메뉴 건너뛰기

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.


*출처 : https://community.hortonworks.com/questions/191898/hdp-261-virus-crytalminer-drwho.html


HDP 2.6.1 Virus CrytalMiner (dr.who)

Question by Huy Duong May 16 at 01:00 PM hdp-2.6.0hdp-2.6.1

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

virus.png (70.3 kB)
avatar image
BEST ANSWER

Answer by Sandeep Nemuri  

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

 4 · Share
avatar image

Answer by Huy Duong 

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

 0 · Share
번호 제목 날짜 조회 수
670 "bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')])" 오류는 CA인증을 하지 못해서 발생함 2022.05.13 3992
669 [TLS/SSL]Kudu Tablet Server설정 2022.05.13 4208
668 [TLS/SSL]Kudu Master 설정하기 2022.05.13 4292
667 [TLS/SSL]Cloudera 6.3.4기준 Oozie Web UI TLS설정 항목및 설정값 2022.05.13 4195
666 [TLS/SSL]Cloudera CDH6.3.4기준 Hue TLS설정 항목 2022.05.13 4656
665 [HIVESERVER2]프로세스의 thread및 stack trace를 덤프하는 방법(pstack, jstack) 2022.05.11 4069
664 [Hue]Hue의 메타정보를 담고 있는 desktop_document테이블과 desktop_document2의 관계 2022.05.09 4529
663 Error: IO_ERROR : java.io.IOException: Error while connecting Oozie server 2022.05.02 4618
662 oozie webui접근시 id/pw를 물어보는 Windows보안 팝업창이 뜰때 확인/조치방법 2022.05.02 4588
661 [개발] 온라인 IDE - 개발 환경 구축 없어 어디서나 웹브라우저로 개발하기 2022.05.02 4105
660 [bitbucket] 2022년 3월 2일 부터 git 작업시 기존에 사용하던 비빌번호를 사용할 수 없도록 변경되었다. 2022.04.30 4241
659 주문히스토리 조회 2022.04.30 2617
658 주문 생성 데이터 예시 2022.04.30 2329
657 restaurant-controller,에서 등록 예시 2022.04.30 2124
656 Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any kerberos tgt) 2022.04.28 4256
655 [oracle]10자리 timestamp값을 날짜로 변환하는 방법 2022.04.14 2164
654 [hive] hive.tbls테이블의 owner컬럼값은 hadoop.security.auth_to_local에 의해서 filtering된다. 2022.04.14 3250
653 collection생성혹은 collection조회시 Plugin init failure for [schema.xml] fieldType "pdate": Error loading class 'solr.IntField' 오류 조치사항 2022.04.07 3441
652 hue메타 정보를 저장(oracle DB)하는 내부 테이블을 이용하여 전체 테이블목록, 전체 코디네이터 목록, 코디네이터기준 workflow구조를 추출하는 쿼리문 2022.04.01 3153
651 HDFS에서 quota 설정 방법및 확인 방법 2022.03.30 4107
위로