메뉴 건너뛰기

검색창 닫기

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.


Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

총관리자 2018.06.09 23:07 조회 수 : 7849

*출처 : https://community.hortonworks.com/questions/191898/hdp-261-virus-crytalminer-drwho.html


HDP 2.6.1 Virus CrytalMiner (dr.who)

Question by Huy Duong May 16 at 01:00 PM hdp-2.6.0hdp-2.6.1

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

virus.png (70.3 kB)
 2  Show 1

2 Replies

· Add your reply
avatar image
BEST ANSWER

Answer by Sandeep Nemuri  · May 16 at 01:29 PM

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

 4 · Share
avatar image

Answer by Huy Duong · May 17 at 02:18 AM

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

 0 · Share
이 게시물을
이 글의 추천인 목록 목록
번호 제목 날짜 조회 수
407 Impala Admission Control 설정시 쿼리가 사용하는 메모리 사용량 판단 방법 2023.05.19 4840
406 [Atlas Server]org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=atlas/node01.gooper.com@GOOPER.COM, scope=default:atlas_janus, params=[table=default:atlas_janus,], action-CREATE)] 2023.05.15 4516
405 [Ranger]계정에 admin권한(grant, create등)의 권한 부여 방법 2023.04.18 4290
404 [DataNode]org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: hdfs/datanode03@GOOPER.COM from keytab hdfs.keytab오류 2023.04.18 9820
403 [KUDU] kudu tablet server여러가지 원인에 의해서 corrupted상태가 된 경우 복구방법 2023.03.28 4616
402 Hadoop Clsuter에 이미 포함된 host의 hostname변경시 처리 절차 2023.03.24 4445
401 [Kudu]ERROR: Unable to advance iterator for node with id '2' for Kudu table 'impala::core.pm0_abdasubjct': Network error: recv error from unknown peer: Transport endpoint is not connected (error 107) 2023.03.16 5209
400 hive의 메타정보 테이블을 MariaDB로 사용하는 경우 table comment나 column comment에 한글 입력시 깨지는 경우 utf8로 바꾸는 방법. 2023.03.10 4611
399 [Hive canary]Hive에 Metastore canary red alert및 hive log파일에 Duplicate entry '123456' for key 'NOTIFICATION_LOG_EVENT_ID'가 발생시 조치사항 2023.03.10 4772
398 [Impala TLS/SSL이슈]RangerAdminRESTClient.java:151] Failed to get response, Error is: TrustManager is not specified 2023.02.02 3961
397 [Kerberos]병렬 kinit 호출시 cache파일이 손상되어 Bad format in credentials cache 혹은 No credentials cache found 혹은 Internal credentials cache error 오류 발생시 2023.01.20 4515
396 [HA구성 이슈]oozie 2대를 L4로 HA구성했을때 발생하는 이슈 2023.01.17 4901
395 [Impala 3.2버젼]compute incremental stats db명.테이블명 수행시 ERROR: AnalysisException: Incremental stats size estimate exceeds 2000.00MB. 오류 발생원인및 조치방안 2022.11.30 4842
394 [oozie]oozie ssh action으로 패스워드 없이 다른 서버에 ssh로그인 하여 shellscript호출하는 설정하는 방법 2022.11.10 4293
393 kudu의 내부 table명 변경하는 방법 2022.11.10 3807
392 kerberos연동된 CDH 6.3.4에서 default realm값이 잘못된 상태에서 서비스 기동시 오류 2022.10.14 4277
391 [impala]쿼리 수행중 발생하는 오류(due to memory pressure: the memory usage of this transaction, Failed to write to server) 2022.10.05 4256
390 [Kerberos인증] /var/log/krb5kdc.log파일 기준으로 인증요청(AS), 티켓확인(TGS)이 진행되는 로그 기록 2022.09.21 4421
389 Oracle 12c DB의 LOB타입 컬럼이 있는 테이블을 import할 때 주의 할 사항 2022.09.14 4410
388 [kerberos]Kerberos HA구성 참고 페이지 2022.08.31 3321
쓰기 태그
위로