Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	글쓴이	날짜	조회 수
660	access=WRITE, inode="staging":ubuntu:supergroup:rwxr-xr-x 오류	총관리자	2014.07.05	1719
659	index생성, 삭제, 활용	총관리자	2014.04.25	1702
658	List<Map<String, String>>형태의 데이타에서 중복제거 하는 방법	총관리자	2016.12.23	1691
657	갑자기 DataNode가 java.io.IOException: Premature EOF from inputStream를 반복적으로 발생시키다가 java.lang.OutOfMemoryError: Java heap space를 내면서 죽는 경우 조치방법	총관리자	2017.07.19	1677
656	hue db에서 사용자가 가지는 정보 확인	총관리자	2020.02.10	1644
655	Cloudera Manager설치및 Uninstall 방법(순서)	총관리자	2018.05.28	1642
654	impald에서 idle_query_timeout 와 idle_session_timeout 구분	총관리자	2021.05.20	1630
653	centos 5.X에 hadoop 2.0.5 alpha 설치	총관리자	2013.12.16	1581
652	Jena 2.3를 Hadoop 2.7.2의 NFS로 mount하고 fuseki를 이용하여 start할때 오류 메세지	총관리자	2016.12.02	1557
651	sqoop에서 oracle관련 작업할때 테이블명, 사용자명, DB명은 모두 대문자로 사용할것	총관리자	2014.05.15	1528
650	physical memory used되면서 mapper가 kill되는 경우 오류 발생시 조치	총관리자	2018.09.20	1522
649	FAILED: IllegalStateException Variable substitution depth too large: 40 오류발생시 조치사항	총관리자	2014.08.19	1521
648	Journal Storage Directory /data/hadoop/journal/data/mycluster not formatted 오류시 조치사항	총관리자	2016.07.29	1518
647	centsOS vsftpd설치하기	총관리자	2013.12.17	1515
646	jsoup 사용 예제	총관리자	2014.06.06	1506
645	hiverserver2기동시 connection refused가 발생하는 경우 조치방법	총관리자	2014.05.22	1471
644	oozie의 meta정보를 mysql에서 관리하기	총관리자	2014.05.26	1466
643	마이바티스(MyBatis)쿼리로그 출력및 정렬하기	총관리자	2015.12.01	1450
642	apt-get install mysql-server수행시 "404 Not Found" 오류발생시 조치방법	총관리자	2014.09.10	1450
641	우분투 16.04 LTS에 apache2와 tomcat7 연동하여 설치하기	총관리자	2014.05.09	1429

Bigdata, Semantic IoT, Hadoop, NoSQL

Bigdata, Hadoop ecosystem, Semantic IoT등의 프로젝트를 진행중에 습득한 내용을 정리하는 곳입니다.
필요한 분을 위해서 공개하고 있습니다. 문의사항은 gooper@gooper.com로 메일을 보내주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0

A personal place to organize information learned during the development of such Hadoop, Hive, Hbase, Semantic IoT, etc.
We are open to the required minutes. Please send inquiries to gooper@gooper.com.