Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
741	VirtualBox에 ubuntu 설치 하기 (12.10)	2013.03.04	1944
740	우분투 root 패스워드 설정하기	2013.03.04	1394
739	메이븐 (maven) 설치 및 이클립스 연동하기	2013.03.06	2489
738	Hadoop 설치 및 시작하기	2013.03.06	2076
737	Hadoop wordcount 소스 작성	2013.03.06	2066
736	이클립스에서 생성한 jar 파일 hadoop 으로 실행하기	2013.03.06	3015
735	ExWordCount jar파일	2013.03.06	1560
734	Hadoop Cluster 설치 (Hadoop+Zookeeper+Hbase)	2013.03.07	4063
733	Hive+mysql 설치 및 환경구축하기	2013.03.07	2799
732	Hive 사용법 및 쿼리 샘플코드	2013.03.07	3081
731	hadoop 설치(3대)	2013.03.07	2688
730	hadoop설치시 참고사항	2013.03.08	2293
729	MySQL 다운로드 및 리눅스에서 간단 컴파일 설치	2013.03.08	1950
728	checking for termcap functions library... configure: error: No curses/termcap library found	2013.03.08	4187
727	../depcomp: line 512 exec : g++ : not found	2013.03.08	2145
726	org.apache.hadoop.hdfs.server.common.InconsistentFSStateException: Directory /tmp/hadoop-root/dfs/name is in an inconsistent state: storage directory does not exist or is not accessible.	2013.03.11	14837
725	HBase 설치하기 – Pseudo-distributed	2013.03.12	2819
724	HBase 설치하기 – Fully-distributed	2013.03.12	3792
723	Cacti로 Hadoop 모니터링 하기	2013.03.12	2504
722	org.apache.hadoop.hbase.PleaseHoldException: Master is initializing	2013.03.15	2876

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0