Zimbra Forums

Hello every one,
Today when I tried to open zimbra through browser I got this error:
HTTP ERROR 404
Problem accessing /public/error.jsp. Reason:

/public/error.jsp
We didn't upgrade/ update the zimbra, and also didn't install any new patches. does anyone have any idea?
thank you

Im having the same problem. anyone got any idea?

farey wrote:Im having the same problem. anyone got any idea?

Solved the problem. Here is the deal. Inside the public folder I have found files which doesn't belong there. Obviously someone has been messing around. So replaced the public folder with an old backup of public folder. Now its working perfectly fine

farey wrote:

farey wrote:Im having the same problem. anyone got any idea?

Solved the problem. Here is the deal. Inside the public folder I have found files which doesn't belong there. Obviously someone has been messing around. So replaced the public folder with an old backup of public folder. Now its working perfectly fine

Unless you know the exact cause of this problem you may not have solved it, you may have been hacked. I'd suggest tou do some further investigation by reading through the sticky C.V.E. thread in this forum.

BTW, I don't really understand why you've posted this in the Zimbra Desktop/Error Reports but it's the wrong forum if you're using ZCS, if you are actually using Zimbra Desktop then please reply to this thread and meanwhile I'll move this to the 'correct' forum.

Hi,

Could you please explain where is the location I have to make this change.

"/opt/zimbra/jetty-distribution-9.3.5.v20151012/webapps/zimbraAdmin/public"

I've just restored a compromised customer
Do a quick search under the usual jetty folders:

find /opt/zimbra/jetty/ -type f -name *jsp -mtime -30

If you find files like:
/opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
/opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp
you've been hacked.
Unlike the previous "zmcat" and "dblaunchs" that actually exploit the vuln and load some sh*t this looks like a bad childish attack. It seems that they delete some files under jetty dir, don't know why.
The attack vector is the same, but, there are no strange processes, there is no persistence.

To clean:
1) Get the package of your version. In our case was an unpatched 8.6
2) Extract the package, find the store rpm or deb. In our case was zcs-NETWORK-8.6.0_GA_1153.UBUNTU14_64.20141215151218/packages/zimbra-store_8.6.0.GA.1153.UBUNTU14.64_amd64.deb
3) Get into the rpm or the package (midnight commander allows browsing deb & rpm) and navigate to the correspondent jetty/webapps/zimbra/public folder
4) Replace the old public folder with the public folder from the package
5) Patch immediately. You modified some files that will be patched so, if you installed some patch before, use ./installPatch.sh --force, to avoid zimbra version control

After replacing jetty directory there is still problem with 100% CPU usage. Seems like digging. Anyone know how to stop it?

I'm really having trouble, this attack happened this weekend!

maillo wrote:After replacing jetty directory there is still problem with 100% CPU usage. Seems like digging. Anyone know how to stop it?

Have you patched? have you done a zmcontrol restart? What process is causing high CPU usage? Less info you give, less help you will get...

Thank you for your help.
I noticed, that zimbra cron file was also modified - /var/spool/cron/zimbra
Instead of normal file content it contained starting zmswatch every 30 min and zmmailboxdwatch every 60 min.
After recovering files from backup it seems to be OK.

At the moment I'm trying to upgrade from 8.7 to 8.8.12 but after starting ./install.sh it hangs.
Any advices?
Thanks again!