Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	글쓴이	날짜	조회 수
400	banana pi에 hive 0.13.1+mysql(metastore)설치	총관리자	2014.09.09	2406
399	AIX 7.1에 MariaDB 10.2 소스 설치	총관리자	2016.09.24	2373
398	Cacti로 Hadoop 모니터링 하기	구퍼	2013.03.12	2367
397	kafka broker기동시 brokerId가 달라서 기동에 실패하는 경우 조치방법	총관리자	2016.05.02	2337
396	jupyter, zeppelin, rstudio를 이용하여 spark cluster에 job를 실행시키기 위한 정보	총관리자	2018.04.13	2335
395	hadoop설치시 오류	총관리자	2013.12.18	2313
394	메이븐 (maven) 설치 및 이클립스 연동하기	구퍼	2013.03.06	2280
393	hadoop설치시 참고사항	구퍼	2013.03.08	2131
392	W/F수행후 Logs not available for 1. Aggregation may not to complete. 표시되며 로그내용이 보이지 않은 경우	총관리자	2020.05.08	2110
391	hbase에 필요한 jar들	구퍼	2013.04.01	2100
390	Hive java connection 설정	구퍼	2013.04.01	2013
389	Hadoop 설치 및 시작하기	구퍼	2013.03.06	1951
388	hbase shell 필드 검색 방법	총관리자	2015.05.24	1901
387	VisualVM 1.3.9을 이용한 spark-submit JVM 모니터링을 위한 설정및 spark-submit실행 옵션	총관리자	2016.10.28	1891
386	Hadoop wordcount 소스 작성	구퍼	2013.03.06	1888
385	Spark 2.1.1 clustering(5대) 설치(YARN기반)	총관리자	2016.04.22	1882
384	java.lang.RuntimeException: org.apache.hadoop.hive.ql.metadata.HiveException: Hive Runtime Error: Unable to deserialize reduce input key from...오류해결방법	총관리자	2015.06.16	1785
383	hadoop 2.6.0에 sqoop2 (1.99.5) server및 client설치 == fail	총관리자	2015.06.11	1770
382	hive에서 생성된 external table에서 hbase의 table에 값 insert하기	총관리자	2014.04.11	1748
381	access=WRITE, inode="staging":ubuntu:supergroup:rwxr-xr-x 오류	총관리자	2014.07.05	1719

Bigdata, Semantic IoT, Hadoop, NoSQL

Bigdata, Hadoop ecosystem, Semantic IoT등의 프로젝트를 진행중에 습득한 내용을 정리하는 곳입니다.
필요한 분을 위해서 공개하고 있습니다. 문의사항은 gooper@gooper.com로 메일을 보내주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0

A personal place to organize information learned during the development of such Hadoop, Hive, Hbase, Semantic IoT, etc.
We are open to the required minutes. Please send inquiries to gooper@gooper.com.