dhis2-devs team mailing list archive
Message #27979
Re: Bangladesh's main DHIS2 installation hacked and solved
Hi Hannan,
I had several servers (4 to be exact) which were compromised due to a
vulnerability in Struts. Lars sent out an email a few weeks ago that
informed everyone they needed to upgrade immediately. I know of other
servers which have also been compromised. One was running Tomcat as root (an
exceptionally bad idea). Because of the compromise, a full reinstallation
of the server software would be required.
In your case, it does seem to be a bit more serious, and not consistent
with the previous compromises I have seen. These compromises were limited
to the machine sending out a huge amount of traffic, but otherwise, there
did not "seem" to be any further issues.
A few tips you may want to consider:
0) A complete reinstall of the system might be in order, given the extent
of the attack.
1) Be sure that the Tomcat process is not running as root, and that the
user which can execute Tomcat cannot log in to the system directly (i.e. has
their shell set to /bin/false).
2) Close port 8080 and remove the Tomcat manager. Instead, only have ports
80/443 on the machine open. Additionally, do not run SSH on port 22, and
be sure that you can only log in to the server with a key, which is itself
protected by a strong password.
3) Consider attempting to look for vulnerabilities yourself, with tools
such as Nessus and Nmap.
4) Ensure that you are running a firewall on the server itself, i.e. do not
trust your upstream provider's firewall.
5) Ensure that all Tomcat installs, Java, DHIS2 and the system software
itself are fully up to date.
6) Consider running an IDS such as OSSEC on your machine to look for
unauthorized intrusions.
7) Use tools such as monit to monitor for spurious processes or suspicious
file activity.
Hope this helps.
Best regards,
Jason
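As an added example (not part of Jason's reply, and not DHIS2 or Tomcat project code), the POSIX shell script below turns points 1, 2 and 4 of the list above into checks that can be run on the host or against copied files. The paths, the `tomcat7` service user and the assumption that Tomcat sits behind a reverse proxy on the same host (so the 8080 connector is kept but bound to 127.0.0.1) are mine, taken from the Ubuntu tomcat7 package layout rather than from the thread; the `ps`, passwd and `iptables -S` inputs are passed in as text so each check is testable offline.

```shell
#!/bin/sh
# Added audit script (not from the thread): checks a Tomcat host against the
# points in Jason's reply. Defaults assume Ubuntu's tomcat7 package layout
# (/etc/tomcat7, /var/lib/tomcat7/webapps, system user "tomcat7"); every check
# takes its input as an argument so it can also run against copied files.

# 1) The JVM must not run as root. $1 is the text of `ps -eo user,args`.
check_tomcat_not_root() {
    ! printf '%s\n' "$1" | grep -q '^root[[:space:]].*org\.apache\.catalina\.startup\.Bootstrap'
}

# 1b) The Tomcat user must have no interactive shell. $1 passwd file, $2 user.
check_nologin_shell() {
    shell=$(awk -F: -v u="$2" '$1 == u { print $7; exit }' "$1")
    case "$shell" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# 2) Manager apps removed. $1 webapps dir, $2 Tomcat conf dir (context files).
check_manager_removed() {
    [ ! -e "$1/manager" ] && [ ! -e "$1/host-manager" ] &&
    [ ! -e "$2/Catalina/localhost/manager.xml" ]
}

# 2) Port 8080 closed to the outside: assumes a reverse proxy on 80/443 on the
# same host, so every uncommented <Connector port="8080"> in server.xml must
# carry address="127.0.0.1". Records are split on '>' and XML comments skipped.
check_connector_loopback() {
    awk 'BEGIN { RS = ">" }
         inc { if ($0 ~ /--$/) inc = 0; next }
         /<!--/ { if ($0 !~ /--$/) inc = 1; next }
         /<Connector/ && /port="8080"/ && !/address="(127\.0\.0\.1|localhost|::1)"/ { bad = 1 }
         END { exit bad }' "$1"
}

# 2) sshd: key-only, no root login, not on port 22. sshd applies the first
# uncommented occurrence of a keyword, which is what sshd_opt returns.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
check_sshd() {
    [ "$(sshd_opt "$1" PasswordAuthentication)" = "no" ] || return 1
    [ "$(sshd_opt "$1" ChallengeResponseAuthentication)" = "no" ] || return 1
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ] || return 1
    port=$(sshd_opt "$1" Port)
    [ -n "$port" ] && [ "$port" != "22" ]   # unset means the default, 22
}

# 4) Host firewall present with a default-deny INPUT chain. $1 is `iptables -S`.
check_firewall_policy() {
    printf '%s\n' "$1" | grep -q '^-P INPUT DROP$'
}

run_audit() {
    rc=0
    check_tomcat_not_root "$(ps -eo user,args)"                 || { echo "FAIL: Tomcat JVM runs as root"; rc=1; }
    check_nologin_shell /etc/passwd tomcat7                     || { echo "FAIL: tomcat7 has a login shell"; rc=1; }
    check_manager_removed /var/lib/tomcat7/webapps /etc/tomcat7 || { echo "FAIL: manager app still deployed"; rc=1; }
    check_connector_loopback /etc/tomcat7/server.xml            || { echo "FAIL: 8080 connector not bound to loopback"; rc=1; }
    check_sshd /etc/ssh/sshd_config                             || { echo "FAIL: sshd allows passwords, root, or port 22"; rc=1; }
    check_firewall_policy "$(iptables -S 2>/dev/null)"          || { echo "FAIL: INPUT chain not default-deny"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Run as root (iptables -S needs it): sh tomcat-audit.sh --run
if [ "${1:-}" = "--run" ]; then run_audit; fi
```

The checks are deliberately conservative: a missing `Port`, `PasswordAuthentication` or `ChallengeResponseAuthentication` line counts as a failure because sshd's defaults for those are 22, yes and yes, and a `<Connector port="8080">` without an `address` attribute binds to every interface, which is the state Hannan's firewall vendor was worried about.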
On Thu, Feb 6, 2014 at 8:36 AM, Hannan Khan <hannank@xxxxxxxxx> wrote:
> Yes Morten, I installed through the package manager.
>
> The tomcat version is Apache Tomcat/7.0.26.
>
> Regards
>
> Hannan
>
>
> On Thu, Feb 6, 2014 at 12:07 PM, Morten Olav Hansen <mortenoh@xxxxxxxxx> wrote:
>
>> Also make sure that your tomcat is up to date.. there exist several
>> vulnerabilities in older versions
>>
>> (not sure how you installed it, but if you are using a linux
>> distribution, it's wise to install it through the package manager)
>>
>> --
>> Morten
>>
>>
>> On Thu, Feb 6, 2014 at 1:00 PM, Knut Staring <knutst@xxxxxxxxx> wrote:
>>
>>> Hannan, which build of DHIS2 ? Which Java version? Ubuntu?
>>>
>>> Sent from my mobile
>>> On Feb 6, 2014 6:29 AM, "Hannan Khan" <hannank@xxxxxxxxx> wrote:
>>>
>>>> Dear experts
>>>>
>>>> Our main DHIS2 implementation (mishealth) for the health sector was
>>>> hacked yesterday evening, around 4:30 PM local time. After login by any
>>>> user, it shows the attached message. We immediately stopped the tomcat7
>>>> service and checked the database. We found the database intact.
>>>>
>>>> After investigation I found that the hacker inserted three files to do
>>>> this.
>>>>
>>>> The first file, "index.html", contains an alert "alert("Admin, You Are
>>>> Hacked by Malaysia Hacker!")" and a body text <h1>Hacked by BadCat</h1>.
>>>> It was placed in the application folder /tomcat7/webapps/mishealth/.
>>>>
>>>> The second file, also "index.html", contains another script which
>>>> redirects to "pastebin.com/raw.php?i=LZEdbBz6" and was placed in
>>>> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>>
>>>> The third file, "guige.jsp", contains a script and was placed in
>>>> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>>
>>>> For our server, it seems that only the first file is executed after login.
>>>> I found a few more suspicious files which I am investigating and will
>>>> share with the experts in the next few days.
>>>>
>>>> I configured the server so that the only externally open port is 8080.
>>>> The other two ports (SSH and WEBMIN) are open to internal IPs only.
>>>> External access is possible only through a VPN client. According to the
>>>> vendor that maintains the firewall, the hacker might have gained access
>>>> through 8080. How do we prevent and secure that?
>>>>
>>>> I configured the database on another server, and that server is only
>>>> accessible through one private IP block. The tomcat server, the backup
>>>> servers and our administrator/development team are in that block.
>>>>
>>>> Now please suggest how can we secure our servers more.
>>>>
>>>> Regards
>>>>
>>>> Muhammad Abdul Hannan Khan
>>>> --------------------------------------------------
>>>> Senior Technical Advisor - HIS
>>>> Priority Area Health
>>>> Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
>>>> House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
>>>>
>>>> T +880-2- 8816459, 8816412 ext 118
>>>> M+88 01819 239 241
>>>> M+88 01534 312 066
>>>> F +88 02 8813 875
>>>> E hannan.khan@xxxxxx
>>>> S hannan.khan.dhaka
>>>> B hannan-tech.blogspot.com
>>>>
>>>>
>>>
>>
>
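As an added example (not part of any message in this thread, and not DHIS2 project code), the script below does the kind of file triage Hannan describes: it lists files in an exploded Tomcat webapp that the deployed WAR never contained, files modified after deployment, and JSP/HTML files whose content looks like a web shell or an external redirect. It assumes the original WAR is still available to produce a baseline listing (`unzip -Z1 mishealth.war | sort`), the Ubuntu tomcat7 path `/var/lib/tomcat7/webapps/<app>`, and that `WEB-INF/web.xml` carries the deployment timestamp; the indicator patterns are my own heuristics, and the sample files in the test are constructed from the description above.

```shell
#!/bin/sh
# Added triage script (not from the thread): finds files planted in an
# exploded Tomcat webapp, as with the index.html and guige.jsp files above.
# Assumptions: Ubuntu tomcat7 layout (/var/lib/tomcat7/webapps/<app>), the
# original WAR is still available so a baseline listing can be produced with
#   unzip -Z1 mishealth.war | sort > mishealth.baseline
# and the indicator patterns below are heuristics, not a complete signature set.

# Files present on disk that the WAR never contained (dropped web shells,
# extra index.html files). $1 exploded app dir, $2 baseline listing.
find_unlisted() {
    actual=$(mktemp); expected=$(mktemp)
    (cd "$1" && find . -type f | sed 's|^\./||') | LC_ALL=C sort > "$actual"
    LC_ALL=C sort "$2" > "$expected"
    LC_ALL=C comm -13 "$expected" "$actual"    # lines only in "actual"
    rm -f "$actual" "$expected"
}

# Files changed after deployment: anything newer than WEB-INF/web.xml, which
# is written when Tomcat explodes the WAR. Catches legitimate files that were
# overwritten (a replaced index.html) and so do not show up as unlisted.
find_modified_after_deploy() {
    (cd "$1" && find . -type f -newer WEB-INF/web.xml | sed 's|^\./||' | LC_ALL=C sort)
}

# JSP/HTML files containing what a web shell or defacement page needs: command
# execution, dynamic class loading, or a redirect to an external paste site.
scan_suspicious() {
    (cd "$1" && find . -type f \( -name '*.jsp' -o -name '*.jspx' -o -name '*.html' \) \
        -exec grep -l -E 'Runtime\.getRuntime\(\)\.exec|ProcessBuilder|defineClass|window\.location|document\.location|pastebin\.com' {} + \
        | sed 's|^\./||' | LC_ALL=C sort)
}

# Usage: sh webapp-triage.sh /var/lib/tomcat7/webapps/mishealth mishealth.baseline
if [ "$#" -eq 2 ]; then
    echo "== not in WAR =="; find_unlisted "$1" "$2"
    echo "== modified after deploy =="; find_modified_after_deploy "$1"
    echo "== suspicious content =="; scan_suspicious "$1"
fi
```

The three lists are complementary: a dropped `guige.jsp` is unlisted, modified and suspicious; a replaced root `index.html` containing only an alert is neither unlisted nor matched by the patterns, but still shows up as modified after deployment. Run the script against a copy of the webapp taken before the reinstall Jason recommends, since the reinstall destroys the evidence.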