Did I get compromised by the recent exploit?

knappe01
Posts: 3
Joined: Wed Jul 24, 2019 1:08 pm

Did I get compromised by the recent exploit?

Post by knappe01 »

Hi,

today I've realised that I'm not able to upload attachments bigger than 500 kb or so to zimbra web.

I always get an error message which translates to "File Upload Fault"

I've tried with smaller jpgs and pdfs and they work. First I've checked zimbra's configuration:

[zimbra@mail log]$ zmprov gacf | grep zimbraMtaMaxMessageSize
zimbraMtaMaxMessageSize: 10240000
[zimbra@mail log]$  zmprov gacf | grep zimbraFileUploadMaxSize
zimbraFileUploadMaxSize: 10485760
zimbraFileUploadMaxSizePerFile: 2147483648

If I understand correctly this should not prevent me from uploading 2 MB attachments.

I then read more about the exploit that was actively used some while ago, and some people report that uploading of attachments isn't working properly anymore after they were compromised. I had already patched it when I first heard about it weeks back, but maybe I was too late?

I don't have a file called zmcat, or any suspicious shell scripts, or any executable files at all in /tmp.
I don't have a suspicious crontab entry for /opt/zimbra/lib/zmcheckexpiredcerts; I only have the legit entry for /opt/zimbra/libexec/zmcheckexpiredcerts.
I've even gone through the perl script to make sure it's okay.

What more can I check to make sure my system is clean?
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: Did I get compromised by the recent exploit?

Post by zimico »

Dear,

According to zimbra wiki, please run the following commands to see if there is any abnormal file/action:

# su - zimbra

# confirm the installed version (is the patch actually in place?)
$ zmcontrol -v

# look for the python-requests user agent and for .jsp files fetched from a downloads path
$ grep python-requests /opt/zimbra/log/access_log*
$ grep downloads /opt/zimbra/log/access_log* | grep -i jsp

# look for dropped shell scripts
$ ls -lrth /var/tmp/*.sh
$ ls -lrth /opt/zimbra/log/*.sh

# look for suspicious crontab entries
$ crontab -l | egrep -i 'zmmailboxdwatch|zmstorewatch'
$ crontab -l | egrep -i '\.sh|\.py'

This wiki content is 3/4 months old; maybe the hackers have already updated their tools...
Regards,
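The indicator checks from the reply above, plus the lib/ vs libexec/ zmcheckexpiredcerts distinction raised in the first post, wrapped as reusable shell functions and run over constructed sample data. This is an added example, not code from the thread or from the Zimbra wiki; the file names, log lines and function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or Zimbra's wiki): the indicator greps from
# the reply above as functions, exercised against constructed sample data so
# they can be tried without touching /opt/zimbra. Names and paths are assumptions.

# Count access_log lines matching the two web indicators from the reply:
# a python-requests user agent, and a "downloads" request for a .jsp (any case).
count_suspicious_access() {
    ua=$(grep -c 'python-requests' "$1" 2>/dev/null || true)
    jsp=$(grep 'downloads' "$1" 2>/dev/null | grep -ic 'jsp' || true)
    echo $(( ${ua:-0} + ${jsp:-0} ))
}

# Print crontab lines matching the indicators the thread mentions: the
# zmmailboxdwatch/zmstorewatch names, .sh/.py scripts, and the bogus
# /opt/zimbra/lib/zmcheckexpiredcerts path (the legit one is under libexec/).
flag_crontab_lines() {
    grep -iE 'zmmailboxdwatch|zmstorewatch|\.sh|\.py|/opt/zimbra/lib/zmcheckexpiredcerts' "$1" || true
}

# Constructed sample data (NOT real logs), written to a scratch directory.
write_samples() {
    dir=$1
    cat > "$dir/access_log" <<'EOF'
10.0.0.5 - - [01/Oct/2019:10:00:01 +0000] "GET /zimbra/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Oct/2019:10:00:07 +0000] "POST /service/upload HTTP/1.1" 200 88 "-" "python-requests/2.22.0"
10.0.0.9 - - [01/Oct/2019:10:00:09 +0000] "GET /downloads/x.JSP HTTP/1.1" 200 12 "-" "Mozilla/5.0"
EOF
    cat > "$dir/crontab" <<'EOF'
0 2 * * * /opt/zimbra/libexec/zmcheckexpiredcerts
*/10 * * * * /opt/zimbra/lib/zmcheckexpiredcerts
30 * * * * /opt/zimbra/libexec/zmdailyreport
EOF
}

# Stand-alone run: report the count and the flagged crontab lines.
d=$(mktemp -d)
write_samples "$d"
echo "suspicious access_log lines: $(count_suspicious_access "$d/access_log")"
echo "flagged crontab lines:"
flag_crontab_lines "$d/crontab"
rm -rf "$d"
```

On a real server, point the functions at `/opt/zimbra/log/access_log*` and at the output of `crontab -l` run as the zimbra user; a hit is a lead to inspect, not proof of compromise on its own.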