메뉴 건너뛰기

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.


*출처 : https://community.hortonworks.com/questions/191898/hdp-261-virus-crytalminer-drwho.html


HDP 2.6.1 Virus CrytalMiner (dr.who)

Question by Huy Duong May 16 at 01:00 PM hdp-2.6.0hdp-2.6.1

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

virus.png (70.3 kB)
avatar image
BEST ANSWER

Answer by Sandeep Nemuri  

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

 4 · Share
avatar image

Answer by Huy Duong 

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

 0 · Share
번호 제목 날짜 조회 수
407 Cloudera Hadoop and Spark Developer Certification 준비(참고) 2018.05.16 5461
406 AIX 7.1에 MariaDB 10.2 소스 설치 2016.09.24 5457
405 sqoop 1.4.4 설치및 테스트 2014.04.21 5449
404 Hive 사용법 및 쿼리 샘플코드 2013.03.07 5443
403 upsert구현방법(년-월-일 파티션을 기준으로) 및 테스트 script file 2018.07.03 5426
402 org.apache.hadoop.security.AccessControlException: Permission denied: user=hadoop, access=WRITE, inode="":root:supergroup:rwxr-xr-x 오류 처리방법 2014.07.05 5385
401 [Hive canary]Hive에 Metastore canary red alert및 hive log파일에 Duplicate entry '123456' for key 'NOTIFICATION_LOG_EVENT_ID'가 발생시 조치사항 2023.03.10 5353
400 mysql-server 기동시 Do you already have another mysqld server running on port 오류 발생할때 확인및 조치방법 2017.05.14 5346
399 banana pi에(lubuntu)에 hadoop설치하고 테스트하기 - 성공 file 2014.07.05 5344
398 [CDP7.1.7]impala-shell수행시 간헐적으로 "-k requires a valid kerberos ticket but no valid kerberos ticket found." 오류 2023.11.16 5313
397 org.apache.hadoop.hbase.PleaseHoldException: Master is initializing 2013.03.15 5306
396 HBase, BigTable, Cassandra Schema Design file 2013.03.15 5299
395 [CDP7.1.7]Oozie job에서 ERROR: Kudu error(s) reported, first error: Timed out: Failed to write batch of 774 ops to tablet 8003f9a064bf4be5890a178439b2ba91가 발생하면서 쿼리가 실패하는 경우 2024.01.05 5298
394 Hive Query Examples from test code (1 of 2) 2014.03.26 5247
393 Cloudera의 API를 이용하여 impala의 실행되었던 쿼리 확인하는 예시 2018.05.03 5230
392 [Kudu]ERROR: Unable to advance iterator for node with id '2' for Kudu table 'impala::core.pm0_abdasubjct': Network error: recv error from unknown peer: Transport endpoint is not connected (error 107) 2023.03.16 5212
391 HiveServer2인증을 PAM을 이용하도록 설정하는 방법 2018.07.21 5205
390 Windows7 64bit 환경에서 Apache Hadoop 2.7.1설치하기 2017.07.26 5203
389 kafka broker기동시 brokerId가 달라서 기동에 실패하는 경우 조치방법 2016.05.02 5190
388 [CDP7.1.3]Ranger WebUI에서 Error! Connection refused: Please check the KMS provider URL and whether the Ranager KMS is running발생시 조치 방법 2023.06.07 5143
위로