It's easy to find a compromised install because the exploit campaign creates /tmp/zmcat binary on the system. It also downloads two .sh files used to fetch the binary from 185[.]106.120.118.
This is what I found in my nginx access log, so as a temporary mitigation one could block python-requests user agent (other than installing the patch, that is).
Code: Select all
104.168.158.113:48768 - - [02/Apr/2019:11:49:43 +0200] "POST /AutoDiscover/ HTTP/1.1" 503 13388 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48770 - - [02/Apr/2019:11:49:45 +0200] "POST /service/soap HTTP/1.1" 200 1042 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48772 - - [02/Apr/2019:11:49:47 +0200] "POST /service/proxy?target=https://127.0.0.1:7071/service/admin/soap/ HTTP/1.1" 200 1057 "-" "python-requests/2.9.1" "1
0.0.0.5:8443"
104.168.158.113:48774 - - [02/Apr/2019:11:49:49 +0200] "POST /service/extension/clientUploader/upload HTTP/1.1" 200 292 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48776 - - [02/Apr/2019:11:49:51 +0200] "GET /downloads/PS1q.jsp?pwd=bduXyq HTTP/1.1" 200 468 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48778 - - [02/Apr/2019:11:49:53 +0200] "POST /downloads/PS1q.jsp?pwd=bduXyq HTTP/1.1" 200 469 "-" "python-requests/2.9.1" "10.0.0.5:8443"
104.168.158.113:48780 - - [02/Apr/2019:11:49:55 +0200] "GET /img/ikDB.jsp?pwd=4BkLUS HTTP/1.1" 200 470 "-" "python-requests/2.9.1" "10.0.0.5:8443"