메뉴 건너뛰기

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.


*출처 : https://community.hortonworks.com/questions/191898/hdp-261-virus-crytalminer-drwho.html


HDP 2.6.1 Virus CrytalMiner (dr.who)

Question by Huy Duong May 16 at 01:00 PM hdp-2.6.0hdp-2.6.1

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

virus.png (70.3 kB)
avatar image
BEST ANSWER

Answer by Sandeep Nemuri  

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

 4 · Share
avatar image

Answer by Huy Duong 

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

 0 · Share
번호 제목 날짜 조회 수
610 missing block및 관련 파일명 찾는 명령어 2021.02.20 4568
609 lombok설치방법 2020.06.20 2604
608 [sap] Error: java.io.IOException: SQLException in nextKeyValue 오류 발생 2020.06.08 4247
607 [kudu]테이블 drop이 안되고 timeout이 걸리는 경우 조치 방법 2020.06.08 4205
606 [oozie] oozie shell action에서 shellscript수행결과의 2개 변수를 decision 액션에서 사용하기 2020.06.05 3793
605 [Sentry]HDFS의 ACL을 Sentry와 연동후 테스트 2020.06.02 4132
604 [sqoop] mapper를 2이상으로 설정하기 위한 split-by컬럼을 찾을때 유용하게 활용할 수 있는 쿼리 2020.05.13 4670
603 mysql sqoop작업을 위해서 mysql-connector-java.jar을 추가하는 경우 확실하게 인식시키는 방법 2020.05.11 3750
602 W/F수행후 Logs not available for 1. Aggregation may not to complete. 표시되며 로그내용이 보이지 않은 경우 2020.05.08 4968
601 A Cluster의 HDFS 디렉토리및 파일을 사용자및 권한 유지 하여 다운 받아서 B Cluster에 넣기 2020.05.06 3942
600 impala external 테이블 생성시 컬럼과 라인 구분자를 지정하여 테이블 생성하는 예시 2020.02.20 3852
599 [Kerberos]Kerberos상태의 클러스터에 JDBC로 접근할때 케이스별 오류내용 2020.02.14 7066
598 cloudera서비스 중지및 기동순서 2020.02.14 4266
597 impala테이블 쿼리시 max_row_size 관련 오류가 발생할때 조치사항 2020.02.12 3856
596 hue.axes_accessattempt테이블 데이터 샘플 2020.02.10 4313
595 hue.desktop_document2의 type의 종류 2020.02.10 4485
594 hue db에서 사용자가 가지는 정보 확인 2020.02.10 5106
593 Cloudera의 CMS각 컴포넌트의 역할 2020.02.10 4392
592 Namenode Metadata백업하는 방법 2020.02.10 3888
591 cloudera의 hue에서 사용자가 사용한 쿼리 목록 2020.02.07 3721
위로