
dhis2-users team mailing list archive

Re: Bangladesh's main DHIS2 installation hacked and solved


Yes Morten, I installed through the package manager.

The tomcat version is Apache Tomcat/7.0.26.

Regards

Hannan


On Thu, Feb 6, 2014 at 12:07 PM, Morten Olav Hansen <mortenoh@xxxxxxxxx> wrote:

> Also make sure that your tomcat is up to date.. there exist several
> vulnerabilities in older versions
>
> (not sure how you installed it, but if you are using a linux distribution,
> it's wise to install it through the package manager)
>
> --
> Morten
>
>
> On Thu, Feb 6, 2014 at 1:00 PM, Knut Staring <knutst@xxxxxxxxx> wrote:
>
>> Hannan, which build of DHIS2 ? Which Java version? Ubuntu?
>>
>> Sent from my mobile
>> On Feb 6, 2014 6:29 AM, "Hannan Khan" <hannank@xxxxxxxxx> wrote:
>>
>>> Dear experts
>>>
>>> Our main DHIS2 implementation (mishealth) for the health sector was
>>> hacked yesterday evening, around 4:30 PM local time. After login by any
>>> user it shows the attached message. We immediately stopped the tomcat7
>>> service and checked the database. We found the database is intact.
>>>
>>> After investigation I found that the hacker inserted three files to do
>>> this.
>>>
>>> The first file, "index.html", contains an alert "alert("Admin, You Are Hacked
>>> by Malaysia Hacker!")" and a body text <h1>Hacked by BadCat</h1>. It
>>> was placed in the application folder /tomcat7/webapps/mishealth/.
>>>
>>> The second file, "index.html", contains another script which redirects to "
>>> pastebin.com/raw.php?i=LZEdbBz6" and was placed in
>>> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>
>>> The third file, "guige.jsp", contains a script and was placed in
>>> /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>
>>> For our server, it seems that only the first file is executing after login.
>>> I found a few more suspicious files which I am investigating and will share
>>> with the experts in the next few days.
>>>
>>> I configured the server so that the only externally open port is 8080. The other two
>>> ports (SSH and WEBMIN) are open for internal IPs only. External access is
>>> possible only through a VPN client. According to the vendor maintaining the
>>> firewall, the hacker might have gained access through 8080. How do we prevent and secure
>>> that?
>>>
>>> I configured the database on another server, and that server is only
>>> accessible through one private IP block. The tomcat server, the backup
>>> servers and our administrator/development team are in that block.
>>>
>>> Now please suggest how can we secure our servers more.
>>>
>>> Regards
>>>
>>> Muhammad Abdul Hannan Khan
>>> --------------------------------------------------
>>> Senior Technical Advisor - HIS
>>> Priority Area Health
>>> Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
>>> House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
>>>
>>> T +880-2- 8816459, 8816412 ext 118
>>> M+88 01819 239 241
>>> M+88 01534 312 066
>>> F +88 02 8813 875
>>> E hannan.khan@xxxxxx
>>> S hannan.khan.dhaka
>>> B hannan-tech.blogspot.com
>>>
>>>
>>
>
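An added example, not from this thread or from the DHIS2 project, of the check a practitioner would want after an incident like the one Hannan describes: hash every file in the deployed webapp right after deployment, keep that baseline off the server, and diff the live tree against it to surface dropped JSPs, stray index.html files and tampered files. The directory layout, file names and contents below are constructed to mirror the three files named in the post; nothing is read from a real server.

```python
"""Baseline-and-diff integrity check for a deployed Tomcat webapp.

Added example (not from the mailing-list thread or from DHIS2). The sample
tree built in demo() is constructed to resemble the incident described:
index.html at the webapp root, index.html and guige.jsp under
dhis-web-commons/security/. Paths are reported POSIX-style ("/").
"""
import hashlib
import os
import tempfile

# Extensions that must never appear after deployment without a redeploy;
# a new JSP in particular is the classic web-shell drop.
SUSPICIOUS_EXT = (".jsp", ".jspx", ".war")


def build_baseline(root):
    """Return {relative_posix_path: sha256_hex} for every regular file under root.
    Run this immediately after deploying the WAR and store the result off-box."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as f:
                baseline[rel] = hashlib.sha256(f.read()).hexdigest()
    return baseline


def diff_baseline(baseline, root):
    """Compare the live tree against a stored baseline.
    Returns (added, modified, removed) as sorted lists of relative paths."""
    current = build_baseline(root)
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current
                      if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def flag_suspicious(paths):
    """Subset of paths that warrant immediate attention: any new JSP/WAR,
    or an index.html that was not part of the deployed application."""
    return [p for p in paths
            if p.lower().endswith(SUSPICIOUS_EXT)
            or os.path.basename(p) == "index.html"]


def _write(path, text):
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo():
    """Constructed scenario: deploy, take a baseline, then files appear."""
    with tempfile.TemporaryDirectory() as webapps:
        app = os.path.join(webapps, "mishealth")
        sec = os.path.join(app, "dhis-web-commons", "security")
        os.makedirs(os.path.join(app, "WEB-INF"))
        os.makedirs(sec)
        # Two stand-ins for legitimate deployed files (constructed content).
        _write(os.path.join(app, "WEB-INF", "web.xml"), "<web-app/>")
        _write(os.path.join(sec, "login.vm"), "legitimate template")
        baseline = build_baseline(webapps)

        # Files dropped after deployment, mirroring the incident report.
        _write(os.path.join(app, "index.html"), "<h1>Hacked by BadCat</h1>")
        _write(os.path.join(sec, "index.html"), "<script>/* redirect */</script>")
        _write(os.path.join(sec, "guige.jsp"), "<%-- constructed stand-in --%>")
        # A legitimate file that has been tampered with.
        _write(os.path.join(app, "WEB-INF", "web.xml"), "<web-app>changed</web-app>")

        added, modified, removed = diff_baseline(baseline, webapps)
        return added, modified, removed, flag_suspicious(added)


if __name__ == "__main__":
    added, modified, removed, flagged = demo()
    print("added:   ", added)
    print("modified:", modified)
    print("removed: ", removed)
    print("flagged: ", flagged)
```

The baseline must be taken from a known-good deployment and stored somewhere the Tomcat user cannot write, otherwise an attacker who can drop files into webapps can also rewrite the baseline. Hash comparison catches the files named in the post (all three are new) as well as edits to existing files, which a simple "find files newer than X" would miss if timestamps were reset.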
