Search found 11 matches
- Tue May 28, 2019 1:04 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
Have a read over the whole thread.... I'll give a few thoughts here, but this is not everything... You've most likely got a cron job re-downloading the malicious script. There may also be malicious js files scattered through the jetty/webapps folders. I found uninstalling wget and curl stopped the s...
- Wed May 22, 2019 3:40 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
I just checked our backups from the day our web interface was broken... Not sure if it's a backup from while it was broken or not, but I found this: Only in webapps/zimbra/downloads: 05x6.jsp Only in webapps/zimbra/downloads: 51Qi.jsp Only in webapps/zimbra/downloads: jfyJ.jsp Only in webapps/zimbra...
- Sat May 18, 2019 3:02 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
403 could be damaged webapps (can't think of the exact path off the top of my head) folder. We had to replace ours from a backup after mystery jsp files appeared. Rename the current folder (while zimbra is stopped) and put the backup from before it broke in place (remember to check permissions too). ...
- Fri May 10, 2019 3:13 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
We had no *known* signs of damage when we patched. I checked the entire list known at the time and saw no matching symptoms. It was about 3 days after that some additional files appeared. And then a few days later, more changes (including the cron job). Our server does not have SSH access from outsi...
- Fri May 03, 2019 5:01 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
I just found more modified files on our server (8.7 patched).... That appeared today, modified about 20 minutes ago (right while I was catching up on this thread, ironically). And /var/tmp/zmcat has now appeared. This was not present when we patched, nor was it present when we found our web interfac...
- Mon Apr 29, 2019 4:48 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
We're running 8.7.11. I will probably restore the jetty folder from a backup on Monday. Or is that a bad idea? Well, I renamed the old "webapps" directory, made a new empty one, and restored just that folder... Got the web interface back to working... For us anyway. I'm not convinced we'r...
- Sat Apr 27, 2019 11:08 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
I'm fairly sure there was nothing wrong with ports - we'd had a similar 403 issue last year that was caused by wrong ports.... This time it looks like the exploit has broken the web interface, and being the weekend I haven't looked into it yet. Monday job.
- Fri Apr 26, 2019 10:56 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
We're running 8.7.11. I will probably restore the jetty folder from a backup on Monday. Or is that a bad idea?
maxxer wrote: If you're on 8.6 there's an additional patch (P14) for IMAP
tin wrote: Is there another exploit/bug?
- Fri Apr 26, 2019 8:30 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
So I patched and restarted the server on Monday night... Seemed to work, and all was working on Tuesday. Today I got a call asking if I knew why it was coming up with 403 (which it certainly wasn't on Tuesday). After much reading of logs and looking at whether ports were misconfigured, I decided to ...
- Mon Apr 22, 2019 4:42 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 632052
Re: CVE-2019-9670 being actively exploited
Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?