Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
21	checking for termcap functions library... configure: error: No curses/termcap library found	2013.03.08	4189
20	sqoop작업시 hdfs의 개수보다 더많은 값이 중복되어 oracle에 입력되는 경우가 있음	2014.09.02	4214
19	import 혹은 export할때 hive파일의 default 구분자는 --input-fields-terminated-by "x01"와 같이 지정해야함	2014.05.20	4346
18	.git폴더를 삭제하고 다시 git에 추가하고 서버에 반영하는 방법	2017.06.19	4552
17	[gson]mongodb의 api를 이용하여 데이타를 가져올때 "com.google.gson.stream.MalformedJsonException: Unterminated object at line..." 오류발생시 조치사항	2017.12.11	4808
16	Spark에서 Serializable관련 오류및 조치사항	2017.04.21	5030
15	hive 2.0.1 설치및 mariadb로 metastore 설정	2016.06.03	5295
14	Ubuntu 16.04LTS 설치후 초기에 주어야 하는 작업(php, apache, mariadb설치및 OS보안설정등)	2017.05.23	5636
13	하둡 분산 파일 시스템을 기반으로 색인하고 검색하기	2013.03.15	5690
»	dr.who로 공격들어오는 경우 조치방법	2018.06.09	5713
11	HBase shell로 작업하기	2013.03.15	5926
10	cumulusRDF 1.0.1설치및 "KeyspaceCumulus" keyspace확인하기	2016.04.15	5945
9	[Decommission]시 시간이 많이 걸리면서(수일) Decommission이 완료되지 않는 경우 조치	2018.01.03	6062
8	[DataNode]org.apache.hadoop.security.KerberosAuthException: failure to login: for principal: hdfs/datanode03@GOOPER.COM from keytab hdfs.keytab오류	2023.04.18	6135
7	insert hbase by hive ... error occured after 5 hours..HMaster가 뜨지 않는 장애에 대한 복구 방법	2014.04.29	7249
6	Resource temporarily unavailable(자원이 일시적으로 사용 불가능함) 오류조치	2015.11.19	7708
5	drop table로 삭제했으나 tablet server에는 여전히 존재하는 테이블 삭제방법	2021.07.09	7943
4	Hive Query Examples from test code (2 of 2)	2014.03.26	11466
3	org.apache.hadoop.hdfs.server.common.InconsistentFSStateException: Directory /tmp/hadoop-root/dfs/name is in an inconsistent state: storage directory does not exist or is not accessible.	2013.03.11	14838
2	mapreduce appliction을 실행시 "is running beyond virtual memory limits" 오류 발생시 조치사항	2017.05.04	17061

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0