I found too .class files)
maxxer wrote: along with them I found also some .class files with the same basename as the .java
yeeP6rai wrote: Yes... Thanks
CVE-2019-9670 being actively exploited (Hacked Server)
Re: CVE-2019-9670 being actively exploited
What about these files
140975184 380 -rw-r----- 1 zimbra zimbra 387528 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/login_jsp.java
134466281 116 -rw-r----- 1 zimbra zimbra 115258 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/launchZCS_jsp.java
140991166 8 -rw-r----- 1 zimbra zimbra 5248 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Resources_jsp.java
141005691 8 -rw-r----- 1 zimbra zimbra 4232 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Boot_jsp.java
141408461 12 -rw-r--r-- 1 zimbra zimbra 11325 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/Offline_jsp.java
141444302 32 -rw-r--r-- 1 zimbra zimbra 31401 Apr 11 11:55 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbra/org/apache/jsp/public_/error_jsp.java
1208114647 32 -rw-r----- 1 zimbra zimbra 29461 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/admin_jsp.java
1208114649 8 -rw-r----- 1 zimbra zimbra 5248 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Resources_jsp.java
1208137772 8 -rw-r----- 1 zimbra zimbra 4232 Apr 10 11:59 /opt/zimbra/jetty-distribution-9.1.5.v20140505/work/zimbraAdmin/org/apache/jsp/public_/Boot_jsp.java
Re: CVE-2019-9670 being actively exploited
I don't know if they're original Zimbra files or not, but I think so.
srekkas wrote: What about these files
Someone in IRC (can't recall exactly who) raised the problem that some original Zimbra JSP files were touched by the infection, and suggested using the package manager to verify file integrity. While I don't recall if the discussion went on, I found a way to do that for Ubuntu and RHEL.
For the first (Ubuntu):
Code:
apt install debsums
dpkg -l zimbra* | grep ^ii | awk '{print $2}' | xargs debsums -c
For the second (RHEL):
Code:
rpm -qa zimbra* | xargs rpm -qV - | egrep -E '^.{2}5'
Re: CVE-2019-9670 being actively exploited
some correction
maxxer wrote:
Code:
rpm -qa zimbra* | xargs rpm -qV - | egrep -E '^.{2}5'
Code:
rpm -qa "zimbra*" | xargs rpm -qV - | egrep -E '^.{2}5'
S = File size changed
M = File mode changed
5 = MD5 checksum changed
L = Symlink changed
U = Owner changed
G = Group changed
T = Modification time changed
c = it is a configuration file that has changed
missing = file is gone.
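An added example, not code from the thread, that applies the legend above: a small POSIX sh/awk reader for `rpm -V` output that names the flags set on each line, separates config-file edits (the `c` attribute) and timestamp-only changes from real content changes, and keeps the thread's `^.{2}5` filter as a second function so the two views can be compared. The sample input is constructed to look like `rpm -V` output; the paths are illustrative and are not results from any real server.

```sh
#!/bin/sh
# Added example (not from the thread). Decode rpm -V lines using the legend
# above (plus rpm's own D = device and P = capabilities flags).

# Read rpm -V output on stdin and print one classified line per file:
#   MISSING <path>              file is gone
#   CONFIG  <path> [reasons]    a config file (attribute "c") changed
#   TOUCHED <path> [reasons]    only the mtime changed; contents still verify
#   CHANGED <path> [reasons]    size/digest/mode/owner/... differ from the package
rpm_verify_report() {
    awk '
    function decode(flags,    i, c, r) {
        r = ""
        for (i = 1; i <= length(flags); i++) {
            c = substr(flags, i, 1)
            if (c == "S") r = r " size"
            else if (c == "M") r = r " mode"
            else if (c == "5") r = r " md5"
            else if (c == "D") r = r " device"
            else if (c == "L") r = r " symlink"
            else if (c == "U") r = r " owner"
            else if (c == "G") r = r " group"
            else if (c == "T") r = r " mtime"
            else if (c == "P") r = r " capabilities"
        }
        return substr(r, 2)
    }
    /^missing/ {
        rest = $0; sub(/^missing +/, "", rest)
        if (rest ~ /^[cdglr] /) rest = substr(rest, 3)
        print "MISSING " rest
        next
    }
    NF >= 2 {
        flags = substr($0, 1, 9)
        rest = substr($0, 10); sub(/^ +/, "", rest)
        attr = ""
        if (rest ~ /^[cdglr] /) { attr = substr(rest, 1, 1); rest = substr(rest, 3) }
        why = decode(flags)
        if (why == "") next
        if (attr == "c") cls = "CONFIG"
        else if (why == "mtime") cls = "TOUCHED"
        else cls = "CHANGED"
        print cls " " rest " [" why "]"
    }'
}

# The filter from the thread: keep lines whose third flag column (MD5) is
# set, and print only the path (assumes paths without spaces).
md5_changed_paths() {
    grep -E '^.{2}5' | awk '{ print $NF }'
}

# Constructed sample in rpm -V format; paths are illustrative only.
SAMPLE='S.5....T.    /opt/zimbra/jetty/webapps/zimbra/public/login.jsp
.......T.    /opt/zimbra/lib/jars/zimbrastore.jar
S.5....T.  c /opt/zimbra/conf/localconfig.xml
missing      /opt/zimbra/bin/zmcontrol'

printf '%s\n' "$SAMPLE" | rpm_verify_report
```

On a real host, feed the output of the thread's command without its final grep, e.g. `rpm -qa "zimbra*" | xargs rpm -qV - | rpm_verify_report`. A JSP or JAR under the web root that comes back as CHANGED with `md5` in its reasons is worth comparing against a clean copy from the package; a TOUCHED line alone means the contents still match the package digest.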
Re: CVE-2019-9670 being actively exploited
Hi,
How do I know if my server is still vulnerable after applying the patch?
I read the "A Saga of Code Executions on Zimbra" post, and it mentioned running a command to check for the deserialization RCE (zmprov gs `zmhostname` zimbraMemcachedClientServerList). No value has to be returned, is that true?
Thank you for the information.
Re: CVE-2019-9670 being actively exploited
Other than applying the patch, is there any workaround which can be applied to the platform?
Some suggest filtering "service/proxy" at the Nginx proxy. Is it enough?
I observed that the hacker will place a JSP file on the mailbox server. If we change the folder ownership of /opt/zimbra/jetty/webapps/zimbra to another user like zimbraweb while the web application runs under zimbra, the zimbra account only has read/execute permission. Will it prevent the hacker from uploading files to the platform?
Re: CVE-2019-9670 being actively exploited
I was looking into the possibility of setting HTTP auth on Nginx. It would have to be such that /dav/ is exempt, because Android carddav and caldav can't work with HTTP logins.
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template is rather complex though.
I may also set up an Nginx proxy on another server.
I will post back when I have something useful.
Re: CVE-2019-9670 being actively exploited
Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
Re: CVE-2019-9670 being actively exploited
The second and third posts in this thread have some links in them that give you descriptions of this exploit; you should read them.
tin wrote: Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?
Re: CVE-2019-9670 being actively exploited
If you have a vulnerable Zimbra installation you're vulnerable; you cannot add mitigation (probably only a WAF could do something). There are several links in the thread with the full history of the exploit, and the Zimbra blog also has references.
tin wrote: Can anyone give a quick description of how this exploit happens?
Does it require a valid authenticated user to happen?