Question

Hi!

I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"

2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.

3. Trojan will run via command: /tmp/java -c /tmp/w.conf.

I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!

Many thank!

Answer 1

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use Firewall / IP table settings to allow access only to whitelisted IP addresses for Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points ( e.g WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends affected customers to involve their internal security team to find out the extent of damage and lateral movement inside network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

Answer 2

Thanks Sandeep!

I have use firewall block port for yarn resource (8088)!. And all yarn application from user dr.who has gone!

번호	제목	날짜	조회 수
750	[Shellscript]Impala view의 실제 참조 테이블 추출용 shellscript파일	2025.03.22	1003
749	엑셀에서 K ,M, G ,T 단위를 숫자로 변환 하는 수식	2025.04.09	1264
748	beeline을 이용한 impala JDBC 테스트 방법(Kerberos 설정된 상태임)	2024.11.29	1542
747	외부에서 ImpalaJDBC42.jar를 통해서 Impala에 접속시 sessions정보	2024.11.26	1626
746	test333	2017.05.01	1834
745	http://blog.naver.com...	2017.06.23	1839
744	Failed to resolve 'acme-v02.api.letsencrypt.org' ([Errno -3] Temporary failure in name resolution)"	2024.11.27	1918
743	eclipse 3.1 단축키 정리파일	2017.01.02	2058
742	5건의 triple data를 이용하여 특정 작업 폴더에서 작업하는 방법/절차	2016.06.16	2079
741	[vi] test.nq파일에서 특정문자열(예, <>)을 찾아서 포함되는 라인을 삭제한 동일한 이름의 파일을 만드는 방법	2017.01.25	2079
740	Windows에서 sbt개발환경 구축 방법(링크)	2016.06.02	2087
739	[EncryptionZone]User:testuser not allowed to do "DECRYPT_EEK" on 'testkey'	2023.06.29	2097
738	외부 jar파일을 만들려고하는jar파일의 package로 포함하는 방법	2016.08.10	2105
737	java스레드 덤프 분석하기	2016.11.03	2114
736	restaurant-controller,에서 등록 예시	2022.04.30	2124
735	DataSetCreator.py 실행시 파일을 찾을 수 없는 오류	2016.05.27	2129
734	실시간 쿼리 변환 모니터링(팩트내 필드값의 변경사항을 실시간으로 추적함)하는 테스트 java 프로그램	2016.07.21	2129
733	[oracle]10자리 timestamp값을 날짜로 변환하는 방법	2022.04.14	2164
732	하둡기반 데이타 모델링(6편)	2018.06.27	2178
731	[메모리 덤프파일 분석]	2017.03.31	2242

Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Cloudera CDH/CDP 및 Hadoop EcoSystem, Semantic IoT등의 개발/운영 기술을 정리합니다. gooper@gooper.com로 문의 주세요.

Cloudera CDH/CDP dr.who로 공격들어오는 경우 조치방법

HDP 2.6.1 Virus CrytalMiner (dr.who)

2 Replies

댓글 0