Malicious files uploaded to dhis. Tomcat bug or dhis?

Hi all,

In the server we found some strange files, definitely malicious.

How could they upload them to the dhis2 folder? Does anyone have the same problem?

Hi Thanh

Never seen this. But to answer how they could be uploaded to your folder, there are many many ways.

First check that they are not bundled in your war file to start with (just to be paranoid, I just rechecked the standard download from dhis2.org), i.e. be sure it is not the developer who is unwittingly (or wittingly!) spreading this.

Then you need to tell us more about how your tomcat is deployed and on what.

Basically you are looking at two possibilities. Either your operating system is compromised and the offending items have been copied into the webapps folder (there are obviously a couple of ways this could happen), or a weakness is being exposed by an application running on the webserver itself.

The second is more likely. The first would assume that you really do have enemies who want to get you and know how (I guess not to be dismissed!), whereas the second would more likely be a robotic sort of attack which targets your server for the simple reason that it is vulnerable.

A quick checklist:

  1. Is tomcat running as root user? I see this so many times. Do not run it as root, as if it is compromised the damage cannot be easily limited.

  2. Are you running the tomcat manager application? My guess is that probably it would require the manager application to be able to make such modifications to existing webapps. And there are many known vulnerabilities to this which are being revealed and plugged regularly. If you must run it then you need to secure which IPs have access to it and not expose it to the internet. Note if you just downloaded the tomcat binary as is from the internet and unpacked it in all its glory, you will be running the manager by default.

  3. Are you running behind a proxy (nginx/apache)? You should always do this as it can provide an additional layer of protection to your tomcat (performance protection with caching, transport protection with SSL, tomcat misconfiguration protection). To be really effective, of course, you make sure tomcat is only listening on the localhost interface.

  4. Are you using SSL to protect passwords?

There’s lots of other good advice here http://tomcat.apache.org/tomcat-7.0-doc/security-howto.html .

Don’t destroy the audit trail when you clean up after this mess, i.e. keep a copy of all log files as well as the offending JSPs. Then start again, carefully.

Have you looked into the contents of those files? Could be there are clues there …

Bob
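A way to check the checklist above against an actual CATALINA_BASE, as an added example that is not part of the thread and not DHIS2 or Tomcat project code. It builds a throwaway directory that looks like an unpacked stock Tomcat 7 binary (manager, host-manager, examples and docs deployed beside dhis; HTTP and AJP connectors on all interfaces), audits it, then applies the fixes the checklist implies (stock apps removed, connector bound to 127.0.0.1 with the proxy terminating TLS, shutdown port disabled) and audits again. The directory layout, the server.xml contents, the user names and the function names (`audit`, `exposed_connectors`, `stock_webapps`, `harden_sample_base`) are assumptions made for this example; a real run would point the functions at your own CATALINA_BASE and the user the JVM actually runs as.

```shell
#!/bin/sh
# Added example, not code from the thread, DHIS2 or Tomcat: audit a CATALINA_BASE
# against the checklist. Sample base, server.xml, user and function names are
# assumptions made for this example.

# Constructed CATALINA_BASE resembling an unpacked stock Tomcat 7 binary:
# manager/host-manager/examples/docs deployed beside dhis, HTTP and AJP
# connectors on every interface, no TLS, shutdown port open.
make_sample_base() {
  base=$(mktemp -d)
  mkdir -p "$base/conf"
  for app in ROOT manager host-manager examples docs dhis; do
    mkdir -p "$base/webapps/$app"
  done
  cat > "$base/conf/server.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" /> -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
EOF
  printf '%s\n' "$base"
}

# Item 1: the user the JVM runs as, passed in so the check works without a
# running Tomcat (on a live box: ps axo user=,args= | grep Bootstrap).
check_not_root() { [ "$1" != "root" ]; }

# Item 2: webapps shipped with the binary distribution that have no business on
# a production DHIS2 server. Prints one name per line.
stock_webapps() {
  for app in manager host-manager examples docs; do
    [ -d "$1/webapps/$app" ] && printf '%s\n' "$app"
  done
  return 0
}

# Item 3: connectors in conf/server.xml not bound to a loopback address, i.e.
# reachable from outside the box instead of only via the reverse proxy. Copes
# with multi-line <Connector> elements, skips commented-out ones, and treats a
# missing address attribute as Tomcat's default of all interfaces.
exposed_connectors() {
  tr '\n' ' ' < "$1/conf/server.xml" | awk '
    {
      gsub(/<!--([^-]|-[^-])*-->/, "")
      n = split($0, c, "<Connector")
      for (i = 2; i <= n; i++) {
        sub(/>.*/, "", c[i])
        port = "?"; addr = "0.0.0.0"
        if (match(c[i], /port="[^"]*"/))    port = substr(c[i], RSTART + 6, RLENGTH - 7)
        if (match(c[i], /address="[^"]*"/)) addr = substr(c[i], RSTART + 9, RLENGTH - 10)
        if (addr != "127.0.0.1" && addr != "::1" && addr != "localhost") print port, addr
      }
    }'
}

# Run the checks for a base and a JVM user; one FAIL line each, then the total.
audit() {
  findings=0
  check_not_root "$2" || { echo "FAIL tomcat runs as root"; findings=$((findings + 1)); }
  for app in $(stock_webapps "$1"); do
    echo "FAIL stock webapp deployed: $app"; findings=$((findings + 1))
  done
  exposed_connectors "$1" | awk '{ print "FAIL connector on port " $1 " bound to " $2 " (not loopback)" }'
  findings=$((findings + $(exposed_connectors "$1" | awk 'END { print NR }')))
  echo "$findings finding(s)"
}

# Corrected setup for items 2 to 4: stock apps removed; HTTP connector bound to
# 127.0.0.1 so only the local nginx/apache reaches it; proxyPort/scheme/secure
# telling Tomcat the proxy terminates TLS on 443; AJP and shutdown port gone.
harden_sample_base() {
  for app in manager host-manager examples docs; do rm -rf "$1/webapps/$app"; done
  cat > "$1/conf/server.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" address="127.0.0.1"
               proxyPort="443" scheme="https" secure="true" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>
</Server>
EOF
}

B=$(make_sample_base)
echo "== stock unpacked binary, JVM as root =="; audit "$B" root
harden_sample_base "$B"
echo "== hardened, JVM as tomcat =="; audit "$B" tomcat
rm -rf "$B"
```

Items 1 to 3 are checked directly. Item 4 is only represented by the `scheme`, `secure` and `proxyPort` attributes on the hardened connector, which tell Tomcat that the proxy in front of it terminates TLS so that redirects and absolute URLs come out as https://; that the nginx/apache in front really does terminate TLS and really is the only thing that can reach port 8080 has to be checked in the proxy and firewall configuration, not in server.xml.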


On 22 October 2013 05:30, Ngoc Thanh Nguyen thanh.hispvietnam@gmail.com wrote:


Mailing list: https://launchpad.net/~dhis2-devs

Post to : dhis2-devs@lists.launchpad.net

Unsubscribe : https://launchpad.net/~dhis2-devs

More help : https://help.launchpad.net/ListHelp
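The "keep the audit trail" and "look into the files" advice at the end of Bob's message, worked through as an added example that is not code from the thread or from DHIS2. It stages a constructed scene (the dhis context deployed on 2013-10-20 according to its WEB-INF/web.xml timestamp, one planted JSP written later, and an access log in Tomcat's default "common" AccessLogValve format with constructed addresses and timestamps), copies the files and logs out with their mtimes intact plus a hashed manifest, lists JSPs written after the WAR's own web.xml, and then pulls from the access log the first request that ever touched each planted file, everything else from that source address, and any request against the manager application. All names, paths, addresses, log lines and function names (`preserve_evidence`, `recent_jsps`, `first_hit`, `requests_from`, `manager_requests`) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the thread or DHIS2: preserve the evidence first,
# then mine the access log. Scene, paths, addresses and log lines are all
# constructed for illustration.

# Constructed scene: dhis context deployed on 2013-10-20 (web.xml timestamp),
# one planted JSP written later, and an access log in Tomcat's default
# "common" AccessLogValve format (%h %l %u %t "%r" %s %b).
make_scene() {
  scene=$(mktemp -d)
  mkdir -p "$scene/webapps/dhis/WEB-INF" "$scene/webapps/dhis/inc" "$scene/logs"
  : > "$scene/webapps/dhis/WEB-INF/web.xml"
  touch -t 201310200000 "$scene/webapps/dhis/WEB-INF/web.xml"
  echo '<% out.println("placeholder for the planted file"); %>' > "$scene/webapps/dhis/inc/cache.jsp"
  cat > "$scene/logs/localhost_access_log.2013-10-21.txt" <<'EOF'
203.0.113.7 - - [21/Oct/2013:23:58:02 +0700] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [21/Oct/2013:23:58:05 +0700] "GET /manager/html HTTP/1.1" 200 19251
203.0.113.7 - tomcat [21/Oct/2013:23:58:09 +0700] "POST /manager/html/upload HTTP/1.1" 200 19415
203.0.113.7 - - [21/Oct/2013:23:58:31 +0700] "GET /dhis/inc/cache.jsp?c=id HTTP/1.1" 200 88
10.0.0.12 - - [22/Oct/2013:08:12:44 +0700] "GET /dhis/dhis-web-commons/security/login.action HTTP/1.1" 200 5120
203.0.113.7 - - [22/Oct/2013:09:01:13 +0700] "GET /dhis/inc/cache.jsp?c=uname HTTP/1.1" 200 140
EOF
  printf '%s\n' "$scene"
}

# Before cleaning anything: copy the offending files and the log directory out
# with mtimes preserved (cp -p) and record mtime, size and SHA-256 of every
# original, so later analysis can show nothing was altered.
preserve_evidence() {
  scene=$1; out=$2; shift 2
  mkdir -p "$out/files" "$out/logs"
  cp -p "$scene"/logs/* "$out/logs/"
  for f in "$@"; do
    rel=${f#"$scene/webapps/"}
    mkdir -p "$out/files/$(dirname "$rel")"
    cp -p "$f" "$out/files/$rel"
  done
  for f in "$@" "$scene"/logs/*; do
    printf '%s %s %s\n' "$(stat -c '%Y %s' "$f" 2>/dev/null || stat -f '%m %z' "$f")" \
      "$( (sha256sum "$f" 2>/dev/null || shasum -a 256 "$f") | cut -d' ' -f1)" "$f"
  done > "$out/manifest.txt"
}

# JSPs under a context written after that context's own WEB-INF/web.xml, i.e.
# after deployment. As noted later in this thread, DHIS2 uses Velocity templates
# rather than JSPs, so any hit under dhis deserves a look.
recent_jsps() {
  find "$1/webapps/$2" -name '*.jsp' -newer "$1/webapps/$2/WEB-INF/web.xml"
}

# URL path Tomcat serves a file under webapps/ at (context = first directory).
url_for() { printf '/%s\n' "${2#"$1/webapps/"}"; }

# Earliest access-log line whose request path equals PATH, query string ignored.
first_hit() {
  awk -v p="$2" '{ split($7, r, "?"); if (r[1] == p) { print; exit } }' "$1"
}

# Everything the same source address did, before and after that first hit.
requests_from() { awk -v ip="$2" '$1 == ip' "$1"; }

# Any request against the manager or host-manager application.
manager_requests() { awk '$7 ~ /^\/(host-)?manager(\/|$)/' "$1"; }

S=$(make_scene)
LOG=$S/logs/localhost_access_log.2013-10-21.txt
preserve_evidence "$S" "$S/evidence" $(recent_jsps "$S" dhis)
for f in $(recent_jsps "$S" dhis); do
  url=$(url_for "$S" "$f")
  hit=$(first_hit "$LOG" "$url")
  echo "first request to $url: $hit"
  echo "all requests from ${hit%% *}:"; requests_from "$LOG" "${hit%% *}" | sed 's/^/  /'
done
echo "manager activity:"; manager_requests "$LOG" | sed 's/^/  /'
echo "evidence manifest:"; sed 's/^/  /' "$S/evidence/manifest.txt"
rm -rf "$S"
```

The order matters: the copy and the manifest come before any grep or editor touches the files, because opening or moving them is exactly what changes the timestamps a later investigation relies on. On a real server the access logs are rotated daily, so point `first_hit` at the concatenation of the rotated files in date order rather than at a single day.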

Excellent, Bob. I think we use the tomcat manager. Then it is the problem.


On Tuesday, October 22, 2013, Bob Jolliffe bobjolliffe@gmail.com wrote:


Nguyễn Ngọc Thành

I didn’t say it is the problem. Just one likely vulnerability in your setup. But do get rid of it, and any other demo applications or whatever else might be running.


On 22 October 2013 11:38, Ngoc Thanh Nguyen thanh.hispvietnam@gmail.com wrote:


Hello Bob,


It seems you have joined some couple and some sort of short range, medium range and long range Inter Continental Ballistic Missile (ICBM) type of development programme, or some sort of Polar Satellite Launch Vehicle (PSLV) type of programme. I would rather, and perhaps, suggest you focus in diameter, more likely, on a mother and child health application development programme for life-saving things only.

Agreed, heavyweight .jsp files have never been part of DHIS 2 application development from the beginning; they should be excluded, and the more general Velocity templates should be used, as is the standard coding convention in DHIS 2 application development.



On Tuesday, 22 October 2013 3:39 PM, Bob Jolliffe bobjolliffe@gmail.com wrote:


Regards,
Brajesh Murari