
Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Notes on developing and operating Cloudera CDH/CDP, the Hadoop ecosystem, Semantic IoT and related technology. Contact gooper@gooper.com with questions.


*Source: https://community.hortonworks.com/questions/191898/hdp-261-virus-crytalminer-drwho.html


HDP 2.6.1 Virus CrytalMiner (dr.who)

Question by Huy Duong, May 16 at 01:00 PM. Tags: hdp-2.6.0, hdp-2.6.1

Hi!

I'm using HDP 2.6.1. Everything was OK, but recently I have had a problem with YARN applications. I have found a type of virus. Its workflow:
1. Some service submits a YARN application with the user name "dr.who".

2. When the YARN application is submitted, a script container runs on the worker. The script contains malware that downloads the Trojan CrytalMiner.

3. The Trojan runs via the command: /tmp/java -c /tmp/w.conf.

I have killed the job, but it re-runs after about 15 minutes. I don't know where the YARN application with user "dr.who" is submitted from! Has anybody had the same problem? Please check and show how to remove this!

Many thanks!

BEST ANSWER

Answer by Sandeep Nemuri  

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use firewall / iptables settings to allow access only from whitelisted IP addresses to the Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points (e.g. WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually log in to the cluster machines, check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf”, and kill them.

Hortonworks strongly recommends that affected customers involve their internal security team to find out the extent of damage and lateral movement inside the network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

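The clean-up steps 2a and 2b of the accepted answer, as an added example written for this page (not Hortonworks' own tooling and not from the original thread). It assumes the padded, tab-separated column layout that `yarn application -list` prints (Application-Id, Application-Name, Application-Type, User, ...) and runs offline on constructed sample output; the live commands for a ResourceManager node, the worker nodes and the firewall step 1a are shown in comments, with a placeholder subnet to be replaced by the hosts that legitimately reach the Resource Manager.

```shell
#!/bin/sh
# Added example: triage helpers for the accepted answer's clean-up steps.
# Runs on constructed samples; real invocations are in the comments at the end.

app_row() {
  # Mimics the padded, tab-separated row layout of `yarn application -list` (assumption).
  printf '%32s\t%20s\t%20s\t%10s\t%10s\t%18s\t%18s\t%15s\t%35s\n' "$@"
}

# Constructed sample of `yarn application -list -appStates SUBMITTED,ACCEPTED,RUNNING`.
SAMPLE_APPS="Total number of applications (application-types: [] and states: [SUBMITTED, ACCEPTED, RUNNING]):3
$(app_row Application-Id Application-Name Application-Type User Queue State Final-State Progress Tracking-URL)
$(app_row application_1526400000000_0007 MYYARN YARN dr.who default RUNNING UNDEFINED 10% N/A)
$(app_row application_1526400000000_0008 'word count' MAPREDUCE alice default RUNNING UNDEFINED 55% http://rm.example:8088/proxy/application_1526400000000_0008/)
$(app_row application_1526400000000_0009 MYYARN YARN bob default ACCEPTED UNDEFINED 0% N/A)"

# Constructed sample of `ps -eo pid,args` on a worker node.
SAMPLE_PS="  PID COMMAND
    1 /sbin/init
 4242 /tmp/java -c /tmp/w.conf
 4300 /bin/bash /tmp/z_2.sh
 5000 /usr/jdk64/bin/java -Dproc_nodemanager org.apache.hadoop.yarn.server.nodemanager.NodeManager"

# Step 2a: read `yarn application -list` output on stdin and print the IDs of
# applications submitted as dr.who or named MYYARN. Review the list before killing:
# a MYYARN app from a real user (bob below) may be legitimate.
suspicious_app_ids() {
  awk -F'\t' '
    $1 ~ /^ *application_/ {
      id = $1; name = $2; user = $4
      gsub(/^ +| +$/, "", id); gsub(/^ +| +$/, "", name); gsub(/^ +| +$/, "", user)
      if (user == "dr.who" || name == "MYYARN") print id
    }'
}

# Step 2b: read `ps -eo pid,args` output on stdin and print PIDs whose command line
# references the indicators from the answer. The NodeManager JVM must not match.
suspicious_pids() {
  awk 'NR > 1 && ($0 ~ /\/tmp\/java/ || $0 ~ /\/tmp\/w\.conf/ || $0 ~ /z_2\.sh/) { print $1 }'
}

echo "Applications to review (sample):"
printf '%s\n' "$SAMPLE_APPS" | suspicious_app_ids
echo "Processes to kill (sample):"
printf '%s\n' "$SAMPLE_PS" | suspicious_pids

# Live cluster, on a ResourceManager or client node (after reviewing the list):
#   yarn application -list -appStates SUBMITTED,ACCEPTED,RUNNING | suspicious_app_ids \
#     | while read -r id; do yarn application -kill "$id"; done
# On every worker node:
#   ps -eo pid,args | suspicious_pids | while read -r pid; do kill -9 "$pid"; done
# Step 1a, on both Resource Managers (10.0.0.0/8 is a placeholder for your allowed hosts):
#   iptables -I INPUT -p tcp --dport 8088 ! -s 10.0.0.0/8 -j DROP
```

The process filter matches the exact paths named in the answer rather than any `java`, so the NodeManager's own JVM is not flagged; the application filter deliberately reports MYYARN jobs from real users too, because the answer asks for verification before the kill, and that decision belongs to the operator, not the script.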

Answer by Huy Duong 

Thanks Sandeep!

I have used the firewall to block the port for the YARN Resource Manager (8088)! And all YARN applications from user dr.who are gone!
