
dhis2-devs team mailing list archive

Re: Bangladesh's main DHIS2 installation hacked and solved


For this implementation we are using DHIS2 version 2.12 build 11312. This
version will be upgraded to version 13 this evening.

Java version 1.7.0_25 OpenJDK 64 bit server

Ubuntu 12.04.2.


On Thu, Feb 6, 2014 at 12:00 PM, Knut Staring <knutst@xxxxxxxxx> wrote:

> Hannan, which build of DHIS2 ? Which Java version? Ubuntu?
>
> Sent from my mobile
> On Feb 6, 2014 6:29 AM, "Hannan Khan" <hannank@xxxxxxxxx> wrote:
>
>> Dear experts
>>
>> Our main DHIS2 implementation (mishealth) for the health sector was
>> hacked yesterday evening, around 4:30 PM local time. After login by any
>> user it shows the attached message. We immediately stopped the tomcat7
>> service and checked the database. We found the database intact.
>>
>> After investigation I found that the hacker had inserted three files to
>> do this.
>>
>> The first file, "index.html", contains an alert "alert("Admin, You Are
>> Hacked by Malaysia Hacker!")" and a body text <h1>Hacked by BadCat</h1>.
>> It was placed in the application folder /tomcat7/webapps/mishealth/.
>>
>> The second file, "index.html", contains another script which redirects to
>> "pastebin.com/raw.php?i=LZEdbBz6" and was placed in
>> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>
>> The third file, "guige.jsp", contains a script and was placed in
>> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>
>> For our server, it seems that only the first file is executed after login.
>> I found a few more suspicious files which I am investigating and will
>> share with the experts in the next few days.
>>
>> I configured the server so that the only externally open port is 8080.
>> The other two ports (SSH and WEBMIN) are open for internal IPs only.
>> External access is possible only through a VPN client. According to the
>> vendor maintaining the firewall, the hacker might have gained access
>> through 8080. How can we prevent and secure that?
>>
>> I configured the database on another server, and that server is only
>> accessible through one private IP block. The Tomcat server, the backup
>> servers and our administrator/development team are in that block.
>>
>> Now please suggest how we can secure our servers more.
>>
>> Regards
>>
>> Muhammad Abdul Hannan Khan
>> --------------------------------------------------
>> Senior Technical Advisor - HIS
>> Priority Area Health
>> Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
>> House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
>>
>> T +880-2- 8816459, 8816412 ext 118
>> M+88 01819 239 241
>> M+88 01534 312 066
>> F +88 02 8813 875
>> E hannan.khan@xxxxxx
>> S hannan.khan.dhaka
>> B hannan-tech.blogspot.com
>>
>>
>
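One concrete check for the question raised in the thread, as an added example that is not part of this mailing-list exchange or of the DHIS2 project: compare the exploded Tomcat webapp directory against the WAR it was deployed from and report every file the WAR never shipped, which is exactly how the planted index.html and guige.jsp files would stand out. The WAR contents, directory layout and planted file names below are constructed to mirror the report; a real run would point at the actual mishealth.war and /tomcat7/webapps/mishealth/.

```python
import os
import tempfile
import zipfile
from pathlib import Path


def war_manifest(war_path):
    """Return the set of file paths packaged in the WAR (directories excluded)."""
    with zipfile.ZipFile(war_path) as war:
        return {info.filename for info in war.infolist() if not info.is_dir()}


def unexpected_files(webapp_dir, war_path):
    """List files in the exploded webapp that the WAR never shipped.

    Anything reported here was written after deployment: a defacement page,
    a server-side script dropped into the tree, or legitimate runtime output
    that should then be allow-listed explicitly rather than ignored.
    """
    shipped = war_manifest(war_path)
    root = Path(webapp_dir)
    extra = []
    for path in root.rglob("*"):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            if rel not in shipped:
                extra.append(rel)
    return sorted(extra)


def demo():
    """Constructed scenario: deploy a tiny WAR, then plant the three files named in the report."""
    with tempfile.TemporaryDirectory() as tmp:
        war = os.path.join(tmp, "mishealth.war")
        shipped = {"index.jsp": "<%-- constructed sample --%>",
                   "dhis-web-commons/security/login.action": "",
                   "WEB-INF/web.xml": "<web-app/>"}
        with zipfile.ZipFile(war, "w") as z:
            for name, body in shipped.items():
                z.writestr(name, body)
        webapp = os.path.join(tmp, "webapps", "mishealth")
        with zipfile.ZipFile(war) as z:
            z.extractall(webapp)
        # Files added after deployment, at the paths the report describes (contents are harmless placeholders).
        for planted in ("index.html", "dhis-web-commons/security/index.html",
                        "dhis-web-commons/security/guige.jsp"):
            target = Path(webapp, planted)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("<!-- constructed placeholder -->")
        return unexpected_files(webapp, war)


if __name__ == "__main__":
    for name in demo():
        print("not shipped in WAR:", name)
```

Running the check from cron against each deployed WAR, and alerting on any non-empty result, turns the manual inspection described above into a repeatable integrity check.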
