Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
670	kafka-manager 1.3.3.4 설정및 실행하기	2017.03.20	4976
669	scan의 startrow, stoprow지정하는 방법	2015.04.08	4972
668	[oozie]Oozie WF수행시 단계별 ID넘버링 비교/설명	2022.03.23	4968
667	oozie의 meta정보를 mysql에서 관리하기	2014.05.26	4967
666	hadoop설치시 오류	2013.12.18	4964
665	W/F수행후 Logs not available for 1. Aggregation may not to complete. 표시되며 로그내용이 보이지 않은 경우	2020.05.08	4961
664	hbase shell에서 컬럼값 검색하기(SingleColumnValueFilter이용)	2014.04.25	4961
663	Spark 2.1.1 clustering(5대) 설치(YARN기반)	2016.04.22	4959
662	db를 통째로 새로운 이름의 db로 복사하는 방법/절차	2017.11.14	4941
661	메이븐 (maven) 설치 및 이클립스 연동하기	2013.03.06	4941
660	[CDP7.1.7]BDR작업후 오류로 Diagnostic Data를 수집하는 동안 "No content to map due to end-of-input at [Source: (String)""; line: 1, column: 0]" 오류 발생시 조치	2024.02.20	4932
659	TLS/SSl설정시 방법및 참고 사항	2021.10.08	4925
658	Mysql DB 생성 및 권한. 특정아이피, 대역에 대한 접근 허용	2017.05.04	4907
657	갑자기 DataNode가 java.io.IOException: Premature EOF from inputStream를 반복적으로 발생시키다가 java.lang.OutOfMemoryError: Java heap space를 내면서 죽는 경우 조치방법	2017.07.19	4903
656	VisualVM 1.3.9을 이용한 spark-submit JVM 모니터링을 위한 설정및 spark-submit실행 옵션	2016.10.28	4903
655	[보안/인증]javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target발생 원인/조치내용	2023.10.24	4902
654	[HA구성 이슈]oozie 2대를 L4로 HA구성했을때 발생하는 이슈	2023.01.17	4901
653	Cacti로 Hadoop 모니터링 하기	2013.03.12	4901
652	oozie에서 share lib설정시 action type별로 구분하여 넣을것	2014.04.18	4899
651	Kudu tablet이 FAILED일때 원인 확인 방법	2022.01.17	4892

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0