Search found 11 matches

by tin
Tue May 28, 2019 1:04 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

Have a read over the whole thread.... I'll give a few thoughts here, but this is not everything... You've most likely got a cron job re-downloading the malicious script. There may also be malicious js files scattered through the jetty/webapps folders. I found uninstalling wget and curl stopped the s...
by tin
Wed May 22, 2019 3:40 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

I just checked our backups from the day our web interface was broken... Not sure if it's a backup from while it was broken or not, but I found this: Only in webapps/zimbra/downloads: 05x6.jsp Only in webapps/zimbra/downloads: 51Qi.jsp Only in webapps/zimbra/downloads: jfyJ.jsp Only in webapps/zimbra...
by tin
Sat May 18, 2019 3:02 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

403 could be damaged webapps (can't think of the exact path off the top of my head) folder. We had to replace ours from a backup after mystery jsp files appeared. Rename the current folder (while zimbra is stopped) and put the backup from before it broke in place (remember to check permissions too). ...
by tin
Fri May 10, 2019 3:13 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

We had no *known* signs of damage when we patched. I checked the entire list known at the time and saw no matching symptoms. It was about 3 days after that some additional files appeared. And then a few days later, more changes (including the cron job). Our server does not have SSH access from outsi...
by tin
Fri May 03, 2019 5:01 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

I just found more modified files on our server (8.7 patched).... That appeared today, modified about 20 minutes ago (right while I was catching up on this thread, ironically). And /var/tmp/zmcat has now appeared. This was not present when we patched, nor was it present when we found our web interfac...
by tin
Mon Apr 29, 2019 4:48 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

We're running 8.7.11. I will probably restore the jetty folder from a backup on Monday. Or is that a bad idea? Well, I renamed the old "webapps" directory, made a new empty one, and restored just that folder... Got the web interface back to working... For us anyway. I'm not convinced we'r...
by tin
Sat Apr 27, 2019 11:08 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

I'm fairly sure there was nothing wrong with ports - we'd had a similar 403 issue last year that was caused by wrong ports.... This time it looks like the exploit has broken the web interface, and being the weekend I haven't looked into it yet. Monday job.
by tin
Fri Apr 26, 2019 10:56 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

maxxer wrote:
tin wrote: Is there another exploit/bug?
If you're on 8.6 there's an additional patch (P14) for IMAP
We're running 8.7.11. I will probably restore the jetty folder from a backup on Monday. Or is that a bad idea?
by tin
Fri Apr 26, 2019 8:30 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

So I patched and restarted the server on Monday night... Seemed to work, and all was working on Tuesday. Today I got a call asking if I knew why it was coming up with 403 (which it certainly wasn't on Tuesday). After much reading of logs and looking at whether ports were misconfigured, I decided to ...
by tin
Mon Apr 22, 2019 4:42 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 631860

Re: CVE-2019-9670 being actively exploited

Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?