dhis2-devs team mailing list archive

[Lars Helge Øverland <larshelge@xxxxxxxxx>]

Hi Hannan,

I think this attack might also be related to the Struts exploit. We did see
random jsp files being uploaded at one occasion.

The fix for the Struts exploit was done in 2.12 at revision 11341, so it
means that you must upgrade your DHIS version (from 11312) in order to get
protection.

regards,

Lars



On Thu, Feb 6, 2014 at 9:18 AM, Jason Pickering <jason.p.pickering@xxxxxxxxx
> wrote:

> Hi Hannan,
> I had several servers (4 to be exact) which were compromised due to a
> vulnerability in Struts. Lars sent out an email a few weeks ago, that
> informed everyone they needed to upgrade immediately. I know of other
> server which have also been compromised. One was running Tomcat as root (an
> exceptionally bad idea). Because of the compromise, a full reinstallation
> of the server software would be required.
>
> In your case, it does seem to be a bit more serious, and not consistent
> with the previous compromises I have seen. These compromises were limited
> to the machine sending out a huge amount of traffic, but otherwise, there
> did not "seem" to be any further issues.
>
> A few tips, you may want to consider
>
> 0) A complete reinstall of the system might be in order, given the extent
> of the attack.
> 1) Be sure that the Tomcat process is not running as root, and that the
> user which can execute Tomcat cannot login to the system directly (i.e. has
> their shell set to /bin/false)
> 2) Close port 8080 and remove the Tomcat manager. Instead, only have port
> 80/443  on the machine open. Additionally, do not run SSH on port 22, and
> be sure that you can only login to the server with a key, which is
> protected itself by a strong password.
> 3) Consider attempting to look for vulnerabilities your self, with tools
> such as Nessus and Nmap
> 4) Ensure that you are running a firewall on the server itself, i.e. do
> not trust your upstream providers firewall.
> 5) Ensure that all Tomcat installs, Java,DHIS2 and the system software
> itself is fully up to date
> 6) Consider running an IDS such as OSSEC on your machine to look for
> unauthorized intrusions.
> 7) Use tools such as monit to monitor for spurious processes or suspicious
> file activity.
>
> Hope this helps.
>
> Best regards,
> Jason
>
>
>
>
>
> On Thu, Feb 6, 2014 at 8:36 AM, Hannan Khan <hannank@xxxxxxxxx> wrote:
>
>> Yes Morten, I installed through the package manager.
>>
>> The tomcat version is Apache Tomcat/7.0.26.
>>
>> Regards
>>
>> Hannan
>>
>>
>> On Thu, Feb 6, 2014 at 12:07 PM, Morten Olav Hansen <mortenoh@xxxxxxxxx>wrote:
>>
>>> Also make sure that your tomcat is up to date.. there exists several
>>> vulnerabilities in older versions
>>>
>>> (not sure how you installed it, but if you are using a linux
>>> distribution, its wise to install it through the package manager)
>>>
>>> --
>>> Morten
>>>
>>>
>>> On Thu, Feb 6, 2014 at 1:00 PM, Knut Staring <knutst@xxxxxxxxx> wrote:
>>>
>>>> Hannan, which build of DHIS2 ? Which Java version? Ubuntu?
>>>>
>>>> Sent from my mobile
>>>> On Feb 6, 2014 6:29 AM, "Hannan Khan" <hannank@xxxxxxxxx> wrote:
>>>>
>>>>> Dear experts
>>>>>
>>>>> Our main DHIS2 implementation (mishealth) for the health sector was
>>>>> hacked yesterday evening, around 4:30 PM local time. After login by any
>>>>> user it showing the attached message. We immediately stop the tomact7
>>>>> service and check the database. We find the database is intact.
>>>>>
>>>>> After investigation I find that the hacker inserted three files to do
>>>>> this.
>>>>>
>>>>> First file "index.html" contain an alert "alert("Admin, You Are Hacked
>>>>> by Malaysia Hacker!")"  and a body text <h1>Hacked by BadCat</h1>. Which
>>>>> was placed in the application folder /tomcat7/webapps/mishealth/.
>>>>>
>>>>> Second files "index.html" contain another script which redirects to "
>>>>> pastebin.com/raw.php?i=LZEdbBz6" was placed in
>>>>> the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>>>
>>>>> Third file "guige.jsp" is contain a script was placed in
>>>>> the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>>>
>>>>> For our server, it seems that only first file is executing after
>>>>> login. I find few more suspicious files which I am investigating and will
>>>>> share with the experts in next few days.
>>>>>
>>>>> I configured the server with only external open port is 8080. Other
>>>>> two ports (SSH and WEBMIN) are open for internal IP only. External access
>>>>> is possible only through VPN client. According to the firewall maintaining
>>>>> vendor, that hacker might access through 8080. How we prevent and secure
>>>>> that?
>>>>>
>>>>> I configure the database in other server and that server is only
>>>>> accessible through one private IP block. The tomcat server, the backup
>>>>> servers and our administrator/development team are in that block.
>>>>>
>>>>> Now please suggest how can we secure our servers more.
>>>>>
>>>>> Regards
>>>>>
>>>>> Muhammad Abdul Hannan Khan
>>>>> --------------------------------------------------
>>>>> Senior Technical Advisor - HIS
>>>>> Priority Area Health
>>>>> Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
>>>>> House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
>>>>>
>>>>> T +880-2- 8816459, 8816412 ext 118
>>>>> M+88 01819 239 241
>>>>> M+88 01534 312 066
>>>>> F +88 02 8813 875
>>>>> E hannan.khan@xxxxxx
>>>>> S hannan.khan.dhaka
>>>>> B hannan-tech.blogspot.com
>>>>>
>>>>>
>>>>
>>>
>>
>> _______________________________________________
>> Mailing list: https://launchpad.net/~dhis2-devs
>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~dhis2-devs
>> More help   : https://help.launchpad.net/ListHelp
>>
>>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>