
Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

This site collects development and operations techniques for Cloudera CDH/CDP, the Hadoop ecosystem, Semantic IoT and more. Please send inquiries to gooper@gooper.com.


*Source: https://community.hortonworks.com/questions/191898/hdp-261-virus-crytalminer-drwho.html


HDP 2.6.1 Virus CrytalMiner (dr.who)

Question by Huy Duong, May 16 at 01:00 PM. Tags: hdp-2.6.0, hdp-2.6.1

Hi!

I'm using HDP 2.6.1. Everything was OK, but recently I have had a problem with a YARN application. I have found a type of virus. Its workflow:
1. Some service submits a YARN application with user name "dr.who".

2. When the YARN application is submitted, a container script runs on the worker. The script contains malware that downloads the Trojan CrytalMiner.

3. The Trojan runs via the command: /tmp/java -c /tmp/w.conf.

I have killed the job, but it re-runs after about 15 minutes. I don't know where the YARN application with user "dr.who" is submitted from! Does anybody have the same problem? Please check and show how to remove this!

Many thanks!

BEST ANSWER

Answer by Sandeep Nemuri  

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use firewall / iptables settings to allow access to the Resource Manager port (default 8088) only from whitelisted IP addresses. Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points (e.g. WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually log in to the cluster machines, check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf”, and kill them.

Hortonworks strongly recommends that affected customers involve their internal security team to find out the extent of the damage and of lateral movement inside the network. Affected customers will need to do a clean, secure installation after backup and ensure that the data is not contaminated.

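The cleanup in step 2 of the accepted answer, as added helper functions (this is an added example, not code from the original thread or from Hortonworks). It assumes the tab-separated, space-padded columns of `yarn application -list` (Application-Id, Application-Name, Application-Type, User, ...) and of `ps -eo pid,user,args`; both readers take that text on stdin so saved output can be triaged before anything is killed, and the kill commands are only printed unless DO_KILL=yes.

```shell
#!/usr/bin/env bash
# Added triage helpers for the dr.who / MYYARN cleanup described in the answer.
# Assumed input formats (not shown on the page):
#   yarn application -list  -> tab-separated, space-padded columns
#   ps -eo pid,user,args    -> "PID USER ARGS" with a one-line header

# Emit "app_id user app_name" for every application named MYYARN or owned by dr.who.
# Usage: yarn application -list -appStates RUNNING,ACCEPTED | suspicious_apps
suspicious_apps() {
    awk -F'\t' '
        $1 ~ /application_/ {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)   # trim padding
            if ($2 == "MYYARN" || $4 == "dr.who") print $1, $4, $2
        }'
}

# Emit "pid user args" for processes matching the indicators from the answer.
# Usage: ps -eo pid,user,args | suspicious_procs
suspicious_procs() {
    awk 'NR > 1 && ($0 ~ /z_2\.sh/ || $0 ~ /\/tmp\/java/ || $0 ~ /\/tmp\/w\.conf/) {
        pid = $1; user = $2; $1 = ""; $2 = ""; sub(/^ +/, "")   # keep only the args
        print pid, user, $0
    }'
}

# Turn triage output (either function above) into kill commands.
# Commands are printed for review; they run only when DO_KILL=yes is exported.
kill_commands() {
    while read -r id _rest; do
        case "$id" in
            application_*) cmd="yarn application -kill $id" ;;
            *[!0-9]*|"")   continue ;;                      # not an app id or a pid
            *)             cmd="kill -9 $id" ;;
        esac
        if [ "${DO_KILL:-no}" = "yes" ]; then $cmd; else echo "$cmd"; fi
    done
}
```

Review the printed list against your own users' jobs first, as the answer advises, then re-run with `DO_KILL=yes` on each cluster node.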

Answer by Huy Duong 

Thanks Sandeep!

I have used the firewall to block the YARN Resource Manager port (8088), and all YARN applications from user dr.who are gone!
