Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
440	bananapi 5대(ubuntu계열 리눅스)에 yarn(hadoop 2.6.0)설치하기-ResourceManager HA/HDFS HA포함, JobHistory포함	2015.04.24	19290
439	mapreduce appliction을 실행시 "is running beyond virtual memory limits" 오류 발생시 조치사항	2017.05.04	17060
438	org.apache.hadoop.hdfs.server.common.InconsistentFSStateException: Directory /tmp/hadoop-root/dfs/name is in an inconsistent state: storage directory does not exist or is not accessible.	2013.03.11	14837
437	Hive Query Examples from test code (2 of 2)	2014.03.26	11466
436	drop table로 삭제했으나 tablet server에는 여전히 존재하는 테이블 삭제방법	2021.07.09	7941
435	insert hbase by hive ... error occured after 5 hours..HMaster가 뜨지 않는 장애에 대한 복구 방법	2014.04.29	7244
434	[DataNode]org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: hdfs/datanode03@GOOPER.COM from keytab hdfs.keytab오류	2023.04.18	6132
433	[Decommission]시 시간이 많이 걸리면서(수일) Decommission이 완료되지 않는 경우 조치	2018.01.03	6059
432	HBase shell로 작업하기	2013.03.15	5924
»	dr.who로 공격들어오는 경우 조치방법	2018.06.09	5712
430	하둡 분산 파일 시스템을 기반으로 색인하고 검색하기	2013.03.15	5688
429	hive 2.0.1 설치및 mariadb로 metastore 설정	2016.06.03	5294
428	Spark에서 Serializable관련 오류및 조치사항	2017.04.21	5029
427	import 혹은 export할때 hive파일의 default 구분자는 --input-fields-terminated-by "x01"와 같이 지정해야함	2014.05.20	4345
426	sqoop작업시 hdfs의 개수보다 더많은 값이 중복되어 oracle에 입력되는 경우가 있음	2014.09.02	4213
425	다수의 로그 에이전트로 부터 로그를 받아 각각의 파일로 저장하는 방법(interceptor및 multiplexing)	2014.04.04	4158
424	Last transaction was partial에 따른 Unable to load database on disk오류 발생시 조치사항	2018.08.03	4099
423	Hadoop Cluster 설치 (Hadoop+Zookeeper+Hbase)	2013.03.07	4063
422	hadoop 2.6.0 기동(에코시스템 포함)및 wordcount 어플리케이션을 이용한 테스트	2015.05.05	3845
421	HBase 설치하기 – Fully-distributed	2013.03.12	3792

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0