
Xbash hits a vulnerable server
“If Xbash hits a vulnerable server, and can infect it, it first wipes the host's databases”
How does Xbash initially infect the server and could we have a link to the actual Xbash source code?
Hadoop databases haven't been getting much interest from hackers so far, compared to other data silos, but that's changing, according to a new study. Security shop Securonix, reports that its research team has seen a sharp rise in attacks targeting known vulnerabilities in Hadoop components such as Hadoop YARN, Redis, and …
The means of infection are given in the article and linked-to post: Xbash uses three known vulnerabilities in Hadoop, Redis and ActiveMQ to hijack a machine and propagate.
* Hadoop YARN ResourceManager unauthenticated command execution, which was first disclosed in October 2016 and has no CVE number assigned.
* Redis arbitrary file write and remote command execution, which was first disclosed in October 2015 and has no CVE number assigned.
* ActiveMQ arbitrary file write vulnerability, CVE-2016-3088.
The source is apparently here - caveat emptor:
https://github.com/h3ct0rjs/XBash-malware-files
C.
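The three footholds listed in the reply above share one root cause: a service that will take commands from whoever can reach its port. As an added illustration (not part of the original thread or of Xbash itself), the following Python script audits constructed Redis and Hadoop configuration samples for the settings that leave them in that state, and shows the hardened form beside each. All sample files, the placeholder password and the finding messages are constructed for this example; the configuration directives (`requirepass`, `protected-mode`, `bind`, `rename-command`, `hadoop.security.authentication`, `hadoop.security.authorization`) are the real ones.

```python
"""Audit constructed Redis and Hadoop configuration samples for settings
that let unauthenticated remote clients drive the service (example code,
not from the article or the Xbash repository)."""
import xml.etree.ElementTree as ET

# Constructed sample: a near-default redis.conf, no password, bound to every interface.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so any client is fully trusted
# requirepass change-me
"""

# Constructed sample: the same file after hardening.
HARDENED_REDIS_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass placeholder-change-me
rename-command CONFIG ""
"""

# Constructed sample: a Hadoop core-site.xml still using 'simple' authentication.
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.security.authorization</name><value>false</value></property>
</configuration>
"""

# Constructed sample: Kerberos authentication plus service-level authorization.
HARDENED_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.security.authorization</name><value>true</value></property>
</configuration>
"""


def parse_redis_conf(text):
    """Return a list of (directive, args) for active lines; comments and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        entries.append((parts[0].lower(), parts[1:]))
    return entries


def audit_redis(text):
    """Return a list of finding strings; an empty list means no weak setting was found."""
    entries = parse_redis_conf(text)
    values = {d: a for d, a in entries}  # last occurrence wins, as in Redis itself
    renamed = {a[0].lower() for d, a in entries if d == "rename-command" and a}
    findings = []
    if "requirepass" not in values:
        findings.append("redis: no requirepass, every client that reaches the port is trusted")
    if values.get("protected-mode", ["yes"])[0].lower() != "yes":
        findings.append("redis: protected-mode is disabled")
    if any(addr in ("0.0.0.0", "::", "*") for addr in values.get("bind", ["0.0.0.0"])):
        findings.append("redis: bound to all interfaces instead of a local or private address")
    if "config" not in renamed:
        findings.append("redis: CONFIG is not renamed, clients can rewrite persistence settings")
    return findings


def parse_hadoop_xml(text):
    """Return {property name: value} from a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_hadoop(text):
    """Return findings for a core-site.xml; Hadoop defaults to 'simple' auth when unset."""
    props = parse_hadoop_xml(text)
    findings = []
    if props.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("hadoop: 'simple' authentication, callers are trusted by claimed username")
    if props.get("hadoop.security.authorization", "false").lower() != "true":
        findings.append("hadoop: service-level authorization is disabled")
    return findings


if __name__ == "__main__":
    for label, fn, sample in [("weak redis", audit_redis, WEAK_REDIS_CONF),
                              ("hardened redis", audit_redis, HARDENED_REDIS_CONF),
                              ("weak hadoop", audit_hadoop, WEAK_CORE_SITE),
                              ("hardened hadoop", audit_hadoop, HARDENED_CORE_SITE)]:
        print(label, "->", fn(sample) or "clean")
```

Run against a real `redis.conf` or `core-site.xml`, the same two functions give a quick read on whether a cluster that is "isolated and deep within the enterprise" would still be defended if that isolation ever slipped, which is the point the later comments in this thread are making.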
This is one reason to keep Hadoop in the DC and not on the cloud.
Not that you can't run in the cloud, but you need to take more precautions.
If set up correctly, Hadoop can be fairly secure.
At the same time... most Hadoop clusters are isolated and deep within the enterprise.
Unless of course you're running on the cloud. Then YMMV depending on which cloud provider and how careful your entire staff is...
Biting the hand that feeds IT © 1998–2022