Our main DHIS2 implementation (mishealth) for the health sector was hacked yesterday evening, around 4:30 PM local time. After login by any user it showing the attached message. We immediately stop the tomact7 service and check the database. We find the database is intact.
After investigation I find that the hacker inserted three files to do this.
First file “index.html” contain an alert “alert(“Admin, You Are Hacked by Malaysia Hacker!”)” and a body text
Hacked by BadCat. Which was placed in the application folder /tomcat7/webapps/mishealth/.
Second files “index.html” contain another script which redirects to “pastebin.com/raw.php?i=LZEdbBz6” was placed in the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
Third file “guige.jsp” is contain a script was placed in the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
For our server, it seems that only first file is executing after login. I find few more suspicious files which I am investigating and will share with the experts in next few days.
I configured the server with only external open port is 8080. Other two ports (SSH and WEBMIN) are open for internal IP only. External access is possible only through VPN client. According to the firewall maintaining vendor, that hacker might access through 8080. How we prevent and secure that?
I configure the database in other server and that server is only accessible through one private IP block. The tomcat server, the backup servers and our administrator/development team are in that block.
Now please suggest how can we secure our servers more.
Muhammad Abdul Hannan Khan
hacked_screenshot.docx (153 KB)
Senior Technical Advisor - HIS
Priority Area Health
Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
T +880-2- 8816459, 8816412 ext 118
M+88 01819 239 241
M+88 01534 312 066
F +88 02 8813 875