Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
541	spark-shell실행시 "A read-only user or a user in a read-only database is not permitted to disable read-only mode on a connection."오류가 발생하는 경우 해결방법	2016.05.20	627
540	Spark 1.6.1 설치후 HA구성	2016.05.24	731
539	spark-env.sh에서 사용할 수있는 항목.	2016.05.24	859
538	"Initial job has not accepted any resources; check your cluster UI to ensure that workers are registered and have sufficient resources"오류 발생시 조치사항	2016.05.25	1133
537	spark 온라인 책자링크 (제목 : mastering-apache-spark)	2016.05.25	165
536	spark-submit으로 spark application실행하는 다양한 방법	2016.05.25	387
535	RDF storage조합에대한 test결과(4store, Jena+HBase, Hive+HBase, CumulusRDF, Couchbase) 페이지 링크	2016.05.26	276
534	CentOS6에 python3.5.1 소스코드로 빌드하여 설치하기	2016.05.27	439
533	S2RDF 테스트(벤치마크 테스트를 기준으로 python, scala소스가 만들어져서 기능은 파악되지 못함) [2]	2016.05.27	135
532	python실행시 ValueError: zero length field name in format오류 해결방법	2016.05.27	526
531	python 2.6.6에서 print 'A=' 형태의 사용이 python 3.5.1에서 오류(SyntaxError: Missing parentheses in call to 'print') 발생함..	2016.05.27	333
530	DataSetCreator.py 실행시 파일을 찾을 수 없는 오류	2016.05.27	141
529	--master yarn 옵션으로 spark client프로그램 실행할때 메모리 부족 오류발생시 조치방법	2016.05.27	218
528	spark client프로그램 기동시 "Error initializing SparkContext"오류 발생할때 조치사항	2016.05.27	615
527	Job이 끝난 log을 볼수 있도록 설정하기	2016.05.30	660
526	centos에 sbt 0.13.5 설치	2016.05.30	354
525	Scala버젼 변경 혹은 상황에 맞게 Spark소스 컴파일하기	2016.05.31	504
524	"암은 평범한 병, 심호흡만 잘해도 암세포 분열 저지”	2016.06.02	143
523	Windows에서 sbt개발환경 구축 방법(링크)	2016.06.02	178
522	hive 2.0.1 설치및 mariadb로 metastore 설정	2016.06.03	5294

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0