
dhis2-devs team mailing list archive

Re: Malicious uploaded files to dhis. Tomcat bug or dhis?

 

Excellent, Bob. I think we use tomcat manager. Then it is the problem.

On Tuesday, October 22, 2013, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
> Hi Thanh
> Never seen this.  But to answer how they could be uploaded to your
> folder, there are many many ways.
> First check that they are not bundled in your war file to start with
> (just to be paranoid I just rechecked the standard download from dhis2.org),
> i.e. be sure it is not the developer who is unwittingly (or wittingly!)
> spreading this.
> Then you need to tell us more about how your tomcat is deployed and on
> what.
> Basically you are looking at two possibilities - your operating system is
> compromised and the offending items have been copied in to the webapps
> folder. There are obviously a couple of ways this could happen.  Or a
> weakness is being exposed by an application running on the webserver itself.
> The second is more likely.  The first would assume that you really do
> have enemies who want to get you and know how (I guess not to be
> dismissed!) whereas the second would be more likely to be a robotic sort of
> attack which targets your server for the simple reason that it is
> vulnerable.
> A quick checklist:
> 1.  Is tomcat running as root user?  I see this so many times.  Do not
> run it as root, as if it is compromised the damage cannot be easily limited.
> 2.  Are you running the tomcat manager application?  My guess is that
> probably it would require the manager application to be able to make such
> modifications to existing webapps.  And there are many known
> vulnerabilities to this which are being revealed and plugged regularly.  If
> you must run it then you need to secure which ips have access to it and not
> expose it to the internet.  Note if you just downloaded the tomcat binary as is
> from the internet and unpacked that in all its glory you will be running
> the manager by default.
> 3.  Are you running behind a proxy (nginx/apache)?  You should always do
> this as it can provide an additional layer of protection to your tomcat
> (performance protection with caching, transport protection with ssl, tomcat
> misconfiguration protection).  To be really effective of course you make
> sure tomcat is only listening on the localhost interface.
> 4.  Are you using ssl to protect passwords?
> There's lots of other good advice here
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html .
> Don't destroy the audit trail when you clean up after this mess - i.e.
> keep a copy of all log files as well as the offending jsps.  Then start again,
> carefully.
> Have you looked in to the contents of those files?  Could be there are
> clues there ...
> Bob
>
> On 22 October 2013 05:30, Ngoc Thanh Nguyen <thanh.hispvietnam@xxxxxxxxx> wrote:
>>
>> Hi all,
>> In the server we found some strange files, definitely malicious.
>> How could they upload them to dhis2 folder? Any one have the same
>> problem?
>>
>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help   : https://help.launchpad.net/ListHelp
>>
>
>

-- 
*Nguyễn Ngọc Thành*
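The checklist in Bob's reply (items 1 to 3: Tomcat not running as root, the manager application removed or restricted to specific IPs, and every connector bound to the loopback interface behind the reverse proxy) can be turned into a quick audit. The script below is an added example and is not code from this thread, from DHIS2 or from Tomcat; the server.xml, `ps -eo user=,args=` output and CATALINA_BASE directory layouts it audits are constructed for demonstration, and item 4 (TLS, which belongs in the proxy configuration) is not checked. Tomcat's own behaviour assumed here: a `Connector` with no `address` attribute listens on all interfaces, the manager's context file under `conf/Catalina/localhost/` overrides the one shipped in `webapps/manager/META-INF/`, and a stock Tomcat 7 ships that shipped file with the `RemoteAddrValve` commented out.

```python
"""Audit a Tomcat install against the checklist in Bob's reply.
Added example, not code from the original thread, DHIS2 or Tomcat.
All sample inputs and directory layouts below are constructed."""
import os
import tempfile
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "localhost", "::1", "0:0:0:0:0:0:0:1"}

# Constructed server.xml: HTTP on all interfaces, a commented-out TLS
# connector, and AJP correctly bound to loopback.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"/> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
    <Engine name="Catalina" defaultHost="localhost"/>
  </Service>
</Server>
"""

# Constructed `ps -eo user=,args=` output: one JVM as root, one as tomcat.
SAMPLE_PS = (
    "root     /usr/bin/java -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start\n"
    "tomcat   /usr/bin/java -Dcatalina.base=/srv/dhis org.apache.catalina.startup.Bootstrap start\n"
    "thanh    vim /srv/dhis/conf/server.xml\n"
)

# Manager context restricting access to loopback (the recommended form).
RESTRICTED_CTX = """<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\\.\\d+\\.\\d+\\.\\d+|::1|0:0:0:0:0:0:0:1"/>
</Context>
"""

def catalina_users(ps_output):
    """Item 1: users owning Tomcat JVMs; none of them should be root."""
    users = set()
    for line in ps_output.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and "org.apache.catalina.startup.Bootstrap" in parts[1]:
            users.add(parts[0])
    return users

def exposed_connectors(server_xml_text):
    """Item 3: (port, protocol) of connectors not bound to loopback.
    Commented-out connectors vanish in the parser; no address = all interfaces."""
    root = ET.fromstring(server_xml_text)
    return [(c.get("port"), c.get("protocol", "HTTP/1.1"))
            for c in root.iter("Connector")
            if c.get("address", "0.0.0.0") not in LOOPBACK]

def manager_status(catalina_base):
    """Item 2: 'absent', 'restricted' (RemoteAddrValve with allow list) or 'exposed'."""
    app = os.path.join(catalina_base, "webapps", "manager")
    if not os.path.isdir(app):
        return "absent"
    # The context file under conf/ overrides the one shipped inside the webapp.
    for ctx in (os.path.join(catalina_base, "conf", "Catalina", "localhost", "manager.xml"),
                os.path.join(app, "META-INF", "context.xml")):
        if os.path.isfile(ctx):
            for valve in ET.parse(ctx).getroot().iter("Valve"):
                if valve.get("className", "").endswith("RemoteAddrValve") and valve.get("allow"):
                    return "restricted"
            break
    return "exposed"

def findings(catalina_base, server_xml_text, ps_output):
    """Human-readable findings for one install."""
    out = []
    if "root" in catalina_users(ps_output):
        out.append("tomcat JVM runs as root")
    if manager_status(catalina_base) == "exposed":
        out.append("manager app deployed without RemoteAddrValve restriction")
    for port, proto in exposed_connectors(server_xml_text):
        out.append("connector %s (%s) listens on all interfaces; bind it to 127.0.0.1 behind the proxy" % (port, proto))
    return out

def demo():
    """Audit three constructed CATALINA_BASE layouts: a stock unpack with the
    valve commented out, a hardened one restricted via conf/, and one with
    the manager deleted. Returns each manager status and the stock findings."""
    with tempfile.TemporaryDirectory() as tmp:
        stock = os.path.join(tmp, "stock")
        os.makedirs(os.path.join(stock, "webapps", "manager", "META-INF"))
        with open(os.path.join(stock, "webapps", "manager", "META-INF", "context.xml"), "w") as f:
            f.write('<Context privileged="true">\n'
                    '  <!-- <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="127.0.0.1"/> -->\n'
                    '</Context>\n')
        hardened = os.path.join(tmp, "hardened")
        os.makedirs(os.path.join(hardened, "webapps", "manager"))
        os.makedirs(os.path.join(hardened, "conf", "Catalina", "localhost"))
        with open(os.path.join(hardened, "conf", "Catalina", "localhost", "manager.xml"), "w") as f:
            f.write(RESTRICTED_CTX)
        removed = os.path.join(tmp, "removed")
        os.makedirs(os.path.join(removed, "webapps", "ROOT"))
        results = {name: manager_status(path)
                   for name, path in (("stock", stock), ("hardened", hardened), ("removed", removed))}
        results["stock_findings"] = findings(stock, SAMPLE_SERVER_XML, SAMPLE_PS)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it against a real install by feeding `findings()` the contents of `$CATALINA_BASE/conf/server.xml` and the output of `ps -eo user=,args=`; the manager check looks only at the on-disk context files, so it will report "exposed" for a stock Tomcat 7 whose shipped context.xml has the valve commented out, which is the situation item 2 warns about.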
