Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	글쓴이	날짜	조회 수
659	주문 생성 데이터 예시	총관리자	2022.04.30	11
658	restaurant-controller,에서 등록 예시	총관리자	2022.04.30	33
657	Could not authenticate, GSSException: No valid credentials provided (Mechanism level: Failed to find any kerberos tgt)	총관리자	2022.04.28	27
656	[oracle]10자리 timestamp값을 날짜로 변환하는 방법	총관리자	2022.04.14	41
655	[hive] hive.tbls테이블의 owner컬럼값은 hadoop.security.auth_to_local에 의해서 filtering된다.	총관리자	2022.04.14	55
654	collection생성혹은 collection조회시 Plugin init failure for [schema.xml] fieldType "pdate": Error loading class 'solr.IntField' 오류 조치사항	총관리자	2022.04.07	107
653	hue메타 정보를 저장(oracle DB)하는 내부 테이블을 이용하여 전체 테이블목록, 전체 코디네이터 목록, 코디네이터기준 workflow구조를 추출하는 쿼리문	총관리자	2022.04.01	48
652	HDFS에서 quota 설정 방법및 확인 방법	총관리자	2022.03.30	55
651	[oozie]Oozie WF수행시 단계별 ID넘버링 비교/설명	총관리자	2022.03.23	16
650	[application수행 로그]Failed to read the application application_123456789012_123456시 조치 방법	총관리자	2022.03.21	46
649	Hue impala에서 query결과를 HDFS 파일로 export시 AuthorizationException: User 'gooper1234' does not have privileges to access: db명.query_impala_123456	총관리자	2022.03.17	214
648	[TLS]pkcs12형식의 인증서 생성및 jks형식 인증서 생성 커맨드 예시	총관리자	2022.03.15	121
647	[TLS]TLS용 사설 인증서 변경 혹은 신규 지정시 No trusted certificate found 오류 발생시 확인및 조치사항	총관리자	2022.03.15	60
646	[CentOS 7.4]Hadoop NFS gateway기동시 Cannot connect to port 2049 오류 발생시 확인/조치	총관리자	2022.03.02	74
645	Oracle RAC 구성된 DB서버에 대한 컴포넌트별 설정 방법	총관리자	2022.02.12	27
644	service name방식의 oracle을 메타정보 저장소로 사용할때 Hue Configuration설정하는 방법	총관리자	2022.02.12	15
643	oracle 접속 방식에 따른 --connect 지정 방법	총관리자	2022.02.11	24
642	[vue storefrontui]외부 API통합하기 참고 문서	총관리자	2022.02.09	7
641	vuestorefrontui.io를 이용한 front end project 생성하기	총관리자	2022.02.06	23
640	eclipse editor 설정방법	총관리자	2022.02.01	9

Bigdata, Semantic IoT, Hadoop, NoSQL

Bigdata, Hadoop ecosystem, Semantic IoT등의 프로젝트를 진행중에 습득한 내용을 정리하는 곳입니다.
필요한 분을 위해서 공개하고 있습니다. 문의사항은 gooper@gooper.com로 메일을 보내주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0

A personal place to organize information learned during the development of such Hadoop, Hive, Hbase, Semantic IoT, etc.
We are open to the required minutes. Please send inquiries to gooper@gooper.com.