Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
610	missing block및 관련 파일명 찾는 명령어	2021.02.20	4569
609	lombok설치방법	2020.06.20	2606
608	[sap] Error: java.io.IOException: SQLException in nextKeyValue 오류 발생	2020.06.08	4251
607	[kudu]테이블 drop이 안되고 timeout이 걸리는 경우 조치 방법	2020.06.08	4456
606	[oozie] oozie shell action에서 shellscript수행결과의 2개 변수를 decision 액션에서 사용하기	2020.06.05	3798
605	[Sentry]HDFS의 ACL을 Sentry와 연동후 테스트	2020.06.02	4133
604	[sqoop] mapper를 2이상으로 설정하기 위한 split-by컬럼을 찾을때 유용하게 활용할 수 있는 쿼리	2020.05.13	4675
603	mysql sqoop작업을 위해서 mysql-connector-java.jar을 추가하는 경우 확실하게 인식시키는 방법	2020.05.11	3752
602	W/F수행후 Logs not available for 1. Aggregation may not to complete. 표시되며 로그내용이 보이지 않은 경우	2020.05.08	4971
601	A Cluster의 HDFS 디렉토리및 파일을 사용자및 권한 유지 하여 다운 받아서 B Cluster에 넣기	2020.05.06	4099
600	impala external 테이블 생성시 컬럼과 라인 구분자를 지정하여 테이블 생성하는 예시	2020.02.20	3855
599	[Kerberos]Kerberos상태의 클러스터에 JDBC로 접근할때 케이스별 오류내용	2020.02.14	7072
598	cloudera서비스 중지및 기동순서	2020.02.14	4271
597	impala테이블 쿼리시 max_row_size 관련 오류가 발생할때 조치사항	2020.02.12	3906
596	hue.axes_accessattempt테이블 데이터 샘플	2020.02.10	4316
595	hue.desktop_document2의 type의 종류	2020.02.10	4488
594	hue db에서 사용자가 가지는 정보 확인	2020.02.10	5108
593	Cloudera의 CMS각 컴포넌트의 역할	2020.02.10	4393
592	Namenode Metadata백업하는 방법	2020.02.10	3890
591	cloudera의 hue에서 사용자가 사용한 쿼리 목록	2020.02.07	3724

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0