
dhis2-devs team mailing list archive

Re: Server processor use 100%


Thanks Bob.

On Thu, Jul 13, 2017 at 10:13 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
wrote:

> Yes, Hannan, that is similar to what I have seen a number of times this
> year.  The attacker makes use of atd and/or crontab to execute malicious
> code.  The good thing is that your tomcat was not running as root, which
> would be potentially more damaging.
>
> Obviously, with access to the tomcat user, access to the database
> itself has been exposed.  There is no indication that the database was the
> target of previous exploits, so probably (hopefully) that is your case too.
> It is a really good illustration though of why, when you have multiple
> instances attaching to a database server, you should always use a separate
> database role/user for each.  So when one database is exposed (through
> access to dhis.conf), at least they are not all exposed.
>
> Enjoy your holiday.  I am hoping to get off as well soon :-)
>
> Regards
> Bob
>
> On 13 July 2017 at 16:01, Hannan Khan <hannank@xxxxxxxxx> wrote:
>
>> Dear Bob
>>
>> Sorry for replying late. I am quite busy completing a few incomplete tasks
>> before I go on holiday tomorrow for a week.
>>
>> I have checked for a few days with various options, and my conclusion is
>> that the security hole might have been created by our old war file
>> (version 16) with the Struts vulnerability which Lars warned all of us about
>> earlier. We upgraded all our servers and applications except this server.
>> No suspicious files in the tmp folders.
>>
>> It took control of the tomcat8 user, ran sshd and occupied 100% of 2
>> processors. When we killed the process, removed all war files and stopped
>> the tomcat8 service, it started an atd command which also occupied 100% of
>> 2 processors. The data seems intact (checked through queries and size). As
>> all our DB servers have a similar IP structure, we immediately removed the
>> tomcat8 service, package and user. The VM server will also be
>> decommissioned and we will set up a new server with new credentials. I will
>> start the upgrade work after I return.
>>
>> Thank you for your valuable advice and kind concern.
>>
>> Best regards
>>
>> Hannan
>>
>> On Mon, Jul 10, 2017 at 8:21 PM, Bob Jolliffe <bobjolliffe@xxxxxxxxx>
>> wrote:
>>
>>> Sorry that should have been 'ls -la /tmp'
>>>
>>> On 10 July 2017 at 10:50, Bob Jolliffe <bobjolliffe@xxxxxxxxx> wrote:
>>>
>>>> Hi Hannan
>>>>
>>>> There is no circumstance in which the tomcat user should be running the
>>>> sshd command.  It could be that this machine has been compromised, unless
>>>> you have some strange setup where you are logging in as the tomcat user.
>>>>
>>>> Please contact me directly if you want me to check.
>>>>
>>>> Meanwhile you might want to have a look in /tmp directory and tomcat8
>>>> home directory to see if there are any strange files there:
>>>>
>>>> ls -ls /tmp
>>>>
>>>> You might find that there is a rogue sshd program that has been
>>>> installed there.  Note that if you are running a very old war file your
>>>> risk of compromise is very high.
>>>>
>>>> Bob
>>>>
>>>> On 10 July 2017 at 05:09, Hannan Khan <hannank@xxxxxxxxx> wrote:
>>>>
>>>>> Dear Experts
>>>>>
>>>>> I have a weird situation. One of our DHIS2 servers was running older war
>>>>> files (version 16); the OS was outdated and we had to upgrade the OS.
>>>>> After installing the new OS, Ubuntu 16.04 LTS, all necessary components
>>>>> (Java 8 and Tomcat 7) were installed, but a few minutes after running the
>>>>> war file (version 16) tomcat7 is not operational as the processor use is
>>>>> 100%. There is only 1 user logged in, the application server uses 2
>>>>> processors, and the DB server is separate.
>>>>>
>>>>> After trying several times I removed tomcat7 and installed tomcat 8 with
>>>>> the same war file, but the situation is the same. I call it weird as the
>>>>> db size is quite small, there are only a few users, and the listing shows
>>>>> an SSHD command by the tomcat8 user using 100% of the processor.
>>>>>
>>>>> Any idea about the underlying reason? I need urgent help. Thank you all
>>>>> in advance.
>>>>>
>>>>> Regards
>>>>>
>>>>> Muhammad Abdul Hannan Khan
>>>>> Team Leader
>>>>> Support to the National HMIS
>>>>> MIS, Director General of Health Service
>>>>> Ministry of Health and Family Welfare
>>>>>
>>>>> T +880-2-58816459, 58816412 ext 118
>>>>> F +88 02 58813 875
>>>>> M+88 01819 239 241
>>>>> M+88 01534 312 066
>>>>> E hannank@xxxxxxxxx
>>>>> S hannan.khan.dhaka
>>>>> B hannan-tech.blogspot.com
>>>>> L https://bd.linkedin.com/in/hannankhan
>>>>>
>>>>
>>>
>>
>>
>


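Bob's advice in the thread (check what the tomcat user is actually running, look at atd and crontab for the respawn, and list /tmp and the tomcat home for dropped files) as a runnable triage script. This is an added example, not code from the thread or from DHIS2. The ps listing it parses is a constructed sample, and the service account name tomcat8 and the java-only allowlist are assumptions to adjust for your host.

```bash
#!/bin/sh
# Added triage helper; not code from the thread or from DHIS2.
# Assumptions: the service account is "tomcat8" and the only executable it
# should ever own is "java" (adjust the allowlist for your host).

# flag_unexpected_procs USER ALLOWLIST
# Reads `ps -eo user,pid,pcpu,comm` output on stdin and prints
# "pid comm pcpu" for every process owned by USER whose command name is
# not in the space-separated ALLOWLIST. A service account running sshd,
# an at/cron payload or a miner is exactly what this surfaces.
flag_unexpected_procs() {
    awk -v u="$1" -v a=" $2 " 'NR > 1 && $1 == u {
        if (index(a, " " $4 " ") == 0) printf "%s %s %s\n", $2, $4, $3
    }'
}

# Constructed sample ps output (not a real capture) in the shape of the
# incident above: two sshd processes owned by tomcat8, each pinning a core.
SAMPLE_PS='USER       PID %CPU COMMAND
root         1  0.0 systemd
tomcat8   1201  1.2 java
tomcat8   2210 99.8 sshd
tomcat8   2211 99.5 sshd
daemon    2300  0.0 atd'

# count_unexpected USER ALLOWLIST: number of hits in SAMPLE_PS.
count_unexpected() {
    printf '%s\n' "$SAMPLE_PS" | flag_unexpected_procs "$1" "$2" | wc -l | tr -d ' '
}

# live_triage USER: the same check against the running host, plus the
# persistence and drop locations mentioned in the thread. Run as root.
live_triage() {
    svc="$1"
    home=$(getent passwd "$svc" | cut -d: -f6)
    echo "== processes owned by $svc other than java =="
    ps -eo user,pid,pcpu,comm | flag_unexpected_procs "$svc" "java"
    echo "== cron and at jobs that could respawn the payload =="
    crontab -u "$svc" -l 2>/dev/null
    ls -la /var/spool/cron/crontabs /var/spool/cron/atjobs 2>/dev/null
    atq 2>/dev/null
    echo "== files changed in the last 7 days in /tmp and $home =="
    find /tmp /var/tmp /dev/shm "$home" -xdev -mtime -7 -ls 2>/dev/null
}

# Without arguments the script only defines the functions; pass --live to
# run the checks on the current host.
if [ "${1:-}" = "--live" ]; then
    live_triage "${2:-tomcat8}"
fi
```

Run it as `sh triage.sh --live tomcat8` on the affected host. A hit in the first section is the equivalent of the sshd entry Hannan saw in his process listing; the cron and at listings are where to look for the atd job that took over after the war files were removed, and the find over /tmp and the service home is Bob's `ls -la /tmp` widened to the other world-writable directories an unprivileged service account can drop a binary into.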
