HIGH: Accessible Hadoop Report

DESCRIPTION LAST UPDATED: 2023-12-12

DEFAULT SEVERITY LEVEL: HIGH

This report identifies hosts that are running Hadoop and have either the NameNode or DataNode web interfaces running and accessible to the world on the Internet.

At a minimum, this can allow for information-gathering against the target organization.

In other instances, it may allow a threat actor to manipulate the Hadoop instance.

Severity levels are described here.

Track exposed Hadoop instances on our Dashboard.

For more information on our scanning efforts, check out our Internet scanning summary page.

Fields

  • timestamp
    Time that the IP was probed in UTC+0
  • severity
    Severity level
  • ip
    The IP address of the device in question
  • protocol
    Protocol that the response came on (always TCP)
  • port
    Port that the response came from (50070/TCP or 50075/TCP)
  • hostname
    Reverse DNS name of the device in question
  • version
    Running version of Hadoop
  • tag
    Will always be hadoop
  • asn
    ASN of where the device in question resides
  • geo
    Country where the device in question resides
  • region
    State / Province / Administrative region where the device in question resides
  • city
    City in which the device in question resides
  • naics
    North American Industry Classification System Code
  • hostname_source
    Hostname source
  • server_type
    The type of service that responded; this value is either "namenode" (response to probe on port 50070/TCP) or "datanode" (response to probe on port 50075/TCP); fields that contain data from only one type of response are denoted with either "namenode" or "datanode"
  • clusterid
    Unique ID of the cluster
  • total_disk
    The total amount of disk space available to Hadoop (in bytes) (namenode responses only)
  • used_disk
    The amount of disk space used by Hadoop (in bytes) (namenode responses only)
  • free_disk
    The amount of disk space free to Hadoop (in bytes) (namenode responses only)
  • livenodes
    The first live datanode name listed in the response (namenode responses only)
  • namenodeaddress
    Trivial hostname of the NameNode that the DataNode is associated with (datanode responses only)
  • volumeinfo
    The path that the hadoop data is stored in (datanode responses only)
  • sector
    Sector the device belongs to

Sample

"timestamp","severity","ip","protocol","port","hostname","version","asn","geo","region","city","naics","hostname_source","server_type","clusterid","total_disk","used_disk","free_disk","livenodes","namenodeaddress","volumeinfo","sector"
"2010-02-10 00:00:00",high,192.168.0.1,tcp,50070,node01.example.com,"2.8.2, r66c47f2a01ad9637879e95f80c41f798373828fb",64512,ZZ,Region,City,0,ptr,namenode,CID-840e2350-6b26-4be3-8d8a-57d8b6967ba3,84280803328,57344,60484067328,node01.example.com,,,
"2010-02-10 00:00:01",high,192.168.0.2,tcp,50070,node02.example.com,"3.2.3, rabe5358143720085498613d399be3bbf01e0f131",64512,ZZ,Region,City,0,ptr,namenode,CID-de1c595a-b4fc-4a37-a07c-be2e33e0dfd6,42005135360,205746176,21788602368,node02.example.com,,,
"2010-02-10 00:00:02",high,192.168.0.3,tcp,50070,node03.example.com,"2.8.5, r0b8464d75227fcee2c6e7f2410377b3d53d3d5f8",64512,ZZ,Region,City,0,,namenode,CID-a072c782-e4f6-4940-aac5-da1174672d35,63278391296,524390,15604576422,node03.example.com,,,

Our 132 Report Types

« Back to Network Reporting