Search found 7 matches

by lucadevac
Tue May 21, 2019 10:18 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited (Hacked Server)
Replies: 248
Views: 630635

Re: CVE-2019-9670 being actively exploited

halfgaar wrote: Smart.

Are you still in a position to do 'diff -r' on the dirs? I'd like to see the difference.

Sorry, I'm not, because the hacked server was already removed.
By the way, from what I have seen, there were some files missing: hostedlogin.jsp, authorize.jsp and access.jsp for sure.
by lucadevac
Mon May 20, 2019 1:39 pm

Re: CVE-2019-9670 being actively exploited

403 could be damaged webapps (can't think of the exact path off the top of my head) folder. We had to replace ours from a backup after mystery jsp files appeared. Rename the current folder (while Zimbra is stopped) and put the backup from before it broke in place (remember to check permissions too)....
by lucadevac
Fri May 17, 2019 1:26 pm

Re: CVE-2019-9670 being actively exploited

Because from there (https://wiki.zimbra.com/wiki/Enabling_Zimbra_Proxy_and_memcached) I see: This command sets mail.domain.com as the public hostname to be used for access to all domains in the Zimbra directory: zmprov mcf zimbraPublicServiceHostname mail.domain.com so it looks like it's global already....
by lucadevac
Fri May 17, 2019 1:20 pm

Re: CVE-2019-9670 being actively exploited

Yes, MYDOMAIN is something like "mail.MYDOMAIN.COM", so an FQDN.

But I can't understand what you mean by a "global" set of zimbraPublic* values.
Please, can you point me to the right command to do that?

Thank you
by lucadevac
Fri May 17, 2019 12:26 pm

Re: CVE-2019-9670 being actively exploited

Yes, they are:

zmprov mcf zimbraPublicServicePort 443
zmprov mcf zimbraPublicServiceProtocol https
zmprov mcf zimbraPublicServiceHostname MYDOMAIN
by lucadevac
Fri May 17, 2019 12:03 pm

Re: CVE-2019-9670 being actively exploited

If I log in to the administrative interface with the URL: https://MYDOMAIN:7071/zimbraAdmin/ I can enter the administrative panel. But if I try to enter with the URL: https://MYDOMAIN:7071 or only https://MYDOMAIN, I always receive a 403 error. Also if, from the administrative area I try to see t...
by lucadevac
Fri May 17, 2019 10:12 am

Re: CVE-2019-9670 being actively exploited

Hi all, and thank you for this great thread. Actually, we have got some trouble with this CVE, on one of our servers (8.7.11) that I patched with the latest patch (8.7.11_P11) just 2 fuc_ing days ago. I think that maybe the attacker got me a couple of days before the patch. We have already ...