dhis2-devs team mailing list archive

[Bob Jolliffe <bobjolliffe@xxxxxxxxx>]

Hi Hannan

I agree with Lars that what you describe (uploading of malicious files)
sounds like an exploitation of the vulnerability in struts fixed around
Christmas.

I also agree that you don't want to run tomcat on port 80.  The recommended
configuration is to run a web proxy such as nginx or apache2 on port 80 and
443.  Then tomcat can listen on port 8080 on localhost only.


On 6 February 2014 14:54, Hannan Khan <hannank@xxxxxxxxx> wrote:

> Thanks Jason for your comprehensive advice.
>
> I tried to identify problem roots and I believe I find those files. And
> there is no problem so far.
> From the beginning I am running tomcat service as user who cannot login to
> the system.
> Point 2 and 3 I have to do. But earlier our another serer running on port
> 80 severely damaged by hacker attack (web server). I will be keep in-touch
> on this.
> Any firewall you suggests? Also consider we have very narrow bandwidth;
> only 10 Mbps for 9 dhis2 systems with near about 12000 users average 300
> concurrent user in top three systems;
> Updates we are run weekly basis.
> Point 6 and 7 I will do. How that will effect the system performance?
>
> Regards
>
> Hannan
>
>
>
> On Thu, Feb 6, 2014 at 1:18 PM, Jason Pickering <
> jason.p.pickering@xxxxxxxxx> wrote:
>
>> Hi Hannan,
>> I had several servers (4 to be exact) which were compromised due to a
>> vulnerability in Struts. Lars sent out an email a few weeks ago, that
>> informed everyone they needed to upgrade immediately. I know of other
>> server which have also been compromised. One was running Tomcat as root (an
>> exceptionally bad idea). Because of the compromise, a full reinstallation
>> of the server software would be required.
>>
>> In your case, it does seem to be a bit more serious, and not consistent
>> with the previous compromises I have seen. These compromises were limited
>> to the machine sending out a huge amount of traffic, but otherwise, there
>> did not "seem" to be any further issues.
>>
>> A few tips, you may want to consider
>>
>> 0) A complete reinstall of the system might be in order, given the extent
>> of the attack.
>> 1) Be sure that the Tomcat process is not running as root, and that the
>> user which can execute Tomcat cannot login to the system directly (i.e. has
>> their shell set to /bin/false)
>> 2) Close port 8080 and remove the Tomcat manager. Instead, only have port
>> 80/443  on the machine open. Additionally, do not run SSH on port 22, and
>> be sure that you can only login to the server with a key, which is
>> protected itself by a strong password.
>> 3) Consider attempting to look for vulnerabilities your self, with tools
>> such as Nessus and Nmap
>> 4) Ensure that you are running a firewall on the server itself, i.e. do
>> not trust your upstream providers firewall.
>> 5) Ensure that all Tomcat installs, Java,DHIS2 and the system software
>> itself is fully up to date
>> 6) Consider running an IDS such as OSSEC on your machine to look for
>> unauthorized intrusions.
>> 7) Use tools such as monit to monitor for spurious processes or
>> suspicious file activity.
>>
>> Hope this helps.
>>
>> Best regards,
>> Jason
>>
>>
>>
>>
>>
>> On Thu, Feb 6, 2014 at 8:36 AM, Hannan Khan <hannank@xxxxxxxxx> wrote:
>>
>>> Yes Morten, I installed through the package manager.
>>>
>>> The tomcat version is Apache Tomcat/7.0.26.
>>>
>>> Regards
>>>
>>> Hannan
>>>
>>>
>>> On Thu, Feb 6, 2014 at 12:07 PM, Morten Olav Hansen <mortenoh@xxxxxxxxx>wrote:
>>>
>>>> Also make sure that your tomcat is up to date.. there exists several
>>>> vulnerabilities in older versions
>>>>
>>>> (not sure how you installed it, but if you are using a linux
>>>> distribution, its wise to install it through the package manager)
>>>>
>>>> --
>>>> Morten
>>>>
>>>>
>>>> On Thu, Feb 6, 2014 at 1:00 PM, Knut Staring <knutst@xxxxxxxxx> wrote:
>>>>
>>>>> Hannan, which build of DHIS2 ? Which Java version? Ubuntu?
>>>>>
>>>>> Sent from my mobile
>>>>> On Feb 6, 2014 6:29 AM, "Hannan Khan" <hannank@xxxxxxxxx> wrote:
>>>>>
>>>>>> Dear experts
>>>>>>
>>>>>> Our main DHIS2 implementation (mishealth) for the health sector was
>>>>>> hacked yesterday evening, around 4:30 PM local time. After login by any
>>>>>> user it showing the attached message. We immediately stop the tomact7
>>>>>> service and check the database. We find the database is intact.
>>>>>>
>>>>>> After investigation I find that the hacker inserted three files to do
>>>>>> this.
>>>>>>
>>>>>> First file "index.html" contain an alert "alert("Admin, You Are
>>>>>> Hacked by Malaysia Hacker!")"  and a body text <h1>Hacked by BadCat</h1>.
>>>>>> Which was placed in the application folder /tomcat7/webapps/mishealth/.
>>>>>>
>>>>>> Second files "index.html" contain another script which redirects to "
>>>>>> pastebin.com/raw.php?i=LZEdbBz6" was placed in
>>>>>> the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>>>>
>>>>>> Third file "guige.jsp" is contain a script was placed in
>>>>>> the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>>>>
>>>>>> For our server, it seems that only first file is executing after
>>>>>> login. I find few more suspicious files which I am investigating and will
>>>>>> share with the experts in next few days.
>>>>>>
>>>>>> I configured the server with only external open port is 8080. Other
>>>>>> two ports (SSH and WEBMIN) are open for internal IP only. External access
>>>>>> is possible only through VPN client. According to the firewall maintaining
>>>>>> vendor, that hacker might access through 8080. How we prevent and secure
>>>>>> that?
>>>>>>
>>>>>> I configure the database in other server and that server is only
>>>>>> accessible through one private IP block. The tomcat server, the backup
>>>>>> servers and our administrator/development team are in that block.
>>>>>>
>>>>>> Now please suggest how can we secure our servers more.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Muhammad Abdul Hannan Khan
>>>>>> --------------------------------------------------
>>>>>> Senior Technical Advisor - HIS
>>>>>> Priority Area Health
>>>>>> Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
>>>>>> House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
>>>>>>
>>>>>> T +880-2- 8816459, 8816412 ext 118
>>>>>> M+88 01819 239 241
>>>>>> M+88 01534 312 066
>>>>>> F +88 02 8813 875
>>>>>> E hannan.khan@xxxxxx
>>>>>> S hannan.khan.dhaka
>>>>>> B hannan-tech.blogspot.com
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>> _______________________________________________
>>> Mailing list: https://launchpad.net/~dhis2-devs
>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>> More help   : https://help.launchpad.net/ListHelp
>>>
>>>
>>
>
> _______________________________________________
> Mailing list: https://launchpad.net/~dhis2-devs
> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~dhis2-devs
> More help   : https://help.launchpad.net/ListHelp
>
>