Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
287	beeline으로 접근시 "User: gooper is not allowed to impersonate anonymous (state=08S01,code=0)"가 발생하면서 "No current connection"이 발생하는 경우 조치	2018.04.15	4105
286	MongoDB에 있는 특정컬럼의 값을 casting(string->integer)하여 update하기 java 소스	2016.12.19	4106
285	hive metastore ERD	2018.09.20	4107
284	HUE를 사용할 사용자를 추가 하는 절차	2018.05.29	4113
283	hive 0.13.1 설치 + meta정보는 postgresql 9.3에 저장	2015.04.30	4115
282	like검색한 결과를 기준으로 집계를 수행하는 java 소스	2016.12.19	4115
281	MapReduce2.0(YARN)기반의 CDH5 설치시 생성되는 사용자및 권한 부여	2018.05.30	4129
280	[Sentry]HDFS의 ACL을 Sentry와 연동후 테스트	2020.06.02	4132
279	source, sink를 직접 구현하여 사용하는 예시	2019.05.30	4133
278	oozie 4.1 설치 - maven을 이용한 source compile on hadoop 2.5.2 with postgresql 9.3	2015.04.30	4144
277	"You are running Cloudera Manager in non-production mode.." warning메세지가 나타나지 않게 조치하는 방법	2018.05.23	4145
276	spark 2.3.0을 설치하가 위해서 parcel에 다음 url을 입력한다.	2018.07.15	4148
275	SQL문장과 Mongo에서 사용하는 명령어를 비교한 것입니다.	2015.09.30	4149
274	java.lang.OutOfMemoryError: unable to create new native thread오류 발생지 조치사항	2016.10.17	4160
273	Ubuntu 16.04 LTS에 4대에 Hadoop 2.8.0설치	2017.05.01	4160
272	hive metastore db중 TBLS, TABLE_PARAMS테이블 설명	2021.10.22	4164
271	[AD(LADP)] CDP1.7에서 AD및 Kerberos를 연동해도 각 노드에 os account, os group은 생성되어야 하지만 SSSD서비스를 이용하면 직접 생성될 필요가 없다.	2022.06.10	4164
270	DB별 JDBC 드라이버	2015.10.02	4178
269	hadoop의 data디렉토리를 변경하는 방법	2014.08.24	4181
268	not leader of this config: current role FOLLOWER 오류 발생시 확인방법	2022.01.17	4185

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0