
Cloudera, BigData, Semantic IoT, Hadoop, NoSQL

Notes on developing and operating Cloudera CDH/CDP, the Hadoop ecosystem, Semantic IoT and related technologies. Questions to gooper@gooper.com.


*Source: https://community.hortonworks.com/questions/191898/hdp-261-virus-crytalminer-drwho.html


HDP 2.6.1 Virus CrytalMiner (dr.who)

Question by Huy Duong, May 16 at 01:00 PM. Tags: hdp-2.6.0, hdp-2.6.1

Hi!

I'm using HDP 2.6.1. Everything was OK, but recently I have a problem with a YARN application. I have found a type of virus. Its workflow:
1. Some service submits a YARN application with the user name "dr.who".

2. When the YARN application is submitted, the worker runs a script container. The script has malware that downloads the Trojan CrytalMiner.

3. The Trojan runs via the command: /tmp/java -c /tmp/w.conf.

I have killed the job, but it re-runs after about 15 minutes. I don't know where the YARN application with user "dr.who" is submitted from! Does anybody have the same problem? Please check and show how to remove this!

Many thank!

virus.png (70.3 kB)
BEST ANSWER

Answer by Sandeep Nemuri  

@Huy Duong

We've recently sent out a security notification regarding the same.

1. Stop further attacks:

a. Use firewall / iptables settings to allow access only from whitelisted IP addresses to the Resource Manager port (default 8088). Do this on both Resource Managers in your HA setup. This only addresses the current attack. To permanently secure your clusters, all HDP end-points (e.g. WebHDFS) must be blocked from open access outside of firewalls.

b. Make your cluster secure (kerberized).

2. Clean up existing attacks:

a. If you already see the above problem in your clusters, please filter all applications named “MYYARN” and kill them after verifying that these applications are not legitimately submitted by your own users.

b. You will also need to manually login into the cluster machines and check for any process with “z_2.sh” or “/tmp/java” or “/tmp/w.conf” and kill them.

Hortonworks strongly recommends that affected customers involve their internal security team to find out the extent of damage and lateral movement inside the network. The affected customers will need to do a clean secure installation after backup and ensure that data is not contaminated.

 4 · Share
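The answer above gives a three-part procedure (restrict port 8088, find and kill the "MYYARN" / dr.who applications after review, then hunt for z_2.sh, /tmp/java and /tmp/w.conf processes on the workers), and the question describes the workflow those indicators come from. The script below is an added example, not code from the Hortonworks answer or from HDP; it turns that procedure into reviewable shell functions. It assumes the tab-separated column layout that `yarn application -list` prints (Application-Id, Application-Name, Application-Type, User, ...), and both the YARN listing and the `ps` listing it is tested against are constructed samples, not output captured from an affected cluster.

```shell
#!/bin/sh
# Added example: triage helpers for the dr.who / MYYARN cleanup steps in the answer.
# Nothing here kills anything unless DRY_RUN=0 is set explicitly.

# Step 2a: print the Application-Id of every application whose name is MYYARN or
# whose submitting user is dr.who. Reads `yarn application -list` output on stdin.
# Assumes the CLI's tab-separated columns: Id, Name, Type, User, Queue, State, ...
suspicious_app_ids() {
  awk -F'\t' '
    /^application_/ {
      for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)  # strip column padding
      if ($2 == "MYYARN" || $4 == "dr.who") print $1
    }'
}

# Step 2b: flag processes matching the indicators from the answer. Reads
# `ps -eo pid,user,args` output on stdin. The [x] bracket trick keeps the grep
# process itself from matching its own command line when run against live ps.
suspicious_processes() {
  grep -E '[z]_2\.sh|/tmp/[j]ava|/tmp/[w]\.conf'
}

# Step 2a, live: list and (optionally) kill. Dry-run by default so the ids can be
# verified as not legitimately submitted by your own users before anything is killed.
kill_suspicious_apps() {
  for id in $(yarn application -list 2>/dev/null | suspicious_app_ids); do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "would kill $id"
    else
      yarn application -kill "$id"
    fi
  done
}

# Step 1a: emit iptables rules restricting the ResourceManager port (8088) to the
# given allow-list CIDRs, default-deny otherwise. Prints rather than applies them,
# so they can be reviewed and then run on each ResourceManager host (both in HA).
rm_firewall_rules() {
  for cidr in "$@"; do
    printf 'iptables -A INPUT -p tcp --dport 8088 -s %s -j ACCEPT\n' "$cidr"
  done
  printf 'iptables -A INPUT -p tcp --dport 8088 -j DROP\n'
}

# Constructed sample of `yarn application -list` output (not captured from a real cluster).
SAMPLE_APPS=$(
  printf 'Total number of applications (application-types: [] and states: [SUBMITTED, ACCEPTED, RUNNING]):3\n'
  printf 'Application-Id\tApplication-Name\tApplication-Type\tUser\tQueue\tState\tFinal-State\tProgress\tTracking-URL\n'
  printf 'application_1526456789012_0001\tMYYARN\tYARN\tdr.who\tdefault\tRUNNING\tUNDEFINED\t10%%\tN/A\n'
  printf 'application_1526456789012_0002\thive-etl-job\tMAPREDUCE\thive\tdefault\tRUNNING\tUNDEFINED\t55%%\tN/A\n'
  printf 'application_1526456789012_0003\tMYYARN\tYARN\tdr.who\tdefault\tACCEPTED\tUNDEFINED\t0%%\tN/A\n'
)

# Constructed sample of `ps -eo pid,user,args` output from a worker (paths are illustrative).
SAMPLE_PS=$(
  printf '  PID USER     COMMAND\n'
  printf ' 1201 yarn     /usr/jdk64/jdk1.8.0_112/bin/java -Dproc_nodemanager\n'
  printf ' 4312 yarn     /bin/bash /tmp/hadoop-yarn/nm-local-dir/usercache/dr.who/appcache/application_1526456789012_0001/z_2.sh\n'
  printf ' 4320 yarn     /tmp/java -c /tmp/w.conf\n'
)

# Demo against the constructed samples only; no yarn or iptables command is executed.
echo "suspicious applications:"
printf '%s\n' "$SAMPLE_APPS" | suspicious_app_ids
echo "suspicious processes:"
printf '%s\n' "$SAMPLE_PS" | suspicious_processes
echo "firewall rules for the ResourceManager hosts:"
rm_firewall_rules 10.10.0.0/24 10.10.1.5/32
```

On a live cluster, `yarn application -list | suspicious_app_ids` and `ps -eo pid,user,args | suspicious_processes` (run on every NodeManager host) give the review lists; `DRY_RUN=0 kill_suspicious_apps` only after the ids have been confirmed as not belonging to your own users. Killing processes from the ps match is left as a manual step, as the answer describes, so the security team can capture what they need first.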

Answer by Huy Duong 

Thanks Sandeep!

I have used the firewall to block the YARN ResourceManager port (8088). And all YARN applications from user dr.who are gone!

 0 · Share