dhis2-devs team mailing list archive

Re: Malicious uploaded files to dhis. Tomcat bug or dhis?


Hello BOB,


On Tuesday, 22 October 2013 3:39 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
 
Hi Thanh

Never seen this.  But to answer how they could be uploaded to your folder, there are many many ways.

First check that they are not bundled in your war file to start with (Just to be paranoid I just rechecked the standard download from dhis2.org).  ie. be sure it is not the developer who is unwittingly (or wittingly!) spreading this.

Then you need to tell us more about how your tomcat is deployed and on what.  

Basically you are looking at two possibilities - your operating system is compromised and the offending items have been copied into the webapps folder. There are obviously a couple of ways this could happen.  Or a weakness is being exposed by an application running on the webserver itself.

The second is more likely.  The first would assume that you really do have enemies who want to get you and know how (I guess not to be dismissed!) whereas the second would be more likely to be a robotic sort of attack which targets your server for the simple reason that it is vulnerable.  

>>> It seems you have joined some couple and sort of short range, medium range and long range Inter Continental Ballistic Missile (ICBM) type of development programme or some sort of Polar Satellite Launch Vehicle (PSLV) type of programme. I would rather and perhaps suggest you to focus in diameter of more likely in mother and child health application development programme for life saving things only.

>>> Agreed, heavyweight .jsp has never been part of DHIS 2 application development from the beginning and should be excluded; the more general Velocity templates should be used instead, as is the standard coding convention in DHIS 2 application development.


A quick checklist:
1.  Is tomcat running as root user?  I see this so many times.  Do not run it as root: if it is compromised the damage cannot be easily limited.
2.  Are you running the tomcat manager application?  My guess is that it would probably require the manager application to be able to make such modifications to existing webapps.  And there are many known vulnerabilities in this which are being revealed and plugged regularly.  If you must run it then you need to restrict which ips have access to it and not expose it to the internet.  Note that if you just downloaded the tomcat binary as is from the internet and unpacked that in all its glory, you will be running the manager by default.
3.  Are you running behind a proxy (nginx/apache)?  You should always do this as it can provide an additional layer of protection to your tomcat (performance protection with caching, transport protection with ssl, tomcat misconfiguration protection).  To be really effective, of course, you make sure tomcat is only listening on the localhost interface.
4.  Are you using ssl to protect passwords?

There's lots of other good advice here: http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

Don't destroy the audit trail when you clean up after this mess - ie. keep a copy of all log files as well as the offending jsps.  Then start again, carefully.

Have you looked into the contents of those files?  Could be there are clues there ...

Bob



On 22 October 2013 05:30, Ngoc Thanh Nguyen <thanh.hispvietnam@xxxxxxxxx> wrote:

>Hi all,
>
>In the server we found some strange files, definitely malicious.
>
>How could they upload them to the dhis2 folder? Anyone have the same problem?
>
>_______________________________________________
>Mailing list: https://launchpad.net/~dhis2-devs
>Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>Unsubscribe : https://launchpad.net/~dhis2-devs
>More help   : https://help.launchpad.net/ListHelp
>
>



Regards,
Brajesh Murari
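Bob's four-point checklist above can be turned into something a server admin can actually run. The following POSIX shell script is an added example, not code from this thread or from the DHIS 2 project. It assumes a stock CATALINA_HOME layout (conf/server.xml plus a webapps/ directory) and an nginx site file proxying to Tomcat; the Tomcat user name, paths and the sample installs it builds for offline testing are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or from DHIS 2: a small audit
# script for the four checklist items above. It assumes a stock
# CATALINA_HOME layout (conf/server.xml, webapps/) and an nginx site file
# that proxies to Tomcat. Each check prints OK/FAIL and returns 0/1.

# 1. Tomcat must not run as root. The user name is passed in; on a live
#    system you could obtain it with: ps -o user= -p "$(cat "$CATALINA_PID")"
check_not_root() {
    if [ "$1" = "root" ]; then
        echo "FAIL: tomcat process runs as root"; return 1
    fi
    echo "OK: tomcat process runs as '$1'"
}

# 2. manager and host-manager should not be deployed on a public server;
#    both ship in the stock tarball, either unpacked or as .war files.
check_no_manager() {
    for app in manager host-manager; do
        if [ -e "$1/$app" ] || [ -e "$1/$app.war" ]; then
            echo "FAIL: $app is deployed under $1"; return 1
        fi
    done
    echo "OK: no manager webapps under $1"
}

# 3. With a proxy in front, every <Connector> in server.xml should bind to
#    the loopback interface only (address="127.0.0.1"). Commented-out
#    example connectors in the stock file are stripped before counting.
check_localhost_only() {
    exposed=$(tr '\n' ' ' < "$1" \
        | awk '{ gsub(/<!--([^-]|-[^-])*-->/, ""); print }' \
        | grep -oE '<Connector[^>]*>' \
        | grep -cvE 'address="(127\.0\.0\.1|::1|localhost)"') || true
    if [ "${exposed:-0}" -gt 0 ]; then
        echo "FAIL: $exposed connector(s) in $1 listen on all interfaces"; return 1
    fi
    echo "OK: all connectors in $1 are bound to localhost"
}

# 4. Passwords must travel over SSL: the proxy's server block should have an
#    ssl listener and name a certificate.
check_proxy_ssl() {
    if grep -qE '^[[:space:]]*listen[[:space:]]+[^;]*ssl' "$1" \
       && grep -qE '^[[:space:]]*ssl_certificate[[:space:]]' "$1"; then
        echo "OK: $1 terminates SSL"; return 0
    fi
    echo "FAIL: no SSL listener in $1"; return 1
}

# Runs all four checks; the exit status is the number of failed checks.
audit_tomcat() {
    failures=0
    check_not_root "$1"                       || failures=$((failures + 1))
    check_no_manager "$2/webapps"             || failures=$((failures + 1))
    check_localhost_only "$2/conf/server.xml" || failures=$((failures + 1))
    check_proxy_ssl "$3"                      || failures=$((failures + 1))
    return $failures
}

# Constructed sample installs (no real data) so the checks can be exercised
# offline: "insecure" mirrors an unpacked stock tomcat, "hardened" the advice.
make_sample() {
    dir="$1"; addr=""; listen="listen 80;"; cert=""
    mkdir -p "$dir/conf" "$dir/webapps/dhis"
    if [ "$2" = insecure ]; then
        mkdir -p "$dir/webapps/manager" "$dir/webapps/host-manager"
    else
        addr='address="127.0.0.1"'
        listen="listen 443 ssl;"
        cert="ssl_certificate /etc/ssl/certs/dhis.pem;"
    fi
    cat > "$dir/conf/server.xml" <<EOF
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" $addr
               connectionTimeout="20000" redirectPort="8443" />
    <!-- the stock file ships commented examples like this one:
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" />
    -->
    <Connector port="8009" protocol="AJP/1.3" $addr redirectPort="8443" />
  </Service>
</Server>
EOF
    cat > "$dir/nginx.conf" <<EOF
server {
    $listen
    $cert
    location / { proxy_pass http://127.0.0.1:8080; }
}
EOF
}

# Usage: sh tomcat_audit.sh <tomcat-user> <CATALINA_HOME> <nginx-site-file>
if [ $# -eq 3 ]; then
    audit_tomcat "$1" "$2" "$3"
fi
```

Run it as `sh tomcat_audit.sh tomcat /opt/tomcat /etc/nginx/sites-enabled/dhis` (paths are placeholders) and the exit status tells you how many of Bob's four points are still open. The connector check looks at every connector, AJP included, because a proxy on the same host only needs loopback; it also strips XML comments first, since the stock server.xml carries commented-out connector examples that would otherwise be counted as exposed listeners.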