Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
570	[Active Directory] AD Kerberos보안 설정 변경 방법 (Maximum lifetime for user ticket, Maximum lifetime for user ticket renewal)	2024.03.12	4520
569	[CDP7.1.7][Replication]Table does not match version in getMetastore(). Table view original text mismatch	2024.01.02	4518
568	avro 사용하기(avsc 스키마 파일 컴파일 방법, consumer, producer샘플소스)	2016.07.08	4518
567	resouce manager에 dr.who가 아닌 다른 사용자로 로그인 하기	2018.06.28	4517
566	[Atlas Server]org.apache.hadoop.hbase.security.AccessDeniedException: Insufficient permissions (user=atlas/node01.gooper.com@GOOPER.COM, scope=default:atlas_janus, params=[table=default:atlas_janus,], action-CREATE)]	2023.05.15	4516
565	원격 리포지토리에서 최초 clone시 Permission denied (publickey). 오류발생시 조치사항	2017.06.20	4516
564	[Kudu] tablet server 혹은 kudu master가 어떤 원인에 의해서 replica가 failed상태인 경우 복구하는 방법	2021.05.24	4508
563	impala 설치/설정	2016.06.03	4505
562	How to Install Magento 2.4.7 on Ubuntu 24.04	2024.09.04	4502
561	우분투에서 패키지 설치시 E: Sub-process /usr/bin/dpkg returned an error code 발생시 조치	2017.05.02	4502
560	Jena 2.3를 Hadoop 2.7.2의 NFS로 mount하고 fuseki를 이용하여 start할때 오류 메세지	2016.12.02	4497
559	Nodes of the cluster (unhealthy)중 1/1 log-dirs are bad: 오류 해결방법	2015.05.17	4497
558	CM의 Impala->Query tab에서 FINISHED query가 보이지 않는 현상	2021.08.31	4494
557	sqoop export/import등을 할때 driver를 못찾는 오류가 발생하면...	2014.05.15	4489
556	[SBT] assembly시 "[error] deduplicate: different file contents found in the following:"오류 발생시 조치사항	2016.08.04	4488
555	index생성, 삭제, 활용	2014.04.25	4488
554	hue.desktop_document2의 type의 종류	2020.02.10	4483
553	클러스터내의 전체 workflow및 coordinator현황을 사용자별로 추출하는 방법	2021.11.25	4479
552	postgresql-9.4에서 FATAL: remaining connection slots are reserved for non-replication superuser connections가 나올때 조치	2018.08.16	4479
551	ExWordCount jar파일	2013.03.06	4475

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0