
dhis2-users team mailing list archive

Re: Bangladesh's main DHIS2 installation hacked and solved

 

Hannan, which build of DHIS2? Which Java version? Ubuntu?

Sent from my mobile
On Feb 6, 2014 6:29 AM, "Hannan Khan" <hannank@xxxxxxxxx> wrote:

> Dear experts
>
> Our main DHIS2 implementation (mishealth) for the health sector was hacked
> yesterday evening, around 4:30 PM local time. After login by any user it
> was showing the attached message. We immediately stopped the tomcat7 service
> and checked the database. We found the database is intact.
>
> After investigation I found that the hacker inserted three files to do
> this.
>
> The first file, "index.html", contains an alert "alert("Admin, You Are
> Hacked by Malaysia Hacker!")" and a body text <h1>Hacked by BadCat</h1>. It
> was placed in the application folder /tomcat7/webapps/mishealth/.
>
> The second file, "index.html", contains another script which redirects to
> "pastebin.com/raw.php?i=LZEdbBz6". It was placed in
> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>
> The third file, "guige.jsp", contains a script and was placed in
> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>
> For our server, it seems that only the first file is executing after login.
> I found a few more suspicious files which I am investigating and will share
> with the experts in the next few days.
>
> I configured the server so that the only external open port is 8080. The
> other two ports (SSH and WEBMIN) are open for internal IPs only. External
> access is possible only through a VPN client. According to the vendor
> maintaining the firewall, the hacker might have gained access through 8080.
> How do we prevent and secure that?
>
> I configured the database on another server, and that server is only
> accessible through one private IP block. The tomcat server, the backup
> servers and our administrator/development team are in that block.
>
> Now please suggest how we can secure our servers more.
>
> Regards
>
> Muhammad Abdul Hannan Khan
> --------------------------------------------------
> Senior Technical Advisor - HIS
> Priority Area Health
> Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
> House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
>
> T +880-2- 8816459, 8816412 ext 118
> M+88 01819 239 241
> M+88 01534 312 066
> F +88 02 8813 875
> E hannan.khan@xxxxxx
> S hannan.khan.dhaka
> B hannan-tech.blogspot.com
>
>
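
An added example, not part of the original message or of DHIS2: a file-integrity check that compares the exploded webapp directory under Tomcat with the WAR it was deployed from, which would surface dropped files such as the three described above. It goes slightly beyond the message by also reporting shipped files whose content changed; the WAR name, the sample file contents and the audit_webapp helper are assumptions made for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def audit_webapp(war_path, deployed_dir):
    """Return (added, modified) paths in deployed_dir relative to the WAR baseline."""
    deployed_dir = Path(deployed_dir)
    with zipfile.ZipFile(war_path) as war:
        baseline = {i.filename: sha256(war.read(i))
                    for i in war.infolist() if not i.is_dir()}
    added, modified = [], []
    for path in deployed_dir.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(deployed_dir).as_posix()
        if rel not in baseline:
            added.append(rel)          # on disk but never shipped in the WAR
        elif sha256(path.read_bytes()) != baseline[rel]:
            modified.append(rel)       # shipped, but content has changed
    return sorted(added), sorted(modified)


def demo():
    """Constructed sample: a tiny WAR, exploded, then altered after deployment."""
    with tempfile.TemporaryDirectory() as tmp:
        war = Path(tmp) / "mishealth.war"
        app = Path(tmp) / "webapps" / "mishealth"
        with zipfile.ZipFile(war, "w") as z:  # constructed stand-in files
            z.writestr("WEB-INF/web.xml", "<web-app/>")
            z.writestr("dhis-web-commons/security/login.html", "<form></form>")
        with zipfile.ZipFile(war) as z:
            z.extractall(app)
        sec = app / "dhis-web-commons" / "security"
        (app / "index.html").write_text("<h1>placeholder</h1>")  # dropped file
        (sec / "index.html").write_text("<script></script>")     # dropped file
        (sec / "guige.jsp").write_text("<% %>")                  # dropped file
        (app / "WEB-INF" / "web.xml").write_text("<web-app><!-- edited --></web-app>")
        return audit_webapp(war, app)  # the web.xml edit above is an assumed extra case


if __name__ == "__main__":
    added, modified = demo()
    print("added:", added)
    print("modified:", modified)
```

Files the application legitimately writes into its own directory at run time will also be listed as added, so the output is a list to review against what the deployment is expected to contain.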
