CVE-2019-9670 being actively exploited (Hacked Server)
marnellej
Posts: 8
Joined: Sat Sep 13, 2014 2:05 am

Re: CVE-2019-9670 being actively exploited

Post by marnellej »

Hello Sirs,

Found a new script that was added to my CRONTAB, tried removing it, but unless we find the source, I'm afraid it will just come back to wreak havoc on our system. Any ideas?

# crontab -l -u zimbra
*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts

# ls -la /opt/zimbra/lib/zmcheckexpiredcerts
-rwxr-x--- 1 zimbra zimbra 64728 Jun 3 06:24 /opt/zimbra/lib/zmcheckexpiredcerts

# more /opt/zimbra/lib/zmcheckexpiredcerts
******** /opt/zimbra/lib/zmcheckexpiredcerts: Not a text file ********
phoenix
Ambassador
Posts: 27278
Joined: Fri Sep 12, 2014 9:56 pm
Location: Liverpool, England

Re: CVE-2019-9670 being actively exploited

Post by phoenix »

marnellej wrote:Found a new script that was added to my CRONTAB, tried removing it, but unless we find the source, I'm afraid it will just come back to wreak havoc on our system.
Have you considered moving the ZCS config and users to a new ZCS installation? That's easily done with the ZeXtras Migration Tool: it will copy all your users and the ZCS config, and none of the current problems you have, and you can get yourself onto the most recent ZCS 8.8.12.
Regards

Bill

Rspamd: A high performance spamassassin replacement

Per ardua ad astra
fcourtaud
Posts: 2
Joined: Thu May 30, 2019 10:29 am

Re: CVE-2019-9670 being actively exploited

Post by fcourtaud »

jaca_sv wrote:
fcourtaud wrote:Clean all of the .jsp, .java and .class you'll find with

Hello fcourtaud,
By "clean all of the .jsp, .java and .class" do you mean delete the suspicious lines or completely delete the files?
Are all the files found with "request\.getParameter" not supposed to be on the server?
Hi jaca_sv.

The best thing is to set up a brand new Zimbra (same version) and compare all of the files listed between both installs.
Remove the ones only present on the infected machine and copy the others.

Someone on the forum used this command
grep "if.*equals(" -R /opt/zimbra/mailboxd/

That returns a lot of lines; look for the ones that look like
:if ( "YuJb8NsE6pVFNish3_leYERZRwt4Za27GVdS4H2lNZM" .equals(
The string YuJb8NsE6pVFNish3_leYERZRwt4Za27GVdS4H2lNZM won't be the same.

Then
grep "string found earlier" -R /opt/zimbra/mailboxd
grep "string found earlier" -R /opt/zimbra/jetty

and so on...
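The two-pass search described above (find hardcoded-token comparisons in the web tree, then grep the extracted token across other trees), as an added Python example that is not part of the original post. It runs on a constructed sample tree; the directory layout and the `find_tokens`/`find_references` names are assumptions for illustration, and the token reused from the thread is only sample data.

```python
import re
import tempfile
from pathlib import Path

# Pattern from the thread: a long hardcoded literal compared against input,
# e.g.  if ( "YuJb8NsE6pVFNish3_leYERZRwt4Za27GVdS4H2lNZM" .equals(
TOKEN_EQUALS = re.compile(r'if\s*\(\s*"([A-Za-z0-9_\-]{20,})"\s*\.equals\(')
SOURCE_SUFFIXES = {".jsp", ".java", ".class"}


def find_tokens(root):
    """First pass: {token: [paths]} for hardcoded-token comparisons in web sources."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.suffix not in SOURCE_SUFFIXES or not path.is_file():
            continue
        text = path.read_text(errors="replace")  # .class files are binary; tolerate
        for token in TOKEN_EQUALS.findall(text):
            hits.setdefault(token, []).append(str(path))
    return hits


def find_references(token, roots):
    """Second pass: every file under the given trees that contains the token."""
    refs = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file() and token in path.read_bytes().decode("latin-1"):
                refs.append(str(path))
    return sorted(set(refs))


def demo():
    """Constructed sample tree (not a real Zimbra install); returns both passes' findings."""
    base = Path(tempfile.mkdtemp())
    jsp_dir = base / "mailboxd" / "webapps" / "zimbra" / "public"
    jsp_dir.mkdir(parents=True)
    # Benign: short literal, ordinary JSP logic; must not be flagged.
    (jsp_dir / "index.jsp").write_text('<% if ("POST".equals(request.getMethod())) { %>\n')
    # Suspicious: long random literal compared against a request parameter.
    (jsp_dir / "x.jsp").write_text(
        '<% if ( "YuJb8NsE6pVFNish3_leYERZRwt4Za27GVdS4H2lNZM" .equals(request.getParameter("k"))) { %>\n')
    jetty = base / "jetty" / "etc"
    jetty.mkdir(parents=True)
    (jetty / "notes.txt").write_text("key=YuJb8NsE6pVFNish3_leYERZRwt4Za27GVdS4H2lNZM\n")
    tokens = find_tokens(base / "mailboxd")
    refs = {t: find_references(t, [base / "mailboxd", base / "jetty"]) for t in tokens}
    return {"tokens": tokens, "references": refs}
```

On a live host, point `find_tokens` at /opt/zimbra/mailboxd and `find_references` at both /opt/zimbra/mailboxd and /opt/zimbra/jetty, then compare each hit against a clean install of the same version as the post advises.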
Tedd_DSI
Posts: 2
Joined: Mon May 27, 2019 7:12 am

Re: CVE-2019-9670 being actively exploited

Post by Tedd_DSI »

phoenix wrote:
marnellej wrote:Found a new script that was added to my CRONTAB, trired removing it but unless we find the source, I'm afraid it will just come back to wreck havok on our system.
Have you considered moiving ZCS config and users to a new ZCS installation? That's easily done with the ZeXtras Migration Tool, it will copy all your users and the ZCS config and none of the current problems you have and you can get yourself onto the most recent ZCS 8.8.12.
Hello Bill,

It's easy; however, it is expensive with many mailboxes.
600 mailboxes -> $5000 per year.
It's not so easy.

Tedd
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: CVE-2019-9670 being actively exploited

Post by zimico »

Hi Tedd,
Migrating to a new server is recommended by the Zimbra support team. Why does it cost you $5000 per year? There are several supported ways to do the migration. You can use imapsync for free, for example.
Regards,
Minh.
scrubudu
Posts: 4
Joined: Mon Jun 03, 2019 9:12 pm

Re: CVE-2019-9670 being actively exploited

Post by scrubudu »

Hello,

Got hacked too. Dealing with it since 28th May, until I got some time to install a new VM and upgrade to the last version: to 8.6 P4, then 8.6 P14 and finally the very last major version, a job which will begin tomorrow.
I patched to P14 too late; the system was already hacked. No "/opt/zimbra" backups, only mailboxes.
(I got zmswatch -.sh etc. and zmcheckexpiredcerts too since today.)

Question about upgrading a new system from a full export backup:
>> That's easily done with the ZeXtras Migration Tool

Is that tool enabled for this version?
--> Release 8.6.0.GA.1153.UBUNTU14.64 UBUNTU14_64 FOSS edition, Patch 8.6.0_P14

It was 8.6 NETWORK edition on P4 before patching, and it will certainly be on the future system restored before the upgrade.

Thank you in advance for replies about this tool. I will try to find out anyway tomorrow; I already read that it should be a slow upgrade, like -> 8.6, then 8.7.11, then the next again, etc.

I would like to upgrade as soon and as fast as possible ^^
regards,

Scrubudu
zimico
Outstanding Member
Posts: 225
Joined: Mon Nov 14, 2016 8:03 am
Location: Vietnam
ZCS/ZD Version: 8.8.15 P3

Re: CVE-2019-9670 being actively exploited

Post by zimico »

Hi,
With the ZeXtras Migration Tool you can migrate from 8.6 to 8.8.12 directly.
Best regards,
Minh
Drake
Posts: 8
Joined: Tue May 28, 2019 8:52 am

Re: CVE-2019-9670 being actively exploited

Post by Drake »

marnellej> I confirm I also had /opt/zimbra/lib/zmcheckexpiredcerts, /opt/zimbra/lib/zmlogswatch and /opt/zimbra/lib/zmmailboxdwatch on some of my systems.
These files seem not to be destined there.

With Regards
fladnar
Posts: 29
Joined: Tue Jun 04, 2019 10:17 am

Re: CVE-2019-9670 being actively exploited

Post by fladnar »

Drake wrote:marnellej> I confirm I also had /opt/zimbra/lib/zmcheckexpiredcerts, /opt/zimbra/lib/zmlogswatch and /opt/zimbra/lib/zmmailboxdwatch on some of my systems.
These files seem not to be destined there.

With Regards
Same here, on an already patched 8.6 FOSS edition. I've re-cleaned and am waiting to restart the server.
Media
Posts: 8
Joined: Wed May 24, 2017 1:49 pm
ZCS/ZD Version: 8.6.0.GA.1153.UBUNTU14.64 patch P14

Re: CVE-2019-9670 being actively exploited

Post by Media »

Hello, I just noticed that there are two zmcheckexpiredcerts files on my system:
a binary /opt/zimbra/lib/zmcheckexpiredcerts
and a script /opt/zimbra/libexec/zmcheckexpiredcerts

*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts was recently added at the end of /var/spool/cron/crontabs/zimbra,
but in /opt/zimbra/zimbramon/crontabs/crontab there is

# SSL Certificate Expiration Checks
#
0 0 1 * * /opt/zimbra/libexec/zmcheckexpiredcerts -days 30 -email

I think the binary is a part of the exploit and the script should be a part of Zimbra.
Can someone confirm it?
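A triage check for the situation described in this post and marnellej's earlier one: diff the live zimbra crontab against the zimbramon baseline and, for each entry that is not in the baseline, test whether its command is an ELF binary (what `more` reports as "Not a text file"). This is an added example, not Zimbra's code; it assumes the baseline is the single file /opt/zimbra/zimbramon/crontabs/crontab and uses constructed crontab text and a constructed fake binary.

```python
import tempfile
from pathlib import Path

# Constructed crontab text modelled on the thread (not copied from a real host).
LIVE_CRONTAB = """\
# SSL Certificate Expiration Checks
#
0 0 1 * * /opt/zimbra/libexec/zmcheckexpiredcerts -days 30 -email
*/60 * * * * /opt/zimbra/lib/zmcheckexpiredcerts
"""
BASELINE_CRONTAB = """\
# SSL Certificate Expiration Checks
#
0 0 1 * * /opt/zimbra/libexec/zmcheckexpiredcerts -days 30 -email
"""


def parse_crontab(text):
    """Set of (schedule, command) entries; comments and blank lines are skipped."""
    entries = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 5)  # five schedule fields, then the command
        if len(fields) == 6:
            entries.add((" ".join(fields[:5]), fields[5]))
    return entries


def unexpected_entries(live, baseline):
    """Entries present in the live crontab but absent from the baseline."""
    return sorted(parse_crontab(live) - parse_crontab(baseline))


def is_elf(path):
    """True if the file starts with the ELF magic (a compiled binary, not a script)."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == b"\x7fELF"
    except OSError:
        return False


def triage(live, baseline, root="/"):
    """For each unexpected entry, resolve its executable under root and classify it."""
    report = []
    for schedule, command in unexpected_entries(live, baseline):
        exe = Path(root) / command.split()[0].lstrip("/")
        report.append({"schedule": schedule, "command": command, "elf": is_elf(exe)})
    return report


def demo():
    """Constructed filesystem: a fake ELF at the unexpected cron entry's path."""
    root = Path(tempfile.mkdtemp())
    exe = root / "opt/zimbra/lib/zmcheckexpiredcerts"
    exe.parent.mkdir(parents=True)
    exe.write_bytes(b"\x7fELF" + b"\x00" * 12)
    return triage(LIVE_CRONTAB, BASELINE_CRONTAB, root)
```

On a real host, feed `triage` the output of `crontab -l -u zimbra` and the contents of the zimbramon crontab file, with `root="/"`.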