dhis2-devs team mailing list archive
-
dhis2-devs team
-
Mailing list archive
-
Message #25709
Re: Malicious uploaded files to dhis. Tomcat bug or dhis?
Hi Thanh
Never seen this. But to answer how they could be uploaded to your folder,
there are many many ways.
First check that they are not bundled in your war file to start with (Just
to be paranoid I just rechecked the standard download from dhis2.org). ie.
be sure it is not the developer who is unwittingly (or wittingly!)
spreading this.
Then you need to tell us more about how your tomcat is deployed and on
what.
Basically you are looking at two possibilities - your operating system is
compromised and the offending items have been copied in to the webapps
folder. There are obviously a couple of ways this could happen. Or a
weakness is being exposed by an application running on the webserver itself.
The second is more likely. The first would assume that you really do have
enemies who want to get you and know how (I guess not to be dismissed!)
whereas the second would be more likely to be a robotic sort of attack
which targets your server for the simple reason that it is vulnerable.
A quick checklist:
1. Is tomcat running as root user? I see this so many times. Do not run
it as root as if it is compromised the damage cannot be easily limited
2. Are you running the tomcat manager application? My guess is that
probably it would require the manager application to be able to make such
modifications to existing webapps. And there are many known
vulnerabilities to this which are being revealed and plugged regularly. If
you must run it then you need to secure which ips have access to it and not
expose it the internet. Note if you just downloaded tomcat binary as is
from the internet and unpacked that in all its glory you will be running
the manager by default.
3. Are you running behind a proxy (nginx/apache)? You should always do
this as it can provide an additional layer of protection to your tomcat
(performance protection with caching, transport protection with ssl, tomcat
misconfiguration protection). To be really effective of course you make
sure tomcat is only listening on localhost interface.
4. Are you using ssl to protect passwords?
There's lots of other good avice here
http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html .
Don't destroy the audit trail when you clean up after this mess - ie. keep
a copy of all log files as the offending jsps. Then start again, carefully.
Have you looked in to the contents of those files? Could be there are
clues there ...
Bob
On 22 October 2013 05:30, Ngoc Thanh Nguyen <thanh.hispvietnam@xxxxxxxxx>wrote:
> Hi all,
>
> In the server we found some strange files, definitely malicious.
>
> How could they upload them to dhis2 folder? Any one have the same problem?
>
> [image: Inline image 1]
>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help : https://help.launchpad.net/ListHelp
>
>
Follow ups
References