Zimbra AJAX Webmail not loading

[pprovasi]

I had the same problem on May 24, 2019 in the afternoon.

With the same errors reported in the logs files.

I have :
zimbra @ exa3: ~ $ zmcontrol -v
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition.

On Monday I applied the AB_Zimbra solution and it worked one day.
Unable to attach files.
On Tuesday May 28, I had to reapply the solution. The problem is recurrent.

Has anyone found the solution?

thank you

[yvespires]

If you cant patch your zimbra follow this to prevent infection: https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/

Block IPS attacking
Kill the process zmswatch
Do not delete the suspicious files, just change permissions.
Remove cron entries
Rename wget, this prevent scripts downloads.
Remove admin accounts.
Change your admin password

[Marcosebas]

Hi guys,

How can I edit the crontab?

[pprovasi]

I had the same problem on May 24, 2019 in the afternoon.

With the same errors reported in the logs files.

I have :
zimbra @ exa3: ~ $ zmcontrol -v
Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition.

On Monday I applied the AB_Zimbra solution and it worked one day.
Unable to attach files.
On Tuesday May 28, I had to reapply the solution. The problem is recurrent.

Has anyone found the solution?

thank you

ZIMBRA - La Solución al Login Predeterminado con Ajax
---------------------------------------------------------------------

Yo tengo Ubuntu Server 14.04 LTS

zimbra@exa3:~$ zmcontrol -v

Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition.


1) Apagar el Zimbra & Apache

$ sudo su

# service apache2 stop

# su - zimbra

$ zmcontrol stop


2) Hacer un Upgrade diario de los parches del Ubuntu hasta que Ubuntu encuentre la solución.

$ sudo apt update
$ sudo apt upgrade


3) Borrar todo el contenido del directorio /tmp incluyendo archivos ocultos


4) Aplicar los permisos

$ sudo su
# chmod -R 0750 webapps/
# chmod 755 /opt/zimbra/data/tmp/upload/


5) Reiniciar el Sistema

$ sudo shutdown -r now



NOTA: A mi me funcionó. Ahora puedo hacer login con Ajax y adjuntar archivos a los mensajes.

No se si el problema no reaparecerá mañana. Ataque externo (Puerta abierta) o Infectado (interno).
Cambien las calves de sus sistemas por mas de 15 caracteres combinando símbolos y números.


COMENTARIOS:
----------------------
Esto no es un problema de Zimbra. La vulnerabilidad tiene que ver con el SO.

El sistema podría estar infectado o tener una puerta abierta.
Todo me lleva a pensar que fue un ataque a través del Apache puerto 443 y 80 y un trabajo muy fino por parte del hacker.

Yo tengo aplicado el Firewall UFW, obviamente con los puertos abiertos para Zimbra.
Por eso digo que es un ataque muy fino.

Habría que aplicar parches al ubuntu a diario.... puesto que seguramente como esto fue reportado a nivel mundial,
ya estarán trabajando en la solución.

Yo lo estaré reportando en Ubuntu también.

Saludos
Pablo

[pprovasi]

We had exactly the same issue. And I saw that the files had the wrong permissions (executable instead of writeable).

Version: 8.7.11_GA_3800.NETWORK

I did the following (as root);
cd /opt/zimbra/mailboxd
find webapps -type d -exec chmod 0755 {} \;
find webapps -type f -exec chmod 0644 {} \;

Then restart Zimbra;
su - zimbra
zmcontrol restart

After that, everything working fine again and no such messages in the logs anymore.

Hello
With this solution the Login with Ajax was reestablished but files can not be attached.

I applied the solution on Monday, and on Tuesday the problem reappeared.

regards

[pprovasi]

ZIMBRA - The Solution to Login Default with Ajax
-------------------------------------------------- ----

I have Ubuntu Server 14.04 LTS

zimbra@exa3:~$ zmcontrol -v

Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition.



1) Stop Zimbra & Apache

$ sudo su

# service apache2 stop

# su - zimbra

$ zmcontrol stop


2) Make a daily upgrade of the Ubuntu patches until Ubuntu finds the solution.

$ sudo apt update
$ sudo apt upgrade


3) Delete all contents of the /tmp directory including hidden files.


4) Apply the permissions.

$ sudo su
# chmod -R 0750 webapps/
# chmod 755 /opt/zimbra/data/tmp/upload/


5) Restart the Operating System

$ sudo shutdown -r now



NOTE: It worked for me. Now I can login with Ajax and attach files to messages.

I do not know if the problem will not reappear tomorrow. External attack (Open door) or Infected (internal).
Change your system's keys for more than 15 characters by combining symbols and numbers.


COMMENTS:
-----------
This is not a Zimbra problem. The vulnerability has to do with the OS.

The system could be infected or have an open door.
Everything leads me to think that it was an attack through the Apache port 443 and 80 and a very fine job by the hacker.

I have applied the UFW Firewall, obviously with open ports for Zimbra.
That's why I say it's a very fine attack.

It would be necessary to apply patches to the ubuntu daily ... since surely as this was reported worldwide,
They will already be working on the solution.

I will be reporting on Ubuntu as well.

Regards
Pablo

[snypden]

under uzer zimbra:
#show all cron jobs
crontab -l

#edit cron jobs
crontab -e

#remove all cron jobs
crontab -r

[willian.barker]

I have the same problem.

This commands bellow fix my problem

I did the following (as root);
cd /opt/zimbra/mailboxd
find webapps -type d -exec chmod 0755 {} \;
find webapps -type f -exec chmod 0644 {} \;

Then restart Zimbra;
su - zimbra
zmcontrol restart


Thanks.

[phoenix]

IThis commands bellow fix my problem

That's not a fix for your problem, if you read through the posts on this topic you'll find your server has been hacked and you need to fix that now.

[koval1986]

Who managed to overcome ZMWATCH completely without return. I have 4 hours and everything comes back!