
dhis2-devs team mailing list archive

Re: Malicious uploaded files to dhis. Tomcat bug or dhis?

 

I didn't say it is the problem.  Just one likely vulnerability in your
setup.  But do get rid of it and any other demo applications or whatever
which might be running.


On 22 October 2013 11:38, Ngoc Thanh Nguyen <thanh.hispvietnam@xxxxxxxxx> wrote:

> Excellent Bob. I think we use tomcat manager. Then it is the problem.
>
>
> On Tuesday, October 22, 2013, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
> > Hi Thanh
> > Never seen this.  But to answer how they could be uploaded to your
> folder, there are many many ways.
> > First check that they are not bundled in your war file to start with
> (Just to be paranoid I just rechecked the standard download from dhis2.org).
>  i.e. be sure it is not the developer who is unwittingly (or wittingly!)
> spreading this.
> > Then you need to tell us more about how your tomcat is deployed and on
> what.
> > Basically you are looking at two possibilities - your operating system
> is compromised and the offending items have been copied in to the webapps
> folder. There are obviously a couple of ways this could happen.  Or a
> weakness is being exposed by an application running on the webserver itself.
> > The second is more likely.  The first would assume that you really do
> have enemies who want to get you and know how (I guess not to be
> dismissed!) whereas the second would be more likely to be a robotic sort of
> attack which targets your server for the simple reason that it is
> vulnerable.
> > A quick checklist:
> > 1.  Is tomcat running as root user?  I see this so many times.  Do not
> run it as root as if it is compromised the damage cannot be easily limited
> > 2.  Are you running the tomcat manager application?  My guess is that
> probably it would require the manager application to be able to make such
> modifications to existing webapps.  And there are many known
> vulnerabilities to this which are being revealed and plugged regularly.  If
> you must run it then you need to secure which ips have access to it and not
> expose it to the internet.  Note if you just downloaded tomcat binary as is
> from the internet and unpacked that in all its glory you will be running
> the manager by default.
> > 3.  Are you running behind a proxy (nginx/apache)?  You should always do
> this as it can provide an additional layer of protection to your tomcat
> (performance protection with caching, transport protection with ssl, tomcat
> misconfiguration protection).  To be really effective of course you make
> sure tomcat is only listening on localhost interface.
> > 4.  Are you using ssl to protect passwords?
> > There's lots of other good advice here
> http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html .
> > Don't destroy the audit trail when you clean up after this mess - i.e.
> keep a copy of all log files as well as the offending jsps.  Then start again,
> carefully.
> > Have you looked in to the contents of those files?  Could be there are
> clues there ...
> > Bob
> >
> > On 22 October 2013 05:30, Ngoc Thanh Nguyen <thanh.hispvietnam@xxxxxxxxx>
> wrote:
> >>
> >> Hi all,
> >> In the server we found some strange files, definitely malicious.
> >> How could they upload them to dhis2 folder? Anyone have the same
> problem?
> >>
>
> >>
> >>
> >> _______________________________________________
> >> Mailing list: https://launchpad.net/~dhis2-devs
> >> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> >> Unsubscribe : https://launchpad.net/~dhis2-devs
> >> More help   : https://help.launchpad.net/ListHelp
> >>
> >
> >
>
> --
> *Nguyễn Ngọc Thành*
>
>
>
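The checklist in Bob's quoted reply (do not run Tomcat as root, get rid of the manager and other demo applications, keep Tomcat listening on localhost behind a proxy) can be turned into a small audit. The script below is an added example, not code from the thread or from the DHIS2 project. It assumes the standard CATALINA_BASE layout (a webapps/ directory and conf/server.xml with single-line Connector elements), takes the Tomcat process owner as an argument rather than probing a live process, and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Added example: audit a Tomcat base directory against the checklist in the thread.
# Assumes CATALINA_BASE layout: $BASE/webapps/ and $BASE/conf/server.xml.

# 1. Demo/admin apps that should not be deployed on a production DHIS2 host.
#    Prints the names found in webapps/, separated by spaces.
demo_apps_present() {
  base="$1"
  found=""
  for app in manager host-manager docs examples; do
    [ -e "$base/webapps/$app" ] && found="$found $app"
  done
  echo "${found# }"
  return 0
}

# 2. Connectors in server.xml that are not bound to a loopback address.
#    Such a connector is reachable from the network instead of only via the proxy.
#    Assumes each <Connector .../> is on one line (true of the stock server.xml).
#    The leading space before port= avoids matching redirectPort=.
exposed_connectors() {
  grep -o '<Connector[^>]*>' "$1/conf/server.xml" | while IFS= read -r line; do
    port=$(printf '%s' "$line" | sed -n 's/.* port="\([0-9]*\)".*/\1/p')
    addr=$(printf '%s' "$line" | sed -n 's/.* address="\([^"]*\)".*/\1/p')
    case "$addr" in
      127.0.0.1|localhost|::1) ;;   # bound to loopback: fine behind nginx/apache
      *) echo "$port" ;;            # no address or a public one: exposed
    esac
  done
  return 0
}

# 3. Process owner check. Pass the output of e.g. `ps -o user= -p <tomcat pid>`.
#    Returns 0 (true) when the owner is root, which the thread warns against.
tomcat_user_is_root() {
  [ "$1" = "root" ]
}

# Constructed sample CATALINA_BASE (not a real deployment): the manager app is
# still deployed and the HTTP connector has no address= attribute.
make_sample() {
  d=$(mktemp -d)
  mkdir -p "$d/webapps/manager" "$d/webapps/dhis" "$d/conf"
  cat > "$d/conf/server.xml" <<'EOF'
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" />
  </Service>
</Server>
EOF
  echo "$d"
}

# Run the audit against the constructed sample and print a short report.
sample=$(make_sample)
printf 'demo apps present  : %s\n' "$(demo_apps_present "$sample")"
printf 'exposed connectors : %s\n' "$(exposed_connectors "$sample" | tr '\n' ' ')"
if tomcat_user_is_root "${TOMCAT_USER:-tomcat}"; then
  echo 'tomcat process owner: root (should be an unprivileged user)'
else
  echo "tomcat process owner: ${TOMCAT_USER:-tomcat} (ok)"
fi
rm -rf "$sample"
```

Point the three functions at the real CATALINA_BASE and the real process owner to audit a live host; on the sample above the report lists `manager` as still deployed and port 8080 as exposed, which are exactly the two conditions the thread ties to the uploaded JSP files.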
