
dhis2-devs team mailing list archive

Re: Bangladesh's main DHIS2 installation hacked and solved

 

Thanks Bob.

My earlier attempt to configure nginx failed. I will try again this month.

Regards

Hannan


On Thu, Feb 6, 2014 at 10:09 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:

> Hi Hannan
>
> I agree with Lars that what you describe (uploading of malicious files)
> sounds like an exploitation of the vulnerability in struts fixed around
> Christmas.
>
> I also agree that you don't want to run tomcat on port 80.  The
> recommended configuration is to run a web proxy such as nginx or apache2 on
> port 80 and 443.  Then tomcat can listen on port 8080 on localhost only.
>
>
> On 6 February 2014 14:54, Hannan Khan <hannank@xxxxxxxxx> wrote:
>
>> Thanks Jason for your comprehensive advice.
>>
>> I tried to identify the problem's roots and I believe I found those files. And
>> there is no problem so far.
>> From the beginning I have been running the tomcat service as a user who cannot log in
>> to the system.
>> Points 2 and 3 I have to do. But earlier another of our servers running on port
>> 80 was severely damaged by a hacker attack (web server). I will keep in touch
>> on this.
>> Which firewall do you suggest? Also consider that we have very narrow bandwidth:
>> only 10 Mbps for 9 DHIS2 systems with about 12,000 users and an average of 300
>> concurrent users in the top three systems.
>> Updates we run on a weekly basis.
>> Points 6 and 7 I will do. How will that affect the system performance?
>>
>> Regards
>>
>> Hannan
>>
>>
>>
>> On Thu, Feb 6, 2014 at 1:18 PM, Jason Pickering <
>> jason.p.pickering@xxxxxxxxx> wrote:
>>
>>> Hi Hannan,
>>> I had several servers (4 to be exact) which were compromised due to a
>>> vulnerability in Struts. Lars sent out an email a few weeks ago that
>>> informed everyone they needed to upgrade immediately. I know of other
>>> servers which have also been compromised. One was running Tomcat as root (an
>>> exceptionally bad idea). Because of the compromise, a full reinstallation
>>> of the server software would be required.
>>>
>>> In your case, it does seem to be a bit more serious, and not consistent
>>> with the previous compromises I have seen. These compromises were limited
>>> to the machine sending out a huge amount of traffic, but otherwise, there
>>> did not "seem" to be any further issues.
>>>
>>> A few tips you may want to consider:
>>>
>>> 0) A complete reinstall of the system might be in order, given the
>>> extent of the attack.
>>> 1) Be sure that the Tomcat process is not running as root, and that the
>>> user which can execute Tomcat cannot login to the system directly (i.e. has
>>> their shell set to /bin/false)
>>> 2) Close port 8080 and remove the Tomcat manager. Instead, only have
>>> port 80/443 on the machine open. Additionally, do not run SSH on port 22,
>>> and be sure that you can only login to the server with a key, which is
>>> protected itself by a strong password.
>>> 3) Consider attempting to look for vulnerabilities yourself, with tools
>>> such as Nessus and Nmap
>>> 4) Ensure that you are running a firewall on the server itself, i.e. do
>>> not trust your upstream provider's firewall.
>>> 5) Ensure that all Tomcat installs, Java, DHIS2 and the system software
>>> itself are fully up to date
>>> 6) Consider running an IDS such as OSSEC on your machine to look for
>>> unauthorized intrusions.
>>> 7) Use tools such as monit to monitor for spurious processes or
>>> suspicious file activity.
>>>
>>> Hope this helps.
>>>
>>> Best regards,
>>> Jason
>>>
>>>
>>>
>>>
>>>
>>> On Thu, Feb 6, 2014 at 8:36 AM, Hannan Khan <hannank@xxxxxxxxx> wrote:
>>>
>>>> Yes Morten, I installed through the package manager.
>>>>
>>>> The tomcat version is Apache Tomcat/7.0.26.
>>>>
>>>> Regards
>>>>
>>>> Hannan
>>>>
>>>>
>>>> On Thu, Feb 6, 2014 at 12:07 PM, Morten Olav Hansen <mortenoh@xxxxxxxxx> wrote:
>>>>
>>>>> Also make sure that your tomcat is up to date; there exist several
>>>>> vulnerabilities in older versions.
>>>>>
>>>>> (Not sure how you installed it, but if you are using a Linux
>>>>> distribution, it's wise to install it through the package manager.)
>>>>>
>>>>> --
>>>>> Morten
>>>>>
>>>>>
>>>>> On Thu, Feb 6, 2014 at 1:00 PM, Knut Staring <knutst@xxxxxxxxx> wrote:
>>>>>
>>>>>> Hannan, which build of DHIS2 ? Which Java version? Ubuntu?
>>>>>>
>>>>>> Sent from my mobile
>>>>>> On Feb 6, 2014 6:29 AM, "Hannan Khan" <hannank@xxxxxxxxx> wrote:
>>>>>>
>>>>>>> Dear experts
>>>>>>>
>>>>>>> Our main DHIS2 implementation (mishealth) for the health sector was
>>>>>>> hacked yesterday evening, around 4:30 PM local time. After login by any
>>>>>>> user it shows the attached message. We immediately stopped the tomcat7
>>>>>>> service and checked the database. We found the database is intact.
>>>>>>>
>>>>>>> After investigation I found that the hacker inserted three files to
>>>>>>> do this.
>>>>>>>
>>>>>>> The first file, "index.html", contains an alert "alert("Admin, You Are
>>>>>>> Hacked by Malaysia Hacker!")" and a body text <h1>Hacked by BadCat</h1>.
>>>>>>> It was placed in the application folder /tomcat7/webapps/mishealth/.
>>>>>>>
>>>>>>> The second file, "index.html", contains another script which redirects to
>>>>>>> "pastebin.com/raw.php?i=LZEdbBz6"; it was placed in
>>>>>>> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>>>>>
>>>>>>> The third file, "guige.jsp", contains a script and was placed in
>>>>>>> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>>>>>
>>>>>>> For our server, it seems that only the first file is executed after
>>>>>>> login. I found a few more suspicious files which I am investigating and will
>>>>>>> share with the experts in the next few days.
>>>>>>>
>>>>>>> I configured the server so that the only externally open port is 8080. The other
>>>>>>> two ports (SSH and WEBMIN) are open for internal IPs only. External access
>>>>>>> is possible only through a VPN client. According to the vendor maintaining
>>>>>>> the firewall, the hacker might have got in through 8080. How do we prevent and
>>>>>>> secure that?
>>>>>>>
>>>>>>> I configured the database on another server and that server is only
>>>>>>> accessible through one private IP block. The Tomcat server, the backup
>>>>>>> servers and our administrator/development team are in that block.
>>>>>>>
>>>>>>> Now please suggest how we can secure our servers more.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Muhammad Abdul Hannan Khan
>>>>>>> --------------------------------------------------
>>>>>>> Senior Technical Advisor - HIS
>>>>>>> Priority Area Health
>>>>>>> Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
>>>>>>> House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
>>>>>>>
>>>>>>> T +880-2- 8816459, 8816412 ext 118
>>>>>>> M+88 01819 239 241
>>>>>>> M+88 01534 312 066
>>>>>>> F +88 02 8813 875
>>>>>>> E hannan.khan@xxxxxx
>>>>>>> S hannan.khan.dhaka
>>>>>>> B hannan-tech.blogspot.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Mailing list: https://launchpad.net/~dhis2-devs
>>>> Post to     : dhis2-devs@xxxxxxxxxxxxxxxxxxx
>>>> Unsubscribe : https://launchpad.net/~dhis2-devs
>>>> More help   : https://help.launchpad.net/ListHelp
>>>>
>>>>
>>>
>>
>>
>>
>

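The checks behind Jason's list (Tomcat account with no login shell, manager app removed, port 8080 not exposed) and Bob's proxy advice (Tomcat bound to localhost behind nginx or apache2), together with a triage for dropped files of the kind Hannan reports (index.html and guige.jsp under webapps/mishealth), as an added POSIX shell example. This is not code from DHIS2 or from any poster in the thread. It runs against a constructed fixture directory: the file names, server.xml lines and passwd entries are made up for the example, and the manifest-based triage assumes you keep a list of the .jsp/.html files the deployed WAR actually ships. Point the same functions at a real /var/lib/tomcat7 tree, server.xml and /etc/passwd to check a live host.

```shell
#!/bin/sh
# Added example for this thread (not code from DHIS2 or any poster): offline
# versions of the checks behind Jason's hardening list and Bob's proxy advice.
# Every path, file and account below is a constructed fixture, not a real
# Tomcat installation.

# 1. Web-root triage. List .jsp/.jspx/.html files under a Tomcat webapps
#    directory that are not in a known-good manifest (one relative path per
#    line, e.g. generated from the deployed WAR). Dropped files like the
#    index.html and guige.jsp reported in the thread show up here.
find_unexpected_files() {
    webapps=$1 manifest=$2
    found=$(mktemp)
    ( cd "$webapps" && find . -type f \( -name '*.jsp' -o -name '*.jspx' -o -name '*.html' \) \
        | sed 's|^\./||' | sort ) > "$found"
    sort "$manifest" | comm -23 "$found" -
    rm -f "$found"
}

# 2. Tomcat should only answer on loopback once a proxy fronts it on 80/443.
#    Assumes each <Connector .../> sits on one line, as in the stock server.xml.
tomcat_connector_is_local() {
    serverxml=$1
    total=$(grep '<Connector' "$serverxml" | grep -c 'port="8080"' || true)
    local_only=$(grep '<Connector' "$serverxml" | grep 'port="8080"' \
        | grep -c 'address="127.0.0.1"' || true)
    [ "$total" -gt 0 ] && [ "$total" -eq "$local_only" ]
}

# 3. The manager and host-manager applications should be gone, not just
#    password-protected.
manager_app_removed() {
    [ ! -d "$1/manager" ] && [ ! -d "$1/host-manager" ]
}

# 4. The account running Tomcat must not have an interactive shell.
#    $1 is a passwd-format file, $2 the account name.
user_shell_is_nologin() {
    shell=$(awk -F: -v u="$2" '$1 == u { print $7 }' "$1")
    case "$shell" in
        /bin/false|/usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# Build a throwaway tree that mirrors the layout described in the thread.
make_fixture() {
    root=$(mktemp -d)
    app=$root/webapps/mishealth
    mkdir -p "$app/dhis-web-commons/security" "$root/webapps/manager"
    # One legitimate page (constructed name) that the manifest knows about.
    echo '<html>login</html>' > "$app/dhis-web-commons/security/login.html"
    echo 'mishealth/dhis-web-commons/security/login.html' > "$root/manifest.txt"
    # Planted files at the two locations named in the report (contents constructed).
    echo '<h1>Hacked</h1>' > "$app/index.html"
    echo '<%@ page language="java" %>' > "$app/dhis-web-commons/security/guige.jsp"
    # A connector listening on every interface vs. one bound to loopback.
    echo '<Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />' \
        > "$root/server-bad.xml"
    echo '<Connector port="8080" address="127.0.0.1" protocol="HTTP/1.1" />' \
        > "$root/server-good.xml"
    # A service account with no shell next to an ordinary login account.
    printf '%s\n' 'tomcat7:x:106:112::/usr/share/tomcat7:/bin/false' \
                  'ops:x:1000:1000::/home/ops:/bin/bash' > "$root/passwd"
    echo "$root"
}

# Stand-alone run against the fixture.
fx=$(make_fixture)
echo '== files under webapps that the manifest does not know =='
find_unexpected_files "$fx/webapps" "$fx/manifest.txt"
for f in server-bad.xml server-good.xml; do
    if tomcat_connector_is_local "$fx/$f"; then
        echo "$f: port 8080 bound to loopback only"
    else
        echo "$f: port 8080 reachable from every interface"
    fi
done
manager_app_removed "$fx/webapps" || echo 'manager app still deployed'
user_shell_is_nologin "$fx/passwd" tomcat7 && echo 'tomcat7 cannot log in'
user_shell_is_nologin "$fx/passwd" ops || echo 'ops has an interactive shell'
rm -rf "$fx"
```

The triage only sees the file types in its `find` pattern and only files newer than your manifest, so it is a quick first pass after an incident, not a replacement for a file-integrity monitor such as the OSSEC that Jason mentions. The connector check covers the HTTP connector on 8080 only; if server.xml also has an AJP connector, bind that to 127.0.0.1 too or comment it out when the proxy speaks plain HTTP to Tomcat.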