dhis2-devs team mailing list archive

Bangladesh's main DHIS2 installation hacked and solved

Dear experts

Our main DHIS2 implementation (mishealth) for the health sector was hacked
yesterday evening, around 4:30 PM local time. After login by any user it
showed the attached message. We immediately stopped the tomcat7 service and
checked the database. We found the database is intact.

After investigation I found that the hacker inserted three files to do this.

The first file, "index.html", contains an alert, alert("Admin, You Are Hacked by
Malaysia Hacker!"), and a body text <h1>Hacked by BadCat</h1>. It was
placed in the application folder /tomcat7/webapps/mishealth/.

The second file, "index.html", contains another script which redirects to
"pastebin.com/raw.php?i=LZEdbBz6" and was placed in
/tomcat7/webapps/mishealth/dhis-web-commons/security/.

The third file, "guige.jsp", contains a script and was placed in
/tomcat7/webapps/mishealth/dhis-web-commons/security/.

For our server, it seems that only the first file is executed after login. I
found a few more suspicious files which I am investigating and will share with
the experts in the next few days.

I configured the server so that the only externally open port is 8080. The other
two ports (SSH and WEBMIN) are open for internal IPs only. External access is
possible only through a VPN client. According to the firewall maintenance
vendor, the hacker might have accessed through 8080. How do we prevent and
secure that?

I configured the database on another server, and that server is only accessible
through one private IP block. The tomcat server, the backup servers and our
administrator/development team are in that block.

Now please suggest how we can secure our servers more.

Regards

Muhammad Abdul Hannan Khan
--------------------------------------------------
Senior Technical Advisor - HIS
Priority Area Health
Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh

T +880-2- 8816459, 8816412 ext 118
M+88 01819 239 241
M+88 01534 312 066
F +88 02 8813 875
E hannan.khan@xxxxxx
S hannan.khan.dhaka
B hannan-tech.blogspot.com

Attachment: hacked_screenshot.docx
Description: application/vnd.openxmlformats-officedocument.wordprocessingml.document
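The report above shows how the compromise was noticed: files appearing in, or being overwritten inside, the deployed webapp directory (/tomcat7/webapps/mishealth/ and its dhis-web-commons/security/ subfolder). A defender's standard control for exactly this is a file-integrity baseline of the deployment taken right after installation, re-checked on a schedule so that a dropped .jsp or a defaced index.html is detected in minutes rather than after users report it. The script below is an added example written for this archive page, not code from the poster, from DHIS2 or from Tomcat; the directory layout, file names and contents it creates are constructed to mirror the three files named in the report, and the suffix list it treats as high risk is an assumption.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed stand-in for a freshly deployed webapp; the real baseline would be
# taken over the actual /tomcat7/webapps/<app>/ tree immediately after deployment.
BASELINE_FILES = {
    "WEB-INF/web.xml": "<web-app/>",
    "dhis-web-commons/security/login.action": "placeholder",
    "index.html": "<html>DHIS2</html>",
}

# Assumption: files Tomcat would serve or execute are the ones worth paging on.
SUSPECT_SUFFIXES = (".jsp", ".jspx", ".html", ".war")


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large WAR contents do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest


def diff_manifests(baseline: dict, current: dict) -> dict:
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def suspicious_changes(diff: dict) -> list:
    """Added or modified files with a servable/executable suffix deserve an immediate alert."""
    return sorted(p for p in diff["added"] + diff["modified"]
                  if p.lower().endswith(SUSPECT_SUFFIXES))


def write_tree(root: Path, files: dict) -> None:
    """Create the constructed files, making parent directories as needed."""
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)


def demo() -> dict:
    """Baseline a clean deployment, then replay the three file drops from the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "mishealth"
        write_tree(root, BASELINE_FILES)
        baseline = build_manifest(root)  # would be stored off-box in practice
        # Constructed post-incident state: defaced root index.html plus two new
        # files under dhis-web-commons/security/ (contents are placeholders).
        write_tree(root, {
            "index.html": "<h1>defaced</h1>",
            "dhis-web-commons/security/index.html": "<script></script>",
            "dhis-web-commons/security/guige.jsp": "<% %>",
        })
        diff = diff_manifests(baseline, build_manifest(root))
        diff["suspicious"] = suspicious_changes(diff)
        return diff


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

In production the baseline manifest is written once after each legitimate deployment and kept somewhere the Tomcat process cannot write to, and the comparison runs from cron or a monitoring agent; any non-empty "suspicious" list is the trigger to stop the service and start the investigation described in the report, rather than waiting for users to see the defacement.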