Yes Morten, I installed through the package manager. The tomcat version is Apache Tomcat/7.0.26.

Regards
Hannan

On Thu, Feb 6, 2014 at 12:07 PM, Morten Olav Hansen <morte...@gmail.com> wrote:

> Also make sure that your tomcat is up to date.. there exist several
> vulnerabilities in older versions
>
> (not sure how you installed it, but if you are using a linux distribution,
> it's wise to install it through the package manager)
>
> --
> Morten
>
>
> On Thu, Feb 6, 2014 at 1:00 PM, Knut Staring <knu...@gmail.com> wrote:
>
>> Hannan, which build of DHIS2 ? Which Java version? Ubuntu?
>>
>> Sent from my mobile
>> On Feb 6, 2014 6:29 AM, "Hannan Khan" <hann...@gmail.com> wrote:
>>
>>> Dear experts
>>>
>>> Our main DHIS2 implementation (mishealth) for the health sector was
>>> hacked yesterday evening, around 4:30 PM local time. After login by any
>>> user it is showing the attached message. We immediately stopped the tomcat7
>>> service and checked the database. We find the database is intact.
>>>
>>> After investigation I find that the hacker inserted three files to do
>>> this.
>>>
>>> First file "index.html" contains an alert "alert("Admin, You Are Hacked
>>> by Malaysia Hacker!")" and a body text <h1>Hacked by BadCat</h1>. Which
>>> was placed in the application folder /tomcat7/webapps/mishealth/.
>>>
>>> Second file "index.html" contains another script which redirects to
>>> "pastebin.com/raw.php?i=LZEdbBz6" and was placed in
>>> the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>
>>> Third file "guige.jsp" contains a script and was placed in
>>> the /tomcat7/webapps/mishealth/dhis-web-commons/security/.
>>>
>>> For our server, it seems that only the first file is executing after login.
>>> I find a few more suspicious files which I am investigating and will share
>>> with the experts in the next few days.
>>>
>>> I configured the server so that the only external open port is 8080. The
>>> other two ports (SSH and WEBMIN) are open for internal IP only. External
>>> access is possible only through VPN client. According to the firewall
>>> maintaining vendor, that hacker might access through 8080. How do we
>>> prevent and secure that?
>>>
>>> I configured the database on another server and that server is only
>>> accessible through one private IP block. The tomcat server, the backup
>>> servers and our administrator/development team are in that block.
>>>
>>> Now please suggest how we can secure our servers more.
>>>
>>> Regards
>>>
>>> Muhammad Abdul Hannan Khan
>>> --------------------------------------------------
>>> Senior Technical Advisor - HIS
>>> Priority Area Health
>>> Deutsche Gesellschaft für Internationale Zusammenarbeit (GIZ) GmbH
>>> House10/A, Road 90, Gulshan 2, Dhaka 1212, Bangladesh
>>>
>>> T +880-2- 8816459, 8816412 ext 118
>>> M +88 01819 239 241
>>> M +88 01534 312 066
>>> F +88 02 8813 875
>>> E hannan.k...@giz.de
>>> S hannan.khan.dhaka
>>> B hannan-tech.blogspot.com
>>>

_______________________________________________
Mailing list: https://launchpad.net/~dhis2-devs
Post to     : dhis2-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~dhis2-devs
More help   : https://help.launchpad.net/ListHelp
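
The report in this thread names three files placed inside the deployed webapp directory. One way to find such changes is to compare the deployed directory with the WAR it was deployed from; the following is an added example, not part of the original thread and not DHIS2 or Tomcat code. It assumes a trusted copy of the WAR is still available; `audit_webapp`, `demo` and all sample file contents are constructed for illustration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


def audit_webapp(war_path, deployed_dir):
    """Return (added, modified) paths in deployed_dir relative to the WAR."""
    with zipfile.ZipFile(war_path) as war:
        expected = {i.filename: _sha256(war.read(i))
                    for i in war.infolist() if not i.is_dir()}
    added, modified = [], []
    root = Path(deployed_dir)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if rel not in expected:
            added.append(rel)        # file the archive never shipped
        elif _sha256(path.read_bytes()) != expected[rel]:
            modified.append(rel)     # shipped file whose content changed
    return added, modified


def demo():
    """Audit a constructed WAR against a deployment altered as in the report."""
    with tempfile.TemporaryDirectory() as tmp:
        war = Path(tmp) / "mishealth.war"
        deployed = Path(tmp) / "webapps" / "mishealth"
        with zipfile.ZipFile(war, "w") as z:  # constructed sample content
            z.writestr("index.html", b"<html>original start page</html>")
            z.writestr("dhis-web-commons/security/login.html", b"login form")
        with zipfile.ZipFile(war) as z:
            z.extractall(deployed)
        # Constructed stand-ins for the three files named in the message.
        security = deployed / "dhis-web-commons" / "security"
        (deployed / "index.html").write_bytes(b"<h1>replaced</h1>")
        (security / "index.html").write_bytes(b"placeholder")
        (security / "guige.jsp").write_bytes(b"placeholder")
        return audit_webapp(war, deployed)


if __name__ == "__main__":
    added, modified = demo()
    print("added:   ", added)
    print("modified:", modified)
```

Files the application legitimately writes into its own directory at runtime are also reported as added, so the output has to be reviewed against what the application is expected to create.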