloudera가 사용하는 서비스별 디렉토리	총관리자	2018.03.29	159
272	spark notebook 0.7.0설치및 설정	총관리자	2016.11.14	160
271	missing block및 관련 파일명 찾는 명령어	총관리자	2021.02.20	160
270	hbase CustomFilter만들기 (0.98.X이상)	총관리자	2015.05.08	162
269	spark2.0.0에서 hive 2.0.1 table을 읽어 출력하는 예제 소스(HiveContext, SparkSession, SQLContext)	총관리자	2017.03.09	163
268	JAVA_HOME을 명시적으로 지정하는 방법	총관리자	2018.06.04	165
267	spark-sql실행시 ERROR log: Got exception: java.lang.NumberFormatException For input string: "2000ms" 오류발생시 조치사항	총관리자	2016.06.09	167
266	oozie WF에서 참고할만한 내용	총관리자	2019.07.18	168
265	javax.net.ssl.SSLHanshakeException: SSLHandshakeException invoking https://mainCluster.gooper.com:7183/api/v1/users: sun.security.validator.ValidatorException: No trusted certificate found	gooper	2022.06.29	169
264	Embedded PostgreSql설정을 외부의 MariaDB로변경하기 [1]	총관리자	2018.05.22	170
263	HDFS Balancer설정및 수행	총관리자	2018.03.21	171
262	kerberos설정된 상태의 spooldir->memory->hdfs로 저장하는 과정의 flume agent configuration구성 예시	총관리자	2019.05.30	172
261	cloudera서비스 중지및 기동순서	총관리자	2020.02.14	178

Bigdata, Semantic IoT, Hadoop, NoSQL

Bigdata, Hadoop ecosystem, Semantic IoT등의 프로젝트를 진행중에 습득한 내용을 정리하는 곳입니다.
필요한 분을 위해서 공개하고 있습니다. 문의사항은 gooper@gooper.com로 메일을 보내주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0

A personal place to organize information learned during the development of such Hadoop, Hive, Hbase, Semantic IoT, etc.
We are open to the required minutes. Please send inquiries to gooper@gooper.com.