← Back to team overview

dhis2-users team mailing list archive

Re: Bangladesh's main DHIS2 installation hacked and solved

 

Also make sure that your tomcat is up to date.. there exists several
vulnerabilities in older versions

(not sure how you installed it, but if you are using a linux distribution,
its wise to install it through the package manager)

--
Morten


On Thu, Feb 6, 2014 at 1:00 PM, Knut Staring <knutst@xxxxxxxxx> wrote:

> Hannan, which build of DHIS2 ? Which Java version? Ubuntu?
>
> Sent from my mobile
> On Feb 6, 2014 6:29 AM, "Hannan Khan" <hannank@xxxxxxxxx> wrote:
>
>> Dear experts
>>
>> Our main DHIS2 implementation (mishealth) for the health sector was
>> hacked yesterday evening, around 4:30 PM local time. After login by any
>> user it showing the attached message. We immediately stop the tomact7
>> service and check the database. We find the database is intact.
>>
>> After investigation I find that the hacker inserted three files to do
>> this.
>>
>> First file "index.html" contain an alert "alert("Admin, You Are Hacked by
>> Malaysia Hacker!")"  and a body text <h1>Hacked by BadCat</h1>. Which was
>> placed in the application folder /tomcat7/webapps/mishealth/.
>>
>> Second files "index.html" contain another script which redirects to "
>> pastebin.com/raw.php?i=LZEdbBz6" was placed in
>> the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>
>> Third file "guige.jsp" is contain a script was placed in
>> the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>
>> For our server, it seems that only first file is executing after login. I
>> find few more suspicious files which I am investigating and will share with
>> the experts in next few days.
>>
>> I configured the server with only external open port is 8080. Other two
>> ports (SSH and WEBMIN) are open for internal IP only. External access is
>> possible only through VPN client. According to the firewall maintaining
>> vendor, that hacker might access through 8080. How we prevent and secure
>> that?
>>
>> I configure the database in other server and that server is only
>> accessible through one private IP block. The tomcat server, the backup
>> servers and our administrator/development team are in that block.
>>
>> Now please suggest how can we secure our servers more.
>>
>> Regards
>>
>> Muhammad Abdul Hannan Khan
>> --------------------------------------------------
>> Senior Technical Advisor - HIS
>> Priority Area Health
>> Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
>> House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
>>
>> T +880-2- 8816459, 8816412 ext 118
>> M+88 01819 239 241
>> M+88 01534 312 066
>> F +88 02 8813 875
>> E hannan.khan@xxxxxx
>> S hannan.khan.dhaka
>> B hannan-tech.blogspot.com
>>
>>
>

Follow ups

References