CVE-2019-9670 being actively exploited (Hacked Server)
Re: CVE-2019-9670 being actively exploited
Hello Sirs,
Found a new script that was added to my crontab; tried removing it, but unless we find the source, I'm afraid it will just come back to wreak havoc on our system. Any ideas?
# crontab -l -u zimbra
*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts
# ls -la /opt/zimbra/lib/zmcheckexpiredcerts
-rwxr-x--- 1 zimbra zimbra 64728 Jun 3 06:24 /opt/zimbra/lib/zmcheckexpiredcerts
# more /opt/zimbra/lib/zmcheckexpiredcerts
******** /opt/zimbra/lib/zmcheckexpiredcerts: Not a text file ********
Re: CVE-2019-9670 being actively exploited
marnellej wrote:
Found a new script that was added to my crontab, tried removing it but unless we find the source, I'm afraid it will just come back to wreak havoc on our system.

Have you considered moving ZCS config and users to a new ZCS installation? That's easily done with the ZeXtras Migration Tool: it will copy all your users and the ZCS config and none of the current problems you have, and you can get yourself onto the most recent ZCS 8.8.12.
Re: CVE-2019-9670 being actively exploited
Hi jaca_sv.

jaca_sv wrote:
fcourtaud wrote:
Clean all of the .jsp, .java and .class you'll find with
Hello fcourtaud,
By "clean all of the .jsp, .java and .class" do you mean delete the suspicious lines or completely delete the files?
All the files found with "request\.getParameter" are not supposed to be on the server?

The best thing is to set up a brand new Zimbra (same version) and compare all of the files listed between both installs.
Remove the ones only present on the infected machine and copy the others.
Someone on the forum used this command
grep "if.*equals(" -R /opt/zimbra/mailboxd/
That returns a lot of lines; look for the ones looking like
:if ( "YuJb8NsE6pVFNish3_leYERZRwt4Za27GVdS4H2lNZM" .equals(
The string YuJb8NsE6pVFNish3_leYERZRwt4Za27GVdS4H2lNZM won't be the same.
Then grep "string found earlier" -R /opt/zimbra/mailboxd
grep "string found earlier" -R /opt/zimbra/jetty
and so on...
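The comparison fcourtaud describes, worked through as an added example (this is not code from the thread, from fcourtaud, or from Zimbra): a POSIX shell script that lists the files present only on the suspect install, the files present on both installs whose contents differ, and the files matching the `if ( "<long token>" .equals(` gate, then extracts the distinct tokens so each one can be grepped for across the other directories. The two directory trees, their file names and contents are constructed samples built under a temp dir; to use it for real, point CLEAN and SUSPECT at the fresh and the infected /opt/zimbra/mailboxd trees.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra. Compares a known-clean
# install tree against a suspect one and hunts for the
#   if ( "<long token>" .equals(
# gate described in the post above. Everything under $WORK is constructed
# for the demo; set CLEAN/SUSPECT to the real trees to use it.
set -eu

WORK=$(mktemp -d)
CLEAN="$WORK/clean/mailboxd"       # stand-in for a fresh install's /opt/zimbra/mailboxd
SUSPECT="$WORK/suspect/mailboxd"   # stand-in for the infected install's tree

# --- constructed sample trees -----------------------------------------------
mkdir -p "$CLEAN/webapps/zimbra/public" \
         "$SUSPECT/webapps/zimbra/public" "$SUSPECT/webapps/zimbra/img"
# legitimate page, identical on both installs
printf '<%%@ page import="java.util.*" %%>\nhello\n' > "$CLEAN/webapps/zimbra/public/login.jsp"
cp "$CLEAN/webapps/zimbra/public/login.jsp" "$SUSPECT/webapps/zimbra/public/login.jsp"
# constructed gate line; the token is made up and the body is omitted
GATE='<%% if ( "CONSTRUCTED_TOKEN_Qz8vP1mLx2N7yRk4Td9W" .equals( request.getParameter("p") ) ) { /* body omitted */ } %%>\n'
# legitimate page that was tampered with on the suspect install
printf 'legit\n' > "$CLEAN/webapps/zimbra/public/index.jsp"
printf 'legit\n' > "$SUSPECT/webapps/zimbra/public/index.jsp"
printf "$GATE" >> "$SUSPECT/webapps/zimbra/public/index.jsp"
# file that exists only on the suspect install
printf "$GATE" > "$SUSPECT/webapps/zimbra/img/help.jsp"

# relative, sorted file list of a tree, so comm(1) can compare two of them
file_list() { (cd "$1" && find . -type f | LC_ALL=C sort); }

# files present only in the suspect tree ($2): candidates for removal
extra_files() {
    file_list "$1" > "$WORK/clean.lst"
    file_list "$2" > "$WORK/suspect.lst"
    LC_ALL=C comm -13 "$WORK/clean.lst" "$WORK/suspect.lst"
}

# files present in both trees whose contents differ: restore from the clean copy
changed_files() {
    file_list "$1" > "$WORK/clean.lst"
    file_list "$2" > "$WORK/suspect.lst"
    LC_ALL=C comm -12 "$WORK/clean.lst" "$WORK/suspect.lst" | while IFS= read -r f; do
        cmp -s "$1/$f" "$2/$f" || printf '%s\n' "$f"
    done
}

# the gate: "if", a quoted token of 20+ [A-Za-z0-9_-] chars, then .equals(
GATE_RE='if *\( *"[A-Za-z0-9_-]{20,}" *\.equals *\('
gate_files() { grep -rlE "$GATE_RE" "$1" | LC_ALL=C sort; }

# distinct tokens, for the follow-up grep across /opt/zimbra/jetty etc.
gate_tokens() {
    grep -rhoE "$GATE_RE" "$1" | sed -E 's/.*"([^"]+)".*/\1/' | LC_ALL=C sort -u
}

# every file under a tree that mentions a given token (fixed string)
token_files() { grep -rlF -- "$2" "$1" | LC_ALL=C sort; }

echo "== only on suspect ==";   extra_files "$CLEAN" "$SUSPECT"
echo "== modified ==";          changed_files "$CLEAN" "$SUSPECT"
echo "== gate pattern hits =="; gate_files "$SUSPECT"
echo "== tokens ==";            gate_tokens "$SUSPECT"
```

The file-list diff catches dropped files whatever their contents, and the content compare catches edits to legitimate files; the token grep is only a second net for the specific gate style quoted above, so a clean hit count from it does not by itself mean the tree is clean.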
Re: CVE-2019-9670 being actively exploited
Hello Bill,

phoenix wrote:
Have you considered moving ZCS config and users to a new ZCS installation? That's easily done with the ZeXtras Migration Tool, it will copy all your users and the ZCS config and none of the current problems you have and you can get yourself onto the most recent ZCS 8.8.12.
marnellej wrote:
Found a new script that was added to my crontab, tried removing it but unless we find the source, I'm afraid it will just come back to wreak havoc on our system.

It's easy; however, it is expensive with many mailboxes.
600 mailboxes -> $5000 per year
It's not so easy.
Tedd
- zimico
- Outstanding Member
- Posts: 225
- Joined: Mon Nov 14, 2016 8:03 am
- Location: Vietnam
- ZCS/ZD Version: 8.8.15 P3
- Contact:
Re: CVE-2019-9670 being actively exploited
Hi Tedd,
Migrating to a new server is recommended by the Zimbra support team. Why does it cost you $5000 per year? There are several supported ways to do the migration. You can use imapsync for free, for example.
Regards,
Minh.
Re: CVE-2019-9670 being actively exploited
Hello,
Got hacked too. Dealing with it since 28th May, and till I got some time to install a new VM and upgrade till the last version... to 8.6 P4, then 8.6 P14 and finally the very last major version... a job which will begin tomorrow.
I patched onto P14 too late, the system was already hacked... no "/opt/zimbra" backups... only mailboxes...
(I got zmswatch -.sh etc. and zmcheckexpiredcerts too since today...)
Question about upgrading a new system from a full export backup: >> That's easily done with the ZeXtras Migration Tool
Is that tool enabled for this version?
--> Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P14
Was 8.6 NETWORK edition on P4 before patching, and will certainly be on the future system restored before upgrade.
Thank you in advance for any replies about this tool. I will try to find out anyway tomorrow... already read that it should be a slow upgrade, like -> 8.6, then 8.7.11, then the next again etc.
Would like to upgrade as soon and fast as possible ^^
regards,
Scrubudu
Re: CVE-2019-9670 being actively exploited
Hi,
With the ZeXtras Migration Tool you can migrate from 8.6 to 8.8.12 directly.
Best regards,
Minh
Re: CVE-2019-9670 being actively exploited
marnellej> I confirm I also had /opt/zimbra/lib/zmcheckexpiredcerts, /opt/zimbra/lib/zmlogswatch and /opt/zimbra/lib/zmmailboxdwatch in some of my systems.
These files seem not to belong there.
With Regards
Re: CVE-2019-9670 being actively exploited
Drake wrote:
marnellej> I confirm I also had /opt/zimbra/lib/zmcheckexpiredcerts, /opt/zimbra/lib/zmlogswatch and /opt/zimbra/lib/zmmailboxdwatch in some of my systems.
These files seem not to belong there.
With Regards

Same here, on an already patched 8.6 FOSS edition. I've re-cleaned and am waiting to restart the server.
Re: CVE-2019-9670 being actively exploited
Hello, I just noticed that there are two zmcheckexpiredcerts files in my system:
a binary /opt/zimbra/lib/zmcheckexpiredcerts
and a script
/opt/zimbra/libexec/zmcheckexpiredcerts
*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts was recently added at the end of /var/spool/cron/crontabs/zimbra
but in /opt/zimbra/zimbramon/crontabs/crontab there is
# SSL Certificate Expiration Checks
#
0 0 1 * * /opt/zimbra/libexec/zmcheckexpiredcerts -days 30 -email
I think the binary is a part of the exploit and the script should be a part of Zimbra.
Can someone confirm it?
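The check behind this question, written up as an added example (not code from the thread or from Zimbra): the live `crontab -l -u zimbra` output is compared against the Zimbra-managed crontab source quoted above (/opt/zimbra/zimbramon/crontabs/crontab), and the command path of every entry that has no managed counterpart is reported as a text script or a binary, which is the distinction `more` made with its "Not a text file" message. The two crontab contents and the two zmcheckexpiredcerts files are constructed samples under a temp dir, and the hypothetical `demo_path` helper only remaps /opt/zimbra onto that dir for the demo; it would be dropped for real use.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra. Lists entries in the live
# zimbra crontab that have no counterpart in the Zimbra-managed crontab source
# (/opt/zimbra/zimbramon/crontabs/crontab) and reports whether each such
# command is a text script or a binary. Everything under $WORK is constructed.
set -eu

WORK=$(mktemp -d)
MANAGED="$WORK/managed_crontab"  # stand-in for /opt/zimbra/zimbramon/crontabs/crontab
LIVE="$WORK/live_crontab"        # stand-in for the output of: crontab -l -u zimbra
LIB="$WORK/lib"; LIBEXEC="$WORK/libexec"
mkdir -p "$LIB" "$LIBEXEC"

# --- constructed samples, modelled on the lines quoted in the thread ---------
cat > "$MANAGED" <<'EOF'
# SSL Certificate Expiration Checks
#
0 0 1 * * /opt/zimbra/libexec/zmcheckexpiredcerts -days 30 -email
EOF
cat > "$LIVE" <<'EOF'
# SSL Certificate Expiration Checks
#
0 0 1 * * /opt/zimbra/libexec/zmcheckexpiredcerts -days 30 -email
*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts
EOF
# the shipped script is text; the dropped file is given a few non-printable bytes
printf '#!/bin/bash\necho "certificate check (constructed)"\n' > "$LIBEXEC/zmcheckexpiredcerts"
printf '\177ELF\001\001\001\000\000constructed binary\n' > "$LIB/zmcheckexpiredcerts"

# demo only (hypothetical helper): map /opt/zimbra/... onto the temp dir
demo_path() { printf '%s\n' "$1" | sed "s|^/opt/zimbra|$WORK|"; }

# crontab entries without comments and blank lines, whitespace normalised
entries() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | tr -s '[:blank:]' ' '
}

# live entries ($1) that do not appear verbatim in the managed file ($2)
unmanaged_entries() {
    entries "$2" > "$WORK/managed.lst"
    entries "$1" | grep -vxF -f "$WORK/managed.lst" || true
}

# the sixth whitespace-separated field of a crontab line is the command
command_path() { printf '%s\n' "$1" | awk '{print $6}'; }

# "text" if every byte is printable or whitespace, otherwise "binary"
file_kind() {
    if [ "$(LC_ALL=C tr -d '[:print:][:space:]' < "$1" | wc -c | tr -d ' ')" -eq 0 ]; then
        echo text
    else
        echo binary
    fi
}

# one line per unmanaged entry: <command path> <text|binary|missing>
report() {
    unmanaged_entries "$1" "$2" | while IFS= read -r line; do
        cmd=$(command_path "$line")
        real=$(demo_path "$cmd")
        if [ -e "$real" ]; then
            printf '%s %s\n' "$cmd" "$(file_kind "$real")"
        else
            printf '%s missing\n' "$cmd"
        fi
    done
}

report "$LIVE" "$MANAGED"
```

On the constructed input the report is a single line, the `*/60` entry pointing at a binary under /opt/zimbra/lib, while the `0 0 1 * *` libexec entry is silent because the managed file vouches for it. Comparing against the managed source rather than eyeballing the live crontab is what separates the two same-named files the post asks about.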