HTTP ERROR 404 Problem accessing /public/error.jsp. Reason: /public/error.jsp

gabrieles
Advanced member
Posts: 145
Joined: Tue Feb 14, 2017 9:40 am

Re: HTTP ERROR 404 Problem accessing /public/error.jsp. Reason: /public/error.jsp

Postby gabrieles » Mon May 06, 2019 2:32 pm

Ok, have you checked whether your installation is actually compromised?
That 100% CPU and the crontab issues are typical symptoms of the dblaunchs infection.

viewtopic.php?f=15&t=66089


marcis.rupeiks
Posts: 1
Joined: Mon May 06, 2019 6:36 pm

Re: HTTP ERROR 404 Problem accessing /public/error.jsp. Reason: /public/error.jsp

Postby marcis.rupeiks » Mon May 06, 2019 6:42 pm

Look at /var/spool/cron/crontabs/zimbra for cron entries that download a script which downloads an infected file.
fialho
Posts: 1
Joined: Mon May 06, 2019 1:00 pm

Re: HTTP ERROR 404 Problem accessing /public/error.jsp. Reason: /public/error.jsp

Postby fialho » Mon May 06, 2019 8:16 pm

gabrieles wrote: I've just restored a compromised customer
Do a quick search under the usual jetty folders:

find /opt/zimbra/jetty/ -type f -name '*jsp' -mtime -30

If you find files like:
/opt/zimbra/jetty/webapps/zimbra/js/zimbra/csfe/XZimbra.jsp
/opt/zimbra/jetty/webapps/zimbra/public/Ajax.jsp
you've been hacked.
Unlike the previous "zmcat" and "dblaunchs" that actually exploit the vuln and load some sh*t, this looks like a bad childish attack. It seems that they delete some files under the jetty dir, don't know why.
The attack vector is the same, but, there are no strange processes, there is no persistence.

To clean:
1) Get the package of your version. In our case it was an unpatched 8.6
2) Extract the package, find the store rpm or deb. In our case it was zcs-NETWORK-8.6.0_GA_1153.UBUNTU14_64.20141215151218/packages/zimbra-store_8.6.0.GA.1153.UBUNTU14.64_amd64.deb
3) Get into the rpm or the package (Midnight Commander allows browsing deb & rpm) and navigate to the corresponding jetty/webapps/zimbra/public folder
4) Replace the old public folder with the public folder from the package
5) Patch immediately. You modified some files that will be patched so, if you installed some patch before, use ./installPatch.sh --force, to avoid zimbra version control


Hi,
I went through this today and was able to restore access to webmail as instructed. Your help was providential,
thank you very much.

Could you tell how this is possible, what fault is exploited and how to correct it?
I am using version 8.7.0.GA.1659 and preparing to update to the latest version.
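
The check behind the cleanup steps quoted above, written as an added example that is not part of any post in this thread: it compares the live webapp folder with a clean copy extracted from the matching store package and lists dropped, deleted and altered files. The function names `audit_webapp` and `demo` are hypothetical, the reference tree is assumed to be already extracted, and the demo files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Compare a live webapp folder with a
# clean copy taken from the installer package of the same version.
# Usage: audit_webapp LIVE_DIR REFERENCE_DIR [DAYS]
# Prints: ADDED / CHANGED / MISSING / RECENT <relative path>
audit_webapp() {
    live=$1 ref=$2 days=${3:-30}
    [ -d "$live" ] && [ -d "$ref" ] || { echo "usage: audit_webapp LIVE REF [DAYS]" >&2; return 2; }

    # Live files that the package does not ship (ADDED) or that differ (CHANGED).
    (cd "$live" && find . -type f | sort) | while IFS= read -r f; do
        if [ ! -f "$ref/$f" ]; then
            echo "ADDED ${f#./}"
        elif ! cmp -s "$live/$f" "$ref/$f"; then
            echo "CHANGED ${f#./}"
        fi
    done

    # Files the package ships that are gone from the live tree (MISSING).
    (cd "$ref" && find . -type f | sort) | while IFS= read -r f; do
        [ -f "$live/$f" ] || echo "MISSING ${f#./}"
    done

    # JSPs modified within DAYS days, the same test as the find command above.
    (cd "$live" && find . -type f -name '*jsp' -mtime "-$days" | sort) |
        while IFS= read -r f; do echo "RECENT ${f#./}"; done
}

# Constructed demo trees (not real Zimbra content): one dropped JSP, one deleted file.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/ref/public" "$t/live/public"
    echo page > "$t/ref/public/error.jsp"    # shipped, deleted from the live tree
    echo css > "$t/ref/public/sample.css"    # shipped, untouched
    cp "$t/ref/public/sample.css" "$t/live/public/"
    echo x > "$t/live/public/Ajax.jsp"       # file name reported in the thread
    audit_webapp "$t/live" "$t/ref" 30
    rm -rf "$t"
}

case "${1:-}" in
    --demo) demo ;;
    "") : ;;
    *) audit_webapp "$@" ;;
esac
```

A file reported as CHANGED can also be the result of an installed patch, so review those entries by hand before replacing anything.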
Aayush
Posts: 1
Joined: Tue May 07, 2019 9:25 am

Re: HTTP ERROR 404 Problem accessing /public/error.jsp. Reason: /public/error.jsp

Postby Aayush » Tue May 07, 2019 9:29 am

Hello Everyone,

I faced the same problem yesterday. All 14 standalone mail servers were throwing the error 404. Luckily I had a backup file. I retrieved the files under the /public folder and restarted Zimbra. It worked fine. But can anyone tell me why the error occurred?
WyclifKenya
Posts: 1
Joined: Tue May 07, 2019 9:42 am

Re: HTTP ERROR 404 Problem accessing /public/error.jsp. Reason: /public/error.jsp

Postby WyclifKenya » Tue May 07, 2019 10:00 am

Hello,

I am also affected. Followed the same procedure but I can't seem to get the error.jsp file using Midnight Commander. I have fetched one from another server with the same version that I am running but I still get a permissions error even after changing ownership and read/write permissions.
mfaktor2
Posts: 4
Joined: Mon May 27, 2019 5:35 pm

Re: HTTP ERROR 404 Problem accessing /public/error.jsp. Reason: /public/error.jsp

Postby mfaktor2 » Mon May 27, 2019 8:31 pm

Hi, after I replaced the public folder I ran patch14 for 8.6.0. Unfortunately I am not able to start zmmailboxdctl anymore. Has anyone run into the same issue?
